Compliance

Data Protection Policy Statement

How AIAdKing complies with the Amazon Selling Partner API ("SP-API") Data Protection Policy ("DPP"). This statement supplements our Privacy Policy and Security pages.

Last updated: May 13, 2026

1. Scope

"Amazon Information" means any information sourced from Amazon, including Personally Identifiable Information ("PII") of Amazon customers, order data, listing data and seller data, accessed through SP-API or the Amazon Advertising API.

2. Permitted use

AIAdKing accesses Amazon Information only to provide features the Selling Partner has explicitly enabled. PII is accessed only for, and only to the extent necessary for, fulfilling Selling Partners' orders, tax compliance and other obligations expressly permitted by the DPP. PII is never used for advertising or marketing to buyers, never sold, and never disclosed except as required by law.

3. Encryption

  • In transit: TLS 1.2 or higher for every connection.
  • At rest: AES-256 for all databases, backups and object storage containing Amazon Information.
  • Key management: Keys managed by our cloud provider's KMS with rotation and access logging.

4. Access control

  • MFA enforced on all internal accounts.
  • Role-based access control; production access on a need-to-know, time-boxed basis.
  • All access to Amazon Information is logged and reviewed.
  • Credentials are never shared or stored in source control.

5. Network and application security

  • Web application firewall on all public endpoints.
  • Continuous dependency vulnerability scanning; patches on a defined SLA.
  • Static and dynamic application security testing in CI/CD.
  • Annual penetration testing once the product is generally available.

6. Logging and monitoring

Application, infrastructure and audit logs are centralised, time-synchronised, immutable, retained for at least 90 days, and reviewed for anomalies. Logs do not contain PII.

7. Data retention and deletion

PII received from SP-API is retained no longer than 30 days after order fulfilment, unless a longer period is required by tax or legal obligations. On Selling Partner request, deauthorisation, or termination, we delete all Amazon Information from production systems within 30 days and from backups within 90 days.

8. Sub-processors

We disclose all sub-processors that may process Amazon Information in our Data Processing Addendum, available on request. Each sub-processor is bound by contractual confidentiality and data-protection obligations equivalent to those in the DPP.

9. Incident response

We maintain a written Incident Response Plan tested at least annually. In the event of a Security Incident affecting Amazon Information, we will notify Amazon at security@amazon.com within 24 hours of confirmation, investigate, mitigate and provide a written post-incident report. Affected Selling Partners will be notified without undue delay.

10. Employee obligations

All AIAdKing personnel sign confidentiality agreements, complete annual security and privacy training, and are bound by written information-security policies. Access is revoked promptly on role change or departure.

11. Compliance and audits

AIAdKing maintains internal compliance reviews and is prepared to make available, on request, the evidence required by the SP-API Data Protection Policy.

12. Contact

Security: security@aiadking.com · Privacy: privacy@aiadking.com