Data Protection

UnifiedArk (unifiedark.com) is operated by Unified Retail Services Ltd, a company registered in the United Kingdom. We are committed to the highest standards of data protection and privacy when handling Amazon Selling Partner data accessed through the Amazon Selling Partner API (SP-API).

This Data Protection page outlines how we process, secure, and govern data in full compliance with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP). Every aspect of our data handling practices is designed to protect the confidentiality, integrity, and availability of your Amazon Selling Partner data.

By authorizing UnifiedArk to access your Amazon Selling Partner account via SP-API, you acknowledge that your data will be processed in accordance with this policy, the terms of your SP-API authorization, and all applicable Amazon policies.

Under applicable data protection legislation and Amazon's policies, the roles and responsibilities for data processing are clearly defined:

• Data Controller: You, the Amazon seller who authorizes UnifiedArk via SP-API, are the data controller. You determine the purposes for which your Amazon Selling Partner data is processed and retain full ownership and control of your data at all times.
• Data Processor: Unified Retail Services Ltd acts solely as a data processor. We process your Amazon Selling Partner data only on your behalf, in accordance with your instructions, and strictly within the scope of the SP-API authorization you have granted.

Amazon data accessed via SP-API is processed solely on behalf of the authorizing user. We do not process Amazon Selling Partner data for our own independent purposes, nor do we claim any ownership rights over your data. Our role is limited to providing the services you have authorized and requested through UnifiedArk.

UnifiedArk maintains strict compliance with Amazon's Data Protection Policy (DPP) and Acceptable Use Policy (AUP). Our data governance practices ensure that all Amazon Selling Partner data is handled responsibly and in full alignment with Amazon's requirements:

• Authorized purposes only: Data is accessed and processed exclusively for the purposes defined by your SP-API authorization. We do not use your data for any purpose beyond what you have explicitly authorized.
• No cross-selling or unauthorized use: We do not use Amazon Selling Partner data to cross-sell services, solicit your customers, or engage in any unauthorized commercial activity. Your data is used solely to deliver the UnifiedArk services you have requested.
• No sharing with or selling to third parties: Amazon Selling Partner data is never shared with, sold to, licensed to, or otherwise disclosed to any third party. Your data remains strictly confidential and is accessible only within the scope of our service delivery to you.
• No cross-seller aggregation: We do not aggregate, combine, or correlate data across multiple Amazon sellers. Each seller's data is logically isolated and processed independently. There is no commingling of data between different seller accounts.
• No use with non-Amazon resources: Amazon Selling Partner data is not used in conjunction with non-Amazon data sources, platforms, or marketplaces. All processing is strictly limited to the Amazon ecosystem and the services you have authorized within UnifiedArk.
• Acceptable Use Policy compliance: We adhere to all provisions of Amazon's Acceptable Use Policy, including restrictions on data usage, storage, and retention. Our systems and processes are regularly reviewed to ensure ongoing compliance with Amazon's evolving requirements.

Unified Retail Services Ltd implements robust technical and organizational security measures to protect Amazon Selling Partner data against unauthorized access, disclosure, alteration, or destruction:

• Encryption in transit: All data transmitted between your browser, our servers, and Amazon's APIs is encrypted using TLS 1.2 or higher. We enforce strict transport security to ensure that data cannot be intercepted during transmission.
• Encryption at rest: All stored Amazon Selling Partner data is encrypted using AES-256 encryption. Encryption keys are managed through secure key management services with automatic key rotation.
• Infrastructure: All data is hosted on Amazon Web Services (AWS) within the EU region (eu-west-2, London). Our infrastructure is designed to meet the highest security and compliance standards, leveraging AWS's security certifications including ISO 27001, SOC 2, and GDPR compliance frameworks.
• Access control: We enforce role-based access control (RBAC) with the principle of least privilege. Only personnel who require access to perform their designated duties are granted access to systems containing Amazon Selling Partner data.
• Multi-factor authentication: All internal systems and administrative access require multi-factor authentication (MFA). This ensures that compromised credentials alone cannot grant access to sensitive data.
• Real-time monitoring: Our infrastructure is continuously monitored with real-time security alerting. Anomalous activity, unauthorized access attempts, and potential threats are detected and responded to promptly.
• Audit logging: All access to Amazon Selling Partner data is comprehensively logged. Audit logs capture who accessed what data, when, and from where. These logs are retained securely and are available for compliance review and incident investigation.

Access to Amazon Selling Partner data within UnifiedArk is governed by strict access control policies designed to minimize exposure and maintain data confidentiality:

• Role-based access control (RBAC): Access permissions are assigned based on job function and role. Each team member is granted only the minimum level of access necessary to perform their specific duties.
• Least privilege principle: We follow the principle of least privilege across all systems. Access is granted on a need-to-know basis, and elevated permissions require explicit approval and justification.
• Restricted Amazon data access: Access to Amazon Selling Partner data is restricted exclusively to authorized personnel who have a legitimate operational need. No unauthorized staff, contractors, or external parties can access your Amazon data.
• Regular access reviews: Access permissions are reviewed on a regular basis to ensure they remain appropriate. Accounts that are no longer needed or personnel who have changed roles have their access promptly revoked or adjusted.
• Audit trail: Every access event is logged in our audit system, providing a complete and tamper-evident trail of all interactions with Amazon Selling Partner data. These records support compliance verification and security investigations.

UnifiedArk uses a minimal number of sub-processors, and we are fully transparent about who has access to data within our infrastructure:

• Amazon Web Services (AWS): AWS provides our cloud infrastructure, including data storage, compute resources, and networking. All AWS services are deployed within the EU region (eu-west-2, London). AWS acts as a sub-processor for infrastructure services only and processes data in accordance with the AWS Data Processing Addendum.

No other sub-processors have access to Amazon Selling Partner data. Should we ever need to engage an additional sub-processor that would handle Amazon Selling Partner data, we will update this page and notify affected users in advance. Any new sub-processor would be subject to rigorous due diligence and contractual data protection obligations.

Unified Retail Services Ltd maintains a comprehensive security incident response plan to address any potential data security events promptly and effectively:

• Detection and assessment: Our monitoring systems are designed to detect potential security incidents in real time. Upon detection, incidents are immediately assessed for severity, scope, and potential impact on Amazon Selling Partner data.
• Notification within 72 hours: In the event of a confirmed data breach affecting Amazon Selling Partner data, we will notify affected users and Amazon within 72 hours of confirmation. Notifications will include details of the incident, the data affected, and the measures being taken in response.
• Containment and remediation: Immediate steps are taken to contain any incident and prevent further exposure. Following containment, a thorough remediation process is undertaken to address the root cause and prevent recurrence.
• Root cause analysis: Every security incident is subject to a detailed root cause analysis. Findings are documented and used to strengthen our security posture and update our incident response procedures as necessary.
• Cooperation: We fully cooperate with Amazon and affected users during and after any security incident. This includes providing requested information, supporting investigations, and implementing any required corrective actions.

UnifiedArk follows strict data deletion practices to ensure that Amazon Selling Partner data is not retained beyond its necessary lifecycle:

• Authorization revocation: If you revoke your SP-API authorization for UnifiedArk, all Amazon Selling Partner data associated with your account will be permanently deleted within 30 days of revocation.
• Account termination: Upon termination of your UnifiedArk account, all Amazon Selling Partner data will be permanently deleted within 30 days. This applies regardless of the reason for termination.
• Complete and irrecoverable deletion: Deletion of Amazon Selling Partner data is complete and irrecoverable. Data is purged from all primary storage systems, backups, and caches. Once deleted, the data cannot be restored.
• On-demand deletion: You may request deletion of your Amazon Selling Partner data at any time by contacting us at privacy@unifiedark.com. We will process your deletion request promptly and confirm completion within 30 days.

Under applicable data protection legislation, including the UK GDPR and the Data Protection Act 2018, data subjects have certain rights regarding their personal data. UnifiedArk is committed to facilitating the exercise of these rights:

• Right of access: You have the right to request a copy of the personal data we hold about you, including any Amazon Selling Partner data processed on your behalf.
• Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
• Right to erasure: You have the right to request the deletion of your personal data, subject to any legal obligations that require us to retain certain information.
• Right to restriction of processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while a dispute about accuracy is being resolved.
• Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that we transmit that data to another controller where technically feasible.

To exercise any of these rights, please contact us at privacy@unifiedark.com. We will respond to your request within 30 days in accordance with applicable data protection legislation.

If you require a formal Data Processing Agreement (DPA), have questions about our data protection practices, or wish to make a request relating to your Amazon Selling Partner data, please contact us using the details below:

• DPA requests: dpa@unifiedark.com
• Privacy enquiries: privacy@unifiedark.com
• Postal address:
  Unified Retail Services Ltd
  Data Protection Officer
  United Kingdom

We aim to respond to all data protection enquiries within 30 days. For urgent matters relating to security incidents, please include "URGENT" in your email subject line and we will prioritize your request.