Security & Data Protection
Amazon DPP-aligned • Least-Privilege • Encryption-First
This document summarizes the security controls for the administrative portal at bigdealsupplyadmin.online. Where Amazon data is processed (e.g., via SP-API), our controls align with Amazon’s Data Protection Policy (“DPP”).
1) Governance & Responsibilities
- Documented security policies; roles defined (system owners, admins, incident leads).
- Quarterly access reviews; periodic security training for administrators.
2) Identity & Access Management
- Individual accounts only; no shared credentials.
- Strong passwords (12+ chars); TOTP-based MFA supported and enforced where required.
- Least-privilege permissions; prompt revocation on role change/termination.
- Session hardening: Secure, HttpOnly, SameSite=Lax cookies; short-lived 2FA windows.
3) Cryptography
- Encryption in transit with TLS 1.2+ end-to-end.
- Encryption at rest for regulated data using industry-standard ciphers (e.g., AES-256) where stored.
- Secrets management: credentials and API keys are restricted and rotated per policy.
4) Network & Perimeter
- Cloudflare WAF/DDoS protection; HTTPS-only with HSTS.
- IP throttling and login rate-limiting; bot mitigation (Cloudflare Turnstile, when enabled).
5) Application Security
- Defense-in-depth: CSRF protection on state-changing endpoints; strict allow-listing for file access.
- Direct access to /hornet/*.html is blocked by the web server; content is served only via an authenticated guard.
- Input validation, output encoding, and secure error handling.
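The session-cookie attributes in section 2 and the authenticated guard, path allow-listing and CSRF protection in section 5 are stated as controls without showing how they fit together. The following Python module is an added illustration, not the portal's own code: it sets the hardening attributes on a session cookie, resolves `/hornet/<name>.html` requests only for a live authenticated session and only for allow-listed file names that stay inside the content root, and verifies a per-session CSRF token on state-changing methods. The content root `/srv/portal/hornet`, the 15-minute session lifetime and the secret key are constructed placeholders.

```python
"""Session hardening, authenticated content guard and CSRF check (added example).

Everything here is illustrative; the paths, lifetimes and secret are assumptions.
"""
import hashlib
import hmac
import os
import re
import time
from http.cookies import SimpleCookie
from typing import Optional

CONTENT_ROOT = "/srv/portal/hornet"       # assumed directory the guard serves from
SESSION_TTL_SECONDS = 15 * 60             # assumed short-lived session window
SECRET_KEY = b"constructed-demo-secret"   # placeholder; load from a secrets manager in practice

# Only flat names like "dashboard.html"; no slashes, dots sequences or query junk.
_ALLOWED_PAGE = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def build_session_cookie(session_id: str, max_age: int = SESSION_TTL_SECONDS) -> str:
    """Return a Set-Cookie value with Secure, HttpOnly, SameSite=Lax and a short Max-Age."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True       # never sent over plain HTTP
    cookie["sid"]["httponly"] = True     # not readable from page scripts
    cookie["sid"]["samesite"] = "Lax"    # not attached to cross-site POSTs
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = max_age
    return cookie["sid"].OutputString()


def make_session(user: str, ttl: int = SESSION_TTL_SECONDS) -> dict:
    """Server-side session record; expires_at enforces the short-lived window."""
    return {"user": user, "expires_at": time.time() + ttl}


def resolve_hornet_page(request_path: str, session: Optional[dict]) -> Optional[str]:
    """Map /hornet/<name>.html to a file under CONTENT_ROOT for an authenticated session.

    Returns the absolute path to serve, or None when the request must be refused:
    no session, expired session, name not on the allow-list, or path escaping the root.
    """
    if not session or not session.get("user"):
        return None
    if session.get("expires_at", 0) < time.time():
        return None
    prefix = "/hornet/"
    if not request_path.startswith(prefix):
        return None
    name = request_path[len(prefix):]
    if not _ALLOWED_PAGE.fullmatch(name):
        return None
    full = os.path.normpath(os.path.join(CONTENT_ROOT, name))
    # Defense in depth: even with the regex, confirm the file stays inside the root.
    if os.path.commonpath([CONTENT_ROOT, full]) != CONTENT_ROOT:
        return None
    return full


def issue_csrf_token(session_id: str) -> str:
    """Per-session CSRF token derived with HMAC-SHA256 over the session id."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check_passes(method: str, session_id: str, submitted_token: Optional[str]) -> bool:
    """Safe methods pass; state-changing methods need a token bound to this session."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if not submitted_token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)


if __name__ == "__main__":
    print(build_session_cookie("constructed-session-id"))
    live = make_session("admin")
    print(resolve_hornet_page("/hornet/dashboard.html", live))
    print(resolve_hornet_page("/hornet/../config.html", live))   # refused
    token = issue_csrf_token("constructed-session-id")
    print(csrf_check_passes("POST", "constructed-session-id", token))
```

The guard deliberately checks the session before touching the file system, so an unauthenticated request for a blocked page produces no disk access and no filename leak; the web server rule that blocks direct access to `/hornet/*.html` remains the first line, and this guard is the second.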
6) Logging, Monitoring & Alerting
- Failed logins and security events are recorded and periodically reviewed.
- Cloudflare notifications for SSL, availability, and WAF events.
7) Data Minimization, Retention & Disposal
- Store only what is necessary for operations; avoid exporting regulated data.
- Security logs retained ≥90 days (unless investigation requires longer).
- Where Amazon PII is processed for order fulfillment, retain it no longer than operationally necessary and, in any case, not beyond 30 days after fulfillment unless legally required. Secure disposal per NIST-aligned methods.
8) Incident Response
- Documented IR plan: detection, triage, containment, eradication, recovery, and post-incident review.
- If an incident impacts Amazon data or obligations, notify Amazon per their requirements (e.g., security@amazon.com) within required timelines, and provide relevant details (nature, scope, data elements, remediation).
9) Vendor & Subprocessor Management
- Vendors are vetted for security posture and bound by contract to protect data.
- Data transfers follow least-privilege and need-to-know principles.
10) Backups, Business Continuity & DR
- Backups for critical configurations and data (if stored) are protected (encryption & access controls).
- Documented restoration and continuity procedures; periodic tests where applicable.
11) Amazon PII Handling (If Applicable)
- Access limited to authorized personnel with business need.
- No local storage on unmanaged devices; no sharing via email or chat; no third-party analytics on PII views.
- Masking/redaction in UI where feasible; structured export controls disabled by default.
Security inquiries: kozcuhadar@bigdealsupply.com
BIGDEALSUPPLY LLC • +1-917-477-3655