Paz Click Media takes your privacy seriously and we recognize that it is our responsibility to protect your information. As part of this privacy policy, we let you know what information we collect when you use our services, why we collect it and how we use it to improve your experience. Your information will never be used for any purpose other than to enhance your online advertising goals.
The information we collect through contact forms at http://www.pazclickmedia.com is used for internal purposes only and is not disseminated or sold to third parties. By submitting your contact information at www.pazclickmedia.com you are acknowledging that your information may be added to our email lists and you can opt out of these emails at any time via the link found at the bottom of each email.
Your privacy is very important to us and we strive to keep your information safe.
INFORMATION MANAGEMENT AND SECURITY
All Paz Publishing LLC (Paz Click Media) employees are responsible for safeguarding individual customer communications and information. Our company requires personnel to be aware of and protect the privacy of all forms of customer communications — whether they are voice, data or image transmissions — as well as individual customer records. Paz Publishing LLC (Paz Click Media) makes clear that employees who fail to follow this Privacy and Customer Security Policy will face disciplinary action, which can include dismissal. All employees are trained regarding their responsibilities to safeguard customer privacy.
Paz Publishing LLC (Paz Click Media) strives to ensure that information we have about our customers is accurate, secure and confidential, and to ensure that our employees comply with our privacy policy. We will not tamper with, intrude upon or disclose the existence or contents of any communication or transmission, except as required by law or the proper management of our network. Access to databases containing customer information is limited to employees who need it as part of their job performance — and such employees follow strict guidelines when handling such information. Paz Publishing LLC (Paz Click Media) uses safeguards to increase data accuracy and to identify and authenticate the sources of customer information. We use locks and physical security measures, sign-on and password control procedures, internal auditing techniques and other types of security as appropriate for the information stored to protect against unauthorized use of terminals and entry into our data systems.
Our company requires that records be safeguarded from loss, theft, unauthorized disclosure, and accidental destruction. In addition, sensitive, confidential, or proprietary records must be protected and maintained in a secure environment. It is our policy to destroy records containing sensitive, confidential, or proprietary information in a secure manner. Hard copy confidential, proprietary, or sensitive documents must be made unreadable before disposition or recycling, and electronic media must be destroyed using methods that prevent access to information stored in that type of media. Just as employees would report stolen property, employees must report missing records and suspicious incidents involving records.
We encourage our employees to be proactive in implementing and enforcing the company Privacy and Customer Security Policy. If employees become aware of practices that raise privacy concerns, they are encouraged to report them to their supervisors as soon as reasonably possible.
Paz Click Media Follows Amazon’s Data Protection Policy and Acceptable Use Policy As Outlined Below
Data Protection Policy
The Data Protection Policy (“DPP”) governs the receipt, storage, usage, transfer, and disposal of Information, including the data vended and retrieved through the Amazon Services API (including the Marketplace Web Service API). This policy is applicable to all systems that store, process, or otherwise handle data vended and retrieved from the Amazon Services API. This Policy supplements the Amazon Services API Developer Agreement and the Acceptable Use Policy. Failure to comply with this DPP may result in suspension or termination of Amazon Services API access in accordance with the Amazon Services API Developer Agreement.
1. General Security Requirements
Consistent with industry-leading security, Developers will maintain physical, administrative, and technical safeguards, and other security measures (i) to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted by a Developer, and (ii) to protect that Information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, the Developer will comply with the following requirements:
1.1 Network Protection. Developers must implement network protection controls including network firewalls and network access control lists to deny access to unauthorized IP addresses. Developers must implement network segmentation, intrusion detection and prevention mechanisms (including defence in depth methods to complement a firewall’s rulesets, and using IDS and/or IPS signature pattern-based mechanisms to identify and prevent malicious behaviour transiting the network), and anti-virus and anti-malware tools periodically (at least monthly). Developers must restrict systems access only to approved internal employees who have coding and development responsibilities, and who have previously completed data protection and IT security awareness trainings (“Approved Users”). Developers must maintain secure coding practices, and conduct data protection and IT security awareness trainings for Approved Users on at least an annual basis.
1.2 Access Management. Developers must establish a formal user access registration process to assign access rights for all user types and services by ensuring that a unique ID is assigned to each person with computer access to Information. Developers must not create or use generic, shared, or default login credentials or user accounts and prevent user accounts from being shared. Developers must implement baselining mechanisms to ensure that at all times only the required user accounts access Information. Developers must restrict employees and contractors from storing Information on personal devices. Developers will maintain and enforce “account lockout” by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Information. Developers must review the list of people and services with access to Information at least quarterly. Developers must ensure that access is disabled and/or removed within 24 hours for terminated employees.
1.3 Least Privilege Principle. Developers must implement fine-grained access control mechanisms to allow granting rights to any party using the Application and the Application’s authorized operators following the principle of least privilege. Access to Information must be granted on a “need-to-know” basis.
1.4 Credential Management. Developers must establish minimum password requirements for personnel and systems with access to Information. Password requirements must be a minimum of twelve (12) characters, not include any part of the user’s name, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each. Developers must establish a minimum password age of 1-day and a maximum 365-day password expiration for all users. Developers must ensure that Multi-Factor Authentication (MFA) is required for all user accounts. Developers must ensure that API keys provided by Amazon are encrypted and only required employees have access to them.
1.5 Encryption in Transit. Developers must encrypt all Information in transit with secure protocols such as TLS 1.2+, SFTP, and SSH-2. Developers must enforce this security control on all applicable internal and external endpoints. Developers must use data message-level encryption where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
1.6 Risk Management and Incident Response Plan. Developers must have a risk assessment and management process that is reviewed by the Developer’s senior management annually, which includes, but is not limited to, assessment of potential threats and vulnerabilities as well as likelihood and impact in order to track known risks. Developers must create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans must identify the incident response roles and responsibilities, define incident types that may affect Amazon, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to Amazon. Developers must review and verify the plan every six (6) months and after any major infrastructure or system change, including changes to the system, controls, operational environments, risk levels, and supply chain. Developers must notify Amazon (via email to security@amazon.com) within 24 hours of detecting a Security Incident. It is the Developer’s sole responsibility to inform relevant government or regulatory agencies as required by applicable local laws. Developers must investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence. Developers must maintain the chain of custody for all evidences or records collected, and such documentation must be made available to Amazon upon request (if applicable). If a Security Incident has occurred, Developers cannot represent or speak on behalf of Amazon to any regulatory authority or customers unless Amazon specifically requests in writing that the Developer do so.
1.7 Request for Deletion. Developers must permanently and securely delete Information upon and in accordance with Amazon’s notice requiring deletion within 30 days of Amazon’s requests unless the data is necessary to meet legal requirements, including tax or regulatory requirements. Secure deletion must occur in accordance with industry-standard sanitization processes such as NIST 800-88. Developers must also permanently and securely delete all live (online or network accessible) instances of Information 90 days after Amazon’s notice. If requested by Amazon, the Developer will certify in writing that all Information has been securely destroyed.
1.8 Data Attribution. Developers must store Information in a separate database or implement a mechanism to tag and identify the origin of all data in any database that contains Information.
2. Additional Security Requirements Specific to Personally Identifiable Information
The following additional Security Requirements must be met for Personally Identifiable Information (“PII”). PII is granted to Developers for select tax and merchant fulfilled shipping purposes, on a must-have basis. If an Amazon Services API contains PII, or PII is combined with non-PII, then the entire data store must comply with the following requirements:
2.1 Data Retention. Developers will retain PII for no longer than 30 days after order delivery and only for the purpose of, and as long as is necessary to (i) fulfill orders, (ii) calculate and remit taxes, (iii) produce tax invoices and other legally required documents, and (iv) meet legal requirements, including tax or regulatory requirements. Developers may retain data for over 30 days after order delivery only if required by law and only for the purposes of complying with that law. Per sections 1.5 (“Encryption in Transit”) and 2.4 (“Encryption at Rest”) at no point should PII be transmitted or stored unprotected.
2.2 Data Governance. Developers must create, document, and abide by a privacy and data handling and classification policy for their Applications or services, which governs the appropriate conduct and technical controls to be applied in managing and protecting information assets. A record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed for all PII should be maintained to establish accountability and compliance with regulations. Developers must establish a process to detect and comply with privacy and security laws and regulatory requirements applicable to their business and retain documented evidence of their compliance. Developers must establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their information where applicable or required by data privacy regulation. Developers must have technical and organizational processes and systems in place for assisting Authorized Users with data subject access requests. Developers must include contractual provisions in employment contracts with employees that process PII to maintain confidentiality of PII.
2.3 Asset Management. Developers must maintain baseline standard configuration for information systems and install patches, updates, defect fixes, and upgrades on a regular basis. Developers must maintain, and update quarterly, an accurate inventory of software and physical assets (e.g. computers, mobile devices) with access to PII, which should include all devices in the Developer’s environment along with the status of maintenance of each device to ensure compliance against the baseline. Developers must maintain a change management process for all information systems, such that software and hardware with access to PII are tested, verified, and approved, with a segregation of duties between change approvers and those testing the changes before implementation. Physical assets that store, process, or otherwise handle PII must abide by all of the requirements set forth in this policy. Developers must not store PII in removable media, personal devices, or unsecured public cloud applications (e.g., public links made available through Google Drive) unless it is encrypted using at least AES-128 or RSA-2048 bit keys or higher. Developers must securely dispose of any printed documents containing PII. Developers must implement data loss prevention (DLP) controls to monitor and detect unauthorized movement of data.
2.4 Encryption at Rest. Developers must encrypt all PII at rest using at least AES-128 or RSA with 2048-bit key size or higher. The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities (e.g. daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs) used for encryption of PII at rest must be only accessible to the Developer’s processes and services.
2.5 Secure Coding Practices. Developers must not hardcode sensitive credentials in their code, including encryption keys, secret access keys, or passwords. Sensitive credentials must not be exposed in public code repositories. Developers must maintain separate test and production environments.
2.6 Logging and Monitoring. Developers must gather logs to detect security-related events to their Applications and systems including success or failure of the event, date and time, access attempts, data changes, and system errors. Developers must implement this logging mechanism on all channels (e.g., service APIs, storage-layer APIs, administrative dashboards) providing access to Information. Developers must review logs in real-time (e.g. SIEM tool) or on a bi-weekly basis. All logs must have access controls to prevent any unauthorized access and tampering throughout their lifecycle. Logs must not contain PII unless the PII is necessary to meet legal requirements, including tax or regulatory requirements. Unless otherwise required by applicable law, logs must be retained for at least 90 days for reference in the case of a Security Incident. Developers must build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g., multiple unauthorized calls, unexpected request rate and data retrieval volume, and access to canary data records). Developers must implement monitoring alarms and processes to detect if Information is extracted from or can be found beyond its protected boundaries. Developers should perform an investigation when monitoring alarms are triggered, and this should be documented in the Developer’s Incident Response Plan.
2.7 Vulnerability Management. Developers must create and maintain a plan and/or runbook to detect and remediate vulnerabilities. Developers must protect physical hardware containing PII from technical vulnerabilities by performing vulnerability scans and remediating appropriately. Developers must conduct vulnerability scanning at least every 180 days, penetration tests at least every 365 days, and scan code for vulnerabilities prior to each release. Developers must have appropriate procedures and plans to restore availability and access to PII in a timely manner in the event of a physical or technical incident.
3. Audit and Assessment
Developers must maintain all appropriate books and records reasonably required to verify compliance with the Acceptable Use Policy, this DPP, and Amazon Services API Developer Agreement during the period of this agreement and for 12 months thereafter. Upon Amazon’s written request, Developers must certify in writing to Amazon that they are in compliance with these policies.
Upon reasonable request, Amazon may, or may have an independent certified public accounting firm selected by Amazon, audit, assess and inspect the books, records, facilities, operations, and security of all systems that are involved with a Developer’s Application in the retrieval, storage, or processing of Information. Amazon, its Affiliates, agents, representatives, contractors or subcontractors will keep confidential any non-public information disclosed by a Developer as part of this audit, assessment, or inspection that is designated as confidential or that, given the nature of the information or the circumstances surrounding its disclosure, reasonably should be considered confidential. Developers must cooperate with Amazon or Amazon’s auditor in connection with the audit or assessment, which may occur at the Developer’s facilities and/or subcontractor facilities. If the audit or assessment reveals deficiencies, breaches, and/or failures to comply with our terms, conditions, or policies, the Developer must, at its sole cost and expense, take all actions reasonably necessary to remediate those deficiencies within an agreed-upon time frame. Upon request, the Developer must provide remediation evidence in the form requested by Amazon (which may include policy, documents, screenshots, or screen sharing of application or infrastructure changes) and obtain written approval on submitted evidence from Amazon before audit closure.
4. Definitions
“Affiliate” means, with respect to any entity, any other entity that directly or indirectly controls, is controlled by, or is under common control with that entity.
“Amazon Services API” means any application programming interface (API) offered by Amazon for the purpose of helping Amazon Authorized Users to programmatically exchange data.
“API Materials” means Materials we make available in connection with the Amazon Services API, including APIs, documentation, specifications, software libraries, software development kits, and other supporting materials, regardless of format.
“Application” means a software application or website that interfaces with the Amazon Services API or the API Materials.
“Authorized User” means a user of Amazon’s systems or services who has been specifically authorized by Amazon to use the applicable systems or services.
“Content” means copyrightable works under applicable law and content protected under applicable law.
“Customer” means any person or entity who has purchased items or services from Amazon’s public-facing websites.
“Developer” means any person or entity (including you, if applicable) that uses the Amazon Services API or the API Materials for a Permitted Use on behalf of an Authorized User.
“Information” means any information that is exposed through the Amazon Services API, Amazon Portals, or Amazon’s public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon Customers.
“Materials” means software, data, text, audio, video, images, or other Content.
“Personally Identifiable Information” (“PII”) means information that can be used on its own or with other information to identify, contact, identify in context, or locate an Amazon Customer or Authorized User. This includes, but is not limited to, a Customer or Authorized User’s name, address, e-mail address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g., browser, user device), IP Address, geo-location, postal code, or Internet-connected device product identifier.
“Security Incident” means any actual or suspected unauthorized access, collection, acquisition, use, transmission, disclosure, corruption, or loss of Information, or breach of any environment containing Information.
Acceptable Use Policy
The Acceptable Use Policy (“AUP”) clarifies the appropriate use of the Amazon Services API (including the Marketplace Web Service API). In addition to the Amazon Services API Developer Agreement and the Data Protection Policy (“DPP”), Developers must comply with this AUP. Failure to comply with this AUP may result in suspension or termination of Amazon Services API access in accordance with the Amazon Services API Developer Agreement.
1. Perform acceptable Amazon activities
The Amazon Services API is for Developers who wish to help Authorized Users build, manage and grow successful businesses in Amazon’s store and/or participate in any Amazon Services.
1.1 Use the Amazon Services API only to perform acceptable Amazon activities, and only for Authorized Users who have authorized you to perform these activities on their behalf.
1.2 Do not facilitate or promote violation of any agreement between Authorized Users and Amazon (such as the Amazon Services Business Solutions Agreement), directly or indirectly.
1.3 If you suspect that an Authorized User is using your service to violate their agreement with Amazon, notify Amazon (spapi-abuse@amazon.com) and block the Authorized User’s access to your Application.
1.4 Comply with Amazon policies that pertain to specific APIs or functionality that your Application provides.
2. Provide quality applications and services
Transparency
2.1 Do not falsely advertise your Application or service.
2.2 Be clear and honest with Authorized Users about what data you are accessing and for what purpose.
2.3 Do not attempt to deceive Authorized Users through the deliberate modification of Information.
2.4 Be explicit about any calculations and the use of models such as artificial intelligence in the service you provide, their accuracy and data freshness.
Compliance
2.5 Comply with all applicable laws including data privacy and data protection laws (e.g. GDPR, Cybersecurity Law of the People’s Republic of China).
2.6 Do not offer Applications or services that infringe on the intellectual property of others.
Quality and performance
2.7 Provide the Application availability, performance and support required to perform the business task.
2.8 Identify and mitigate any negative Authorized User impact before launching new features, especially for business-critical tasks.
2.9 Design your Application to respect per-Authorized User throttling quotas, and monitor and minimize client-side errors.
2.10 Implement data integrity and validation checks within your Application for any analytical processing (e.g. AI models for insights, automated decision-making) that has material impact on an Authorized User’s business.
3. Keep data secure
Account access
3.1 Never share access keys or passwords.
3.2 Never request or accept an Authorized User’s or another Developer’s access keys for any purpose.
3.3 Do not request or share Amazon Portal usernames or passwords from Authorized Users.
3.4 Only act on behalf of Authorized Users that have granted you permission through third-party authorization.
3.5 Do not apply for access keys that you will not use. Amazon will baseline access keys every 90 days. Access keys that do not make a successful call in 90 days will be deleted and the Developer will need to re-apply for access keys.
3.6 Do not ask Authorized Users to share information retrieved from Amazon Portals manually or programmatically to circumvent Amazon policies.
3.7 If Amazon Portal access is required to provide features or services that benefit Authorized Users, ask the Authorized User to grant access through secondary user permissions.
Data access
3.8 Do not request access to or retrieve Information that is not necessary for your Application’s functionality.
3.9 Only grant access to data on a “need-to-know” basis within your organization, to any individual employed or contracted by your organization and among your Application users.
3.10 Do not attempt to circumvent throttling quotas through the creation of multiple Developer accounts within the same region.
3.11 Inform Amazon SP-API Developer Support at https://developer.amazonservices.com/support within 30 days of any organizational changes or events that change your organization’s need for or use of Information (such as a merger, acquisition, other transfer in business ownership or material change in your organization’s product or service offerings). Maintain a written policy to this effect.
3.12 Disclose to Amazon about affiliated entities involved in your Application or service when requesting additional roles.
3.13 Comply with the Data Protection Policy (“DPP”), which provides specific requirements on the receipt, storage, usage, transfer and disposition of Information.
4. Use data for acceptable purposes
Data Usage
4.1 Do not use Personally Identifiable Information about Customers for any purposes other than merchant fulfilled shipping or to meet legal requirements, including tax and regulatory requirements. You must document with Authorized Users any requirement to process Personally Identifiable Information.
4.2 Do not target Amazon Customers for product marketing or review fabrication and modification using data retrieved through the Amazon Services API or any external (non-Amazon) data services.
4.3 Do not use, offer or promote external (non-Amazon) data services that vend information or data retrieved from Amazon’s websites.
4.4 Do not aggregate data across Authorized Users’ businesses or customers obtained through the Amazon Services API to provide or sell to any parties, including competing Authorized Users.
4.5 Do not promote, publish or share insights about Amazon’s business. Do not use insights about Amazon’s business for your own business purposes.
Data sharing
4.6 Do not disclose Information, individually labelled or aggregated, to other Application users, affiliated entities or any outside parties, unless required to perform acceptable Authorized User activities for Authorized Users that authorized your Application.
4.7 Perform due diligence on the data security measures and policies of any parties with whom you share data and only share data with parties that have data security standards at least as strict as your own.
4.8 As required under applicable law, Developers transferring PII must have contractual provisions in place to provide a suitable legal basis for such transfers.
4.9 Be transparent with Authorized Users about what data you share, with whom and for what purposes.
5. API-specific policies
5.1 If you support Buyer-Seller Messaging using the Buyer-Seller Messaging Service, you must comply with the Communication Guidelines and applicable Program policies.
5.2 If you are using the Buyer-Seller Messaging Service, you must also support Amazon-approved templates through integration with the Messaging and Solicitations API.
5.3 If you are using the Merchant Fulfillment API, you must comply with the Merchant Fulfillment API Service Terms.
5.4 If you are using the Amazon Freight Services API, you must comply with the Amazon Freight Services API Terms (US only).
5.5 If you are using the Amazon Business API, you must comply with the terms of the Technology Integration Agreement and its Addenda, or the Amazon Business Account Terms and Conditions, as applicable.
| Amazon Business Store |
| --- |
| Amazon Business Canada: Amazon Business Account Terms and Conditions |
| Amazon Business France: Amazon Business Account Terms and Conditions |
| Amazon Business Germany: Amazon Business Account Terms and Conditions |
| Amazon Business Italy: Amazon Business Account Terms and Conditions |
| Amazon Business Japan: Amazon Business Account Terms and Conditions |
| Amazon Business Spain: Amazon Business Account Terms and Conditions |
| Amazon Business UK: Amazon Business Account Terms and Conditions |
| Amazon Business US: Amazon Business Account Terms and Conditions |
| Amazon Business India: Amazon Business Account Terms and Conditions |
5.6 If you are using the Page View Report, you must comply with the Page View Report Terms and Conditions (EU only).
5.7 If you are using the End User Data Report, you must comply with the End User Data Report Terms and Conditions (EU only).
6. Definitions
“Amazon Services” means services provided or operated by Amazon.
“Amazon Services API” means any application programming interface (API) offered by Amazon for the purpose of helping Amazon Authorized Users to programmatically exchange data.
“Amazon Portal” means any Amazon website used by Authorized Users or others in a business relationship with Amazon to manage their participation in Amazon Selling Partner Services or other services provided by Amazon. This includes Seller Central and Vendor Central.
“API Materials” means Materials we make available in connection with the Amazon Services API, including APIs, documentation, specifications, software libraries, software development kits, and other supporting materials, regardless of format.
“Application” means a software application or website that interfaces with the Amazon Services API or the API Materials.
“Authorized User” means a user of Amazon’s systems or services who has been specifically authorized by Amazon to use the applicable systems or services.
“Content” means copyrightable works under applicable law and content protected under applicable law.
“Customer” means any person or entity who has purchased items or services from Amazon’s public-facing websites.
“Developer” means any person or entity (including you, if applicable) that uses the Amazon Services API or the API Materials for a Permitted Use on behalf of an Authorized User.
“Information” means any information that is exposed through the Amazon Services API, Amazon Portals or Amazon’s public-facing websites. This data can be public or non-public, including Personally Identifiable Information about Amazon customers.
“Materials” means software, data, text, audio, video, images, or other Content.
“Personally Identifiable Information” (“PII”) means information that can be used on its own or with other information to identify, contact or locate an individual (e.g., Customer or Authorized User), or to identify an individual in context. This includes, but is not limited to, a Customer or Authorized User’s name, address, email address, phone number, gift message content, survey responses, payment details, purchases, cookies, digital fingerprint (e.g. browser, user device), IP Address, geo-location or Internet-connected device product identifier.
