Data Handling Policy

Last Updated: November 1, 2024

1. Introduction

This Data Handling Policy outlines Gut Vitality's comprehensive approach to managing customer data throughout its lifecycle. Our policy particularly focuses on Amazon Information received through the Selling Partner API (SP-API) and establishes the framework for secure, compliant data handling practices.

We're committed to protecting your data and privacy.

We're dedicated to maintaining the highest standards of data security.

This policy applies to all employees, systems, and processes involved in data handling operations.

2. Data Classification

Understanding and properly classifying different types of data is crucial for applying appropriate security controls and handling procedures. We categorize data based on sensitivity and regulatory requirements.

2.1 Types of Information

Personally Identifiable Information (PII)

This category requires the highest level of protection and includes:

  • Customer Names

    Full names of customers are treated with strict confidentiality and access controls.

  • Shipping Addresses

    Physical delivery locations are encrypted and accessible only for fulfillment purposes.

  • Email Addresses

    Contact information is protected and used solely for order-related communication.

  • Phone Numbers

    Contact numbers are secured and used only for delivery-related communication.

Order Information

Transaction-related data requires moderate to high protection:

  • Order Numbers

    Unique identifiers used to track and manage purchases.

  • Purchase History

    Records of customer transactions maintained for business and support purposes.

  • Transaction Details

    Specific order information including products, quantities, and dates.

Business Information

Operational data requiring standard business protection:

  • Product Inventory

    Stock levels and product availability information.

  • Sales Analytics

    Aggregated sales data and performance metrics.

  • Shipping Statistics

    Delivery performance and fulfillment metrics.

3. Data Collection and Processing

3.1 Collection Methods

We employ secure, authenticated channels for all data collection activities. Our collection methods are designed to ensure data integrity and security from the point of capture.

  • Amazon SP-API Integration

    All Amazon data is collected through the official SP-API using OAuth 2.0 authentication. This secure channel ensures data authenticity and maintains compliance with Amazon's requirements.

  • Encrypted Connections

    All data collection occurs over HTTPS connections, utilizing TLS 1.2 or higher to protect data in transit.

  • Secure Form Submissions

    Web forms implement CSRF protection, input validation, and encryption to protect submitted data.

3.2 Processing Guidelines

Our data processing follows strict principles to ensure security and compliance:

  • Minimum Necessary Access

    Processing is limited to essential business functions, with access granted only to authorized personnel.

  • Purpose-Specific Processing

    Data is processed only for its intended, documented purpose, with clear boundaries on usage.

  • Secure Processing Environments

    All data processing occurs within secure, monitored environments with appropriate access controls.

  • Audit Trail Maintenance

    Comprehensive logs are maintained for all processing activities, enabling full accountability.

4. Data Storage

4.1 Storage Infrastructure

Our storage infrastructure is built on AWS, providing enterprise-grade security and reliability:

  • PostgreSQL RDS

    Primary data storage uses encrypted PostgreSQL databases with automatic backup and failover capabilities. All data at rest is encrypted with AES-256.

  • Private VPC Subnets

    Databases are hosted in private subnets, inaccessible from the public internet and protected by multiple security layers.

  • AWS KMS Integration

    Encryption keys are managed through AWS KMS, ensuring secure key rotation and access control.

  • Encrypted Backups

    All database backups are automatically encrypted and stored in secure, redundant locations.

4.2 Access Controls

We implement comprehensive access controls to protect stored data:

  • Role-Based Access Control (RBAC)

    Access permissions are assigned based on job roles and responsibilities, ensuring minimum necessary access.

  • Multi-Factor Authentication

    All access to sensitive data requires MFA, which adds a further layer of security.

  • Regular Access Reviews

    Access permissions are reviewed quarterly to ensure appropriate access levels are maintained.

  • Audit Logging

    Comprehensive logs are maintained for all data access attempts, successful or failed.

5. Data Transmission

Our data transmission security ensures information integrity and confidentiality during transfer:

  • TLS Encryption

    All data transmissions use TLS 1.2 or higher, ensuring secure communication between systems.

  • Secure Endpoints

    API endpoints implement authentication, rate limiting, and monitoring to prevent unauthorized access.

  • Encrypted Channels

    All data streams are encrypted using industry-standard protocols and ciphers.

  • Network Security

    Comprehensive monitoring and intrusion detection systems protect data during transmission.

6. Data Retention and Disposal

6.1 Retention Periods

We maintain strict data retention policies aligned with business needs and regulatory requirements:

  • Amazon PII

    Retained for 30 days post-delivery, after which it is automatically purged from our systems.

  • Transaction Records

    Maintained for 7 years to comply with legal and tax requirements, with PII removed after the minimum necessary period.

  • Inventory Data

    Kept for 2 years to support business analytics and planning.

  • Access Logs

    Retained for 1 year to support security auditing and incident investigation.

6.2 Disposal Procedures

Data disposal follows secure procedures to prevent unauthorized recovery:

  • Automated Deletion

    PII is automatically deleted after the retention period using secure deletion methods.

  • Secure Wiping

    Data is securely wiped using industry-standard methods to prevent recovery.

  • Backup Purging

    Backup data is systematically purged following retention period expiration.

  • Hardware Decommissioning

    Physical media is securely wiped or destroyed following industry best practices.

7. Security Controls

7.1 Technical Controls

Our comprehensive technical security controls protect data at all levels:

  • Network Security

    Multilayered protection including firewalls, WAF, and intrusion detection systems.

  • Encryption

    Industry-standard encryption protocols protect data at rest and in transit.

  • Access Management

    Granular access controls and authentication mechanisms protect resources.

  • Monitoring Systems

    Continuous monitoring for security events and anomalies.

7.2 Administrative Controls

Administrative procedures ensure consistent security implementation:

  • Security Policies

    Comprehensive policies govern all aspects of data handling and security.

  • Access Reviews

    Regular reviews ensure appropriate access levels are maintained.

  • Change Management

    Controlled processes for system and security changes.

  • Security Training

    Regular training ensures staff awareness of security requirements.

8. Incident Response

Our incident response procedures ensure rapid and effective handling of security events:

  • Immediate Actions

    Procedures for immediate containment and assessment of security incidents.

  • Investigation Process

    Thorough investigation protocols to determine incident scope and impact.

  • Amazon Notification

    Immediate notification to security@amazon.com for relevant incidents.

  • Customer Communication

    Procedures for notifying affected customers when required.

9. Compliance and Auditing

Regular compliance activities ensure ongoing security effectiveness:

  • Security Audits

    Regular internal and external security assessments verify control effectiveness.

  • Vulnerability Assessments

    Regular scanning and testing identify potential security weaknesses.

  • Policy Reviews

    Periodic reviews and updates of security policies and procedures.

  • Access Audits

    Regular verification of access control effectiveness.

10. Contact Information

For any questions or concerns regarding data handling procedures, please contact:

Dr. Adam Dalton
Gut Vitality
Email: security@gut-vitality.com

We aim to respond to all security and data handling inquiries within 24 hours of receipt.