Plusranger Data Protection Policy

Updated Date: 1 January 2025

1. Purpose and Scope

This Data Protection Policy (“Policy”) outlines the technical, administrative, and organisational measures employed by Plusranger to protect and handle data vended or retrieved via the Amazon Services API in accordance with:

  • The Amazon Services API Developer Agreement (August 2024)
  • The Amazon Data Protection Policy (DPP)
  • The Acceptable Use Policy (AUP)
  • Applicable laws and regulations, including UK data protection legislation (e.g. UK GDPR)

This Policy applies to all Plusranger systems, processes, and personnel involved in the receipt, storage, usage, transfer, and disposal of Amazon Information.


2. Security Controls

  1. Physical, Administrative, and Technical Safeguards
    • We enforce secure access to databases, file servers, and internal networks using multi-factor authentication (MFA), firewalls, and segmentation.
    • Our employees undergo regular security awareness training, covering data protection, IT security best practices, and updates on relevant Amazon Policies.
  2. Network Protection
    • Firewalls, intrusion detection/prevention systems (IDS/IPS), and anti-malware tools are regularly updated and monitored to block unauthorised access.
    • Only authorised personnel with coding or operational responsibilities (and who have completed data protection training) can access servers hosting Amazon Information.
  3. Access Management
    • We assign unique user IDs to each individual with access to Amazon Information.
    • Shared or default credentials are prohibited, and accounts are locked after anomalous activity or multiple failed attempts.
    • User access is reviewed quarterly, and accounts of departing employees are disabled within 24 hours.
  4. Least Privilege Principle
    • Access is granted on a “need-to-know” basis.
    • Fine-grained role-based access control (RBAC) ensures employees only see data necessary for their assigned tasks.
  5. Credential Management
    • Passwords meet Amazon’s minimum requirements: at least 12 characters, mixed complexity, 1-day minimum age, 365-day maximum expiry.
    • All API keys provided by Amazon are encrypted, and only approved employees may handle them.

3. Encryption and Data Retention

  1. Encryption in Transit and At Rest
    • All data transferred between Plusranger systems and Amazon endpoints uses TLS 1.2+ or equivalent secure protocols.
    • Data at rest is encrypted using AES-256 or stronger. Keys are securely managed to prevent unauthorised use.
  2. Data Retention
    • Personally Identifiable Information (PII) is retained no longer than 30 days after order delivery, unless retention is legally required (e.g. VAT/tax obligations).
    • Records exceeding mandated retention are securely deleted in accordance with NIST 800-88 standards.

4. Incident Response and Risk Management

  1. Risk Assessment
    • Plusranger’s senior management annually reviews potential threats and vulnerabilities.
    • Findings are tracked to ensure timely mitigation.
  2. Incident Response Plan
    • Security incidents, including unauthorised access or data breaches, are documented and escalated according to a detailed incident response runbook.
    • We notify Amazon (security@amazon.com) within 24 hours of detecting any incident involving Amazon Information and take all necessary remediation steps.

5. Privacy and Data Handling

  1. Data Usage
    • Plusranger only processes Amazon Information to fulfil orders, generate VAT invoices, or meet legal requirements such as tax and regulatory obligations.
    • Data is never sold or shared beyond Plusranger or Amazon without explicit permission and legal necessity.
  2. Policy and Compliance
    • We maintain a public-facing Privacy Policy at https://www.plusranger.co.uk/privacy outlining how data is collected, used, stored, and disposed of.
    • Internal reviews and audits ensure continued adherence to the Amazon Services API Developer Agreement, the Data Protection Policy, and our legal obligations.

6. Disposal and Deletion

  • When Amazon Information is no longer required (or upon Amazon’s request), Plusranger permanently and securely deletes or destroys it.
  • Evidence of secure deletion can be provided to Amazon upon request.

7. Contact and Updates

For any questions regarding Plusranger’s Data Protection Policy or to report concerns, please contact our Data Protection Officer (DPO) at:

We regularly review and update this Policy to remain compliant with Amazon’s requirements and evolving data protection standards. By using Plusranger’s services, you acknowledge our commitment to these principles and agree to the practices set forth in this Policy.