DATA PROTECTION

Data Protection

How emit-erp handles data obtained via Amazon SP-API — aligned with Amazon DPP.

Home/Data Protection

Last updated: 2026-05-22 · Amazon DPP ComplianceDescription

Data Protection (Data Protection Statement)

This document describes how Shenzhen Renli Technology Co., Ltd. handles data obtained via Amazon SP-API (especially PII) in emit-erp, to comply with Amazon Data Protection Policy (DPP) and applicable laws.

1. Data Classification

CategoryTypical FieldsPII?Retention
Buyer infoName, shipping address, email, phoneYes (PII)≤ 30 days
Order business dataOrder ID, SKU, amount, statusNoService period
Inventory & FBA DataSKU, stock level, inbound IDNoService period
Ads & ReportsCampaigns, keywords, reportsNoService period

2. Data Collection

All data is obtained only after you actively complete OAuth in Amazon Seller Central. emit-erp, acting as a Selling Partner App, calls SP-API endpoints on demand (Orders v0, FBA Inventory v1, Reports 2021-06-30, Advertising API). We do not store your Amazon password, and never access data outside the authorized scope.

3. Data Transmission & Storage

  • encryption in transit: Client ↔ emit-erp uses TLS 1.2+; emit-erp ↔ Amazon SP-API uses HTTPS + AWS SigV4 signing.
  • encryption at rest: Databases and object storage use AES-256; keys managed by independent KMS with periodic rotation.
  • Regional isolation: North America in AWS us-east-1; Europe in AWS eu-west-1; Far East in ap-northeast-1; no cross-region replication.
  • backups: Daily encrypted snapshots; backup media also encrypted; backups auto-destroyed after 30 days.

4. Access Control

  • Principle of least privilege;
  • R&D, operations, and customer service belong to separate IAM groups by role;
  • Two-factor authentication (2FA) required for all production system access;
  • All access and export operations on PII are fully logged; logs retained for 1 year.

5. Data Retention & Deletion

  • Buyer PII: up to 30 days from acquisition, auto-purged from production and backups on expiry;
  • Billing and tax records: retained 7 years per law, but only de-identified -de-identified statistical fields are kept;
  • Authorization revocation: sync stops within 72 hours; PII deleted within 30 days; all business data deleted within 90 days;
  • On-demand deletion: request immediate deletion via Contact Us; tickets closed within 7 business days.

6. incident response

In the event of a data security incident:

  • Initiate the incident response process and isolate impact within 24 hours;
  • Notify Amazon and submit an incident report within 72 hours (per DPP § 9.1);
  • Notify affected users and take remediation actions per applicable laws including GDPR, CCPA, PIPL.

7. security assessment

  • Annual independent third-party penetration testing and security assessments;
  • Quarterly internal vulnerability scans and code audits;
  • SDLC integrated with SAST / DAST / SCA tooling.

8. Data Protection Officer (DPO)

  • Company: Shenzhen Renli Technology Co., Ltd.
  • Email: emit-erp@hotmail.com(please include "DPO" in subject)
  • Phone: (+86)18098973306
  • Address: Building A, A328, Fuhai Tech Industrial Park, Bao'an District, Shenzhen (Qianhai Cooperation Zone)