Acceptable Use Policy of our Amazon App
This section explains how 247 Commerce Ltd (“we”, “us”, “our”) ensures our Amazon-integrated application (“247 Cloudhub – App”) is used in accordance with Amazon’s Acceptable Use Policy and related Selling Partner API agreements.
1. Our Commitment to Amazon Compliance
We operate the App in strict alignment with the Amazon Selling Partner API Acceptable Use Policy (AUP). Our platform only accesses Amazon data when you (the Seller) have explicitly authorised it through Amazon's OAuth-based authorisation flow (Login with Amazon); we never ask for or store your Seller Central credentials. All functions within the App are designed to support legitimate business activities on Amazon and comply with applicable Amazon agreements, laws, and regulations.
2. Permitted Uses of Amazon Information
We access and process Amazon data solely for the purpose of providing you with the features you have subscribed to, including but not limited to:
- Creating and managing product listings
- Updating pricing and stock levels
- Processing orders (including FBA and refunds)
- Generating invoices and shipping labels
- Providing performance, tax, and accounting reports
We never use Amazon data for unauthorised marketing, resale, profiling, or analytics unrelated to your Amazon account.
3. Prohibited Activities
When using our App, you agree not to:
- Use Amazon data for any purpose not authorised by the Seller or Amazon
- Circumvent or interfere with Amazon’s security measures or technical restrictions
- Store or transmit Amazon data to unauthorised third parties
- Use the App to engage in any activity that could lead to a breach of Amazon’s Selling Partner Terms, policies, or applicable law
4. Data Sharing – Outside Parties & Data Sharing Methodology
We only share Amazon Information with third-party courier and logistics partners for the exclusive purpose of order fulfilment.
- What is shared: We transmit only the essential customer data needed to create shipping labels and facilitate delivery—specifically, the customer’s name, delivery address, and contact phone number.
- How it is shared:
- Via secure API integrations using encrypted HTTPS/TLS channels.
- Or through encrypted file transfers (SFTP, which runs over SSH, or FTPS, which is FTP over TLS) where API delivery isn’t feasible.
- Security & Access Controls:
- All data transmissions are logged for audit and compliance purposes.
- Access to courier interfaces is strictly role-based, ensuring only authorised system components and minimal personnel can initiate data sharing.
- Data Handling Obligations:
- Our courier partners are contractually obligated to process Amazon Information solely for delivery purposes.
- They must adhere to applicable data protection laws and maintain confidentiality of the information shared.
No other Amazon Information—such as purchase history, pricing data, or seller account details—is shared with these external parties. This keeps the data sent to couriers to the minimum needed for delivery, in line with Amazon’s Acceptable Use Policy and Data Protection Policy.
5. Security and Data Handling
We protect Amazon data through:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls ensuring least-privilege access
- Audit logging and monitoring of all API transactions
- Regular vulnerability scans, penetration tests, and code reviews
- Retention limits: Amazon PII is deleted from our systems within 28 days of order dispatch
6. Enforcement and Amazon’s Rights
We recognise that Amazon may suspend or terminate our API access if we, or our users, violate the AUP or other applicable agreements. We maintain processes to:
- Investigate and remediate potential breaches
- Notify Amazon’s Security team at security@amazon.com where required
- Take immediate corrective action, including suspending access for offending accounts
7. Your Responsibilities as a User
By using our App, you agree to:
- Authorise only lawful access to your Amazon account
- Use the features of the App solely for compliant selling activities
- Refrain from introducing malicious code, engaging in fraud, or otherwise breaching Amazon’s terms
8. Contact for Compliance Queries
If you have questions regarding our Acceptable Use Policy or our Amazon compliance processes, please contact:
Primary Contact: Susant Patro
Email: 247commerce@247commerce.co.uk
Phone: +44 2045 479292
9. Access Management & Least Privilege Practices
Individual Identification of Personnel (Access Management 1.2)
- Unique User IDs: Every staff member accessing Amazon data is assigned a unique organisational identifier, typically based on their company email address (e.g., susant.patro@247commerce.co.uk). Shared accounts are strictly prohibited.
- Authentication & Accountability: All access is gated through Single Sign-On (SSO) with Multi-Factor Authentication (MFA), so every action is traceable to an individual user.
- Provisioning Process: User access is granted only via formal onboarding procedures handled by the IT or Security team. Each access request is reviewed and approved by designated team leads in accordance with job function.
- Regular Access Reviews: We conduct periodic audits (at least monthly) of user access privileges. Any accounts no longer needed are promptly revoked.
- Offboarding Control: On employee termination or role change, access is immediately disabled. This is logged and reported to leadership, and accounts are purged or reassigned within 24 hours.
Principle of Least Privilege (1.3)
- Role-Based Access Control (RBAC): We assign access according to defined roles (Support, Operations, Engineering), with each role mapping to the minimal set of permissions required for its responsibilities.
- Just-In-Time Access: Elevated access (e.g., for support tasks or maintenance) is granted through time-limited, logged access requests. Elevated permissions expire automatically.
- Secure Infrastructure: Access paths to production tools are constrained via bastion hosts and protected by network-level controls such as IP allow-listing and MFA.
- Least-Privileged Tools Integration: Amazon data is retrieved and displayed through application dashboards or monitoring systems; there is no broad data export by default. Where exports are necessary, they require explicit secondary approval.
- Logging & Monitoring: Every access event, API call or action involving Amazon data is logged centrally. Alerts are configured for unusual or unauthorised access patterns.
10. Incident Response and Security Incident Notification
We take the security of all customer data, including Amazon Information, extremely seriously and have a formal Incident Response Plan in place.
In the unlikely event of a security incident – such as unauthorised database access, data leak, or system breach – we will:
- Detect and Verify: Continuously monitor our systems for unusual or suspicious activity, investigate alerts, and confirm whether an incident has occurred.
- Contain and Mitigate: Immediately isolate affected systems, suspend unauthorised access, and apply temporary security controls to limit impact.
- Notify Amazon Within 24 Hours: If the incident involves Amazon Information, we will notify Amazon within 24 hours of detection at security@amazon.com, providing details of the incident, affected data, scope, and mitigation steps taken. We will also notify any other affected parties where required by law.
- Investigate and Remediate: Identify the root cause, apply permanent fixes, and improve relevant controls to prevent recurrence.
- Post-Incident Review: Record all actions taken, evaluate our response, and update our policies, procedures, and employee training where necessary.
This process ensures transparency, rapid containment, and compliance with Amazon’s Restricted Data Access Policy and our contractual obligations.
11. Incident Response Plan – Security Incident Handling
Our organisation has a formal Incident Response Plan to address database hacks, unauthorised access, and data leaks involving Amazon Information. The plan follows these key steps:
- Detection & Verification
- Continuous monitoring of systems and logs using automated alerts to identify suspicious activity.
- Verification of the incident to confirm the nature, scope, and potential impact on Amazon Information.
- Containment & Mitigation
- Immediate isolation of affected systems to prevent further compromise.
- Implementation of temporary access restrictions and security controls to stop unauthorised activity.
- Notification
- Notify Amazon within 24 hours of detecting any Security Incident by sending an incident report to security@amazon.com.
- The report will include a description of the incident, affected systems or data, scope of impact, and immediate remediation steps taken.
- Notify any other affected parties or regulators as required by applicable law.
- Investigation & Remediation
- Perform root cause analysis to determine how the incident occurred.
- Apply permanent fixes, patch vulnerabilities, and strengthen controls to prevent recurrence.
- Post-Incident Review
- Document the incident and all actions taken.
- Review and update security policies, procedures, and staff training based on lessons learned.
This approach ensures rapid detection, containment, transparent communication, and compliance with Amazon’s Restricted Data Access Policy requirements.
12. Password Management Practices
Our organisation enforces strict password management policies for all systems that access Amazon Information, in compliance with Amazon’s security requirements:
- Length & Complexity
- Minimum password length: 16 characters.
- Must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
- Passwords must not contain dictionary words, user names, or easily guessable patterns.
- Expiration & Rotation
- Passwords expire every 90 days and must be changed to a new, unique password.
- Users cannot reuse any of their last 10 passwords.
- Storage & Transmission
- Passwords are never stored in plaintext; they are hashed using a salted, deliberately slow algorithm designed for password storage (e.g., bcrypt, scrypt or Argon2id), rather than a fast general-purpose digest such as a single salted SHA-256, which offers little resistance to offline brute force on modern GPUs.
- Passwords are never transmitted in clear text and are protected with TLS 1.2+ during authentication.
- Multi-Factor Authentication (MFA)
- MFA is mandatory for all user accounts with access to Amazon Information, adding a second factor beyond the password.
- Access Control
- Access is immediately revoked when an employee changes roles or leaves the organisation.
- Shared accounts are prohibited — each user has unique credentials for accountability.
- Enforcement & Monitoring
- Automated systems enforce password complexity, rotation, and history rules.
- Regular security audits verify compliance, and any deviations trigger corrective action.
This approach ensures that all credentials used to access Amazon Information are strong, unique, and well-protected, meeting Amazon’s Credential Management and Restricted Data Access policy requirements.
13. Password Management Enforcement
Our organisation enforces strict password management controls for all personnel and systems with access to Amazon Information:
- Minimum Length & Complexity
- Passwords must be at least 16 characters long.
- They must include at least one uppercase letter, one lowercase letter, one number, and one special character.
- Passwords must avoid dictionary words, personal information, or predictable patterns.
- Expiration & History
- Passwords expire every 90 days.
- Users cannot reuse any of their previous 10 passwords.
- MFA Requirement
- All accounts with access to Amazon Information require Multi-Factor Authentication (MFA) in addition to the password.
- Prohibition of Shared Credentials
- Every user has a unique account and password; shared credentials are prohibited.
- Secure Storage & Transmission
- Passwords are stored only in hashed form, using a salted, deliberately slow password hashing algorithm (e.g., bcrypt, scrypt or Argon2id) rather than a fast general-purpose digest such as salted SHA-256.
- Passwords are transmitted only over encrypted channels (TLS 1.2 or higher).
- Enforcement & Monitoring
- Our identity and access management systems automatically enforce complexity, length, expiration, and history requirements.
- Regular audits verify compliance, and non-compliant accounts are suspended until corrected.
These measures ensure all credentials are strong, unique, and protected, meeting Amazon’s Credential Management requirements.
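As an added illustration of the storage and enforcement rules in sections 12 and 13 (example code, not 247 Commerce's own implementation), the following Python shows one way to apply them together: a policy check (16+ characters, four character classes, no fragment of the user name), scrypt hashing with a fresh random salt per password, constant-time verification, and a reuse check against the last 10 remembered hashes. It assumes Python's hashlib.scrypt is available (a build against OpenSSL 1.1 or later); the scrypt cost parameters, the record layout and the sample user name are illustrative assumptions, and the dictionary-word rule is omitted because it needs a wordlist.

```python
"""Password policy enforcement and memory-hard password storage.

Added example, not 247 Commerce code. Only scrypt hashes with per-password
random salts are stored; a single salted SHA-256 digest is deliberately not
offered, because it can be brute-forced at GPU speed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

MIN_LENGTH = 16          # policy: at least 16 characters
HISTORY_DEPTH = 10       # policy: no reuse of the last 10 passwords
# Assumed scrypt work factors (roughly 16 MiB of RAM, tens of ms per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def policy_violations(password: str, username: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    # Reject passwords containing any 4+ character piece of the e-mail local part.
    local_part = username.split("@")[0].lower().replace(".", " ")
    tokens = {t for t in local_part.split() if len(t) >= 4}
    if any(t in password.lower() for t in tokens):
        problems.append("contains part of the user name")
    return problems


def hash_password(password: str, salt: bytes = b"") -> str:
    """scrypt-hash under a fresh 16-byte random salt; return a self-describing record."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False   # malformed record never authenticates


@dataclass
class CredentialRecord:
    """Assumed store layout: the active hash plus retired hashes, newest first."""
    username: str
    current: str = ""
    history: List[str] = field(default_factory=list)


def change_password(record: CredentialRecord, new_password: str) -> List[str]:
    """Apply every rule; rotate the stored hash only if all of them pass."""
    problems = policy_violations(new_password, record.username)
    remembered = ([record.current] if record.current else []) + record.history
    # Reuse is detected by verifying against old hashes, so old plaintext is never kept.
    if any(verify_password(new_password, h) for h in remembered[:HISTORY_DEPTH]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    if record.current:
        record.history.insert(0, record.current)
        del record.history[HISTORY_DEPTH - 1:]   # current + 9 retired = 10 remembered
    record.current = hash_password(new_password)
    return []


def authenticate(record: CredentialRecord, password: str) -> bool:
    """A login is checked against the active hash only; retired hashes never grant access."""
    return bool(record.current) and verify_password(password, record.current)


if __name__ == "__main__":
    rec = CredentialRecord(username="susant.patro@247commerce.co.uk")  # constructed sample
    print(policy_violations("Susant-Patro-Login-2024!", rec.username))
    print(change_password(rec, "Correct-Horse-Battery-9"), rec.current[:24])
    print(authenticate(rec, "Correct-Horse-Battery-9"))
    print(change_password(rec, "Correct-Horse-Battery-9"))
```

The stored record carries its own cost parameters, so the work factors can be raised later and old hashes re-hashed on the user's next successful login without a migration; the reuse check verifies the candidate against stored hashes rather than comparing plaintexts, so retired passwords are never kept in recoverable form.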
14. Vulnerability Management and Remediation Timelines
We take a proactive approach to identifying and fixing potential security issues to protect all customer data, including Amazon Information.
How we manage vulnerabilities:
- We carry out regular vulnerability scans and penetration tests to detect security weaknesses in our systems.
- All findings are recorded in our secure issue-tracking system, with each one given a severity rating (Critical, High, Medium, Low) based on potential impact and risk.
- Responsibility for fixing each issue is assigned to the relevant technical team, and progress is tracked until resolution.
Our target remediation timelines:
- Critical vulnerabilities: fixed within 24–48 hours.
- High vulnerabilities: fixed within 7 days.
- Medium vulnerabilities: fixed within 30 days.
- Low vulnerabilities: fixed within 90 days or at the next planned maintenance cycle.
Verification and closure:
- Once an issue is resolved, we re-test the affected systems to confirm the fix has been successful.
- Issues are only marked as closed after successful verification.
Continuous improvement:
- We review vulnerability management reports regularly to ensure we meet our timelines and improve our security processes over time.
This process ensures that any potential security issues are addressed promptly and effectively, keeping your data safe and our systems resilient.
15. Addressing Code Vulnerabilities in Development and Runtime
Our organisation applies multiple technical controls and secure development practices to prevent, detect, and remediate code vulnerabilities both during the software development lifecycle and at runtime.
1. During Development
- Static Application Security Testing (SAST): All code is scanned automatically during build pipelines using industry-standard security tools to detect vulnerabilities such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 weaknesses.
- Dependency Scanning: Open-source libraries and dependencies are continuously checked against vulnerability databases (e.g. CVE, NVD) and updated to secure versions where risks are identified.
- Secure Code Reviews: Every code change undergoes peer review by senior developers trained in secure coding standards (OWASP Top 10).
- Secrets Management: No credentials, API keys, or secrets are stored in code repositories — they are managed securely using AWS Secrets Manager or an encrypted vault.
2. During Runtime
- Dynamic Application Security Testing (DAST): Applications in staging and production are tested for vulnerabilities under real-world conditions, including penetration testing for authentication flaws and access control weaknesses.
- Runtime Application Self-Protection (RASP): Where applicable, we use in-app security monitoring to detect and block malicious inputs at runtime.
- Web Application Firewall (WAF): AWS WAF filters and blocks malicious requests before they reach the application.
- Real-time Monitoring & Alerts: Application logs are monitored 24/7 for suspicious activity, with automated alerts for abnormal request patterns or access attempts.
3. Remediation Process
- Critical vulnerabilities: Fixed and deployed within 24–48 hours.
- High vulnerabilities: Fixed and deployed within 7 days.
- Medium vulnerabilities: Fixed within 30 days.
- Low vulnerabilities: Addressed within 90 days or in the next scheduled maintenance cycle.
4. Verification
After remediation, fixes are validated via repeat scans and tests before deployment to production.
This layered approach ensures vulnerabilities are identified early, mitigated quickly, and monitored continuously to protect Amazon Information and customer data.
16. Addressing Code Vulnerabilities in Development and Runtime
We apply a combination of technical controls and secure development practices to detect, prevent, and remediate vulnerabilities during both the software development lifecycle (SDLC) and application runtime.
During Development:
- Static Application Security Testing (SAST): All code is automatically scanned at build time using security tools to detect vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure configurations.
- Dependency Scanning: All third-party libraries are continuously checked against vulnerability databases (e.g. CVE, NVD) and updated promptly.
- Peer Code Reviews: All code changes undergo mandatory peer review with a focus on OWASP Top 10 vulnerabilities.
- Secrets Management: No secrets or credentials are stored in code repositories; they are stored in secure vaults (e.g. AWS Secrets Manager) with controlled access.
During Runtime:
- Dynamic Application Security Testing (DAST): We perform vulnerability testing against staging and production environments to detect runtime security issues.
- Web Application Firewall (WAF): AWS WAF is in place to block common exploits such as injection attacks and cross-site scripting.
- Runtime Monitoring: Continuous monitoring of logs and application behaviour with automated alerts for suspicious activities.
Remediation Timelines:
- Critical vulnerabilities: Fixed within 24–48 hours.
- High vulnerabilities: Fixed within 7 days.
- Medium vulnerabilities: Fixed within 30 days.
- Low vulnerabilities: Fixed within 90 days or the next maintenance cycle.
After remediation, fixes are validated through repeat scans before deployment to production.
17. Change Management Responsibility and Access Control
Change management within our organisation is overseen by Susant Patro – Chief Executive Officer (CEO).
Access to perform change management activities is granted only through our Role-Based Access Control (RBAC) process:
- Formal Authorisation – Access is only provided after a documented Change Management Access Request is submitted and approved by the CEO and the IT Security Manager.
- Least Privilege Principle – Permissions are provisioned via AWS Identity and Access Management (IAM), granting only the minimum access required to perform specific change management tasks.
- Security Safeguards – All privileged accounts require multi-factor authentication (MFA), use company-managed devices, and connect only from pre-approved IP addresses.
- Ongoing Review – All privileged access is reviewed monthly and revoked immediately if no longer required for business purposes or upon termination of employment.
All change activities are documented in our internal Change Management System, including request IDs, approvals, testing evidence, deployment records, and post-deployment validation results.
Cookie Policy of www.247commerce.co.uk
This document informs Users about the technologies that help www.247commerce.co.uk to achieve the purposes described below. Such technologies allow the Owner to access and store information (for example by using a Cookie) or use resources (for example by running a script) on a User’s device as they interact with www.247commerce.co.uk.
For simplicity, all such technologies are defined as “Trackers” within this document – unless there is a reason to differentiate.
For example, while Cookies can be used on both web and mobile browsers, it would be inaccurate to talk about Cookies in the context of mobile apps as they are a browser-based Tracker. For this reason, within this document, the term Cookies is only used where it is specifically meant to indicate that particular type of Tracker.
Some of the purposes for which Trackers are used may also require the User’s consent. Whenever consent is given, it can be freely withdrawn at any time following the instructions provided in this document.
www.247commerce.co.uk uses Trackers managed directly by the Owner (so-called “first-party” Trackers) and Trackers that enable services provided by a third-party (so-called “third-party” Trackers). Unless otherwise specified within this document, third-party providers may access the Trackers managed by them.
The validity and expiration periods of Cookies and other similar Trackers may vary depending on the lifetime set by the Owner or the relevant provider. Some of them expire upon termination of the User’s browsing session.
In addition to what’s specified in the descriptions within each of the categories below, Users may find more precise and updated information regarding lifetime specification as well as any other relevant information – such as the presence of other Trackers – in the linked privacy policies of the respective third-party providers or by contacting the Owner.
Activities strictly necessary for the operation of www.247commerce.co.uk and delivery of the Service
www.247commerce.co.uk uses so-called “technical” Cookies and other similar Trackers to carry out activities that are strictly necessary for the operation or delivery of the Service.
Other activities involving the use of Trackers
Measurement
www.247commerce.co.uk uses Trackers to measure traffic and analyze User behavior with the goal of improving the Service.
Analytics
The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.
Google Analytics (Google Inc.)
Google Analytics is a web analysis service provided by Google Inc. (“Google”). Google utilizes the Data collected to track and examine the use of www.247commerce.co.uk, to prepare reports on its activities and share them with other Google services.
Google may use the Data collected to contextualize and personalize the ads of its own advertising network.
Personal Data processed: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
HubSpot Analytics (HubSpot, Inc.)
HubSpot Analytics is an analytics service provided by HubSpot, Inc.
Personal Data processed: Cookies and Usage Data.
Place of processing: United States – Privacy Policy – Opt Out.
How to manage preferences and provide or withdraw consent
There are various ways to manage Tracker related preferences and to provide and withdraw consent, where relevant:
Users can manage preferences related to Trackers from directly within their own device settings, for example, by preventing the use or storage of Trackers.
Additionally, whenever the use of Trackers is based on consent, Users can provide or withdraw such consent by setting their preferences within the cookie notice or by updating such preferences accordingly via the relevant consent-preferences widget, if available.
It is also possible, via relevant browser or device features, to delete previously stored Trackers, including those used to remember the User’s initial consent.
Other Trackers in the browser’s local memory may be cleared by deleting the browsing history.
With regard to any third-party Trackers, Users can manage their preferences and withdraw their consent via the related opt-out link (where provided), by using the means indicated in the third party’s privacy policy, or by contacting the third party.
Locating Tracker Settings
Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:
Users may also manage certain categories of Trackers used on mobile apps by opting out through relevant device settings, such as the device advertising settings for mobile devices, or tracking settings in general (Users may open the device settings, view and look for the relevant setting).
Owner and Data Controller
Unit 1 (Ground Floor)
Lincoln House, GWQ, Great West Road, Brentford TW8 0GE
Owner contact email: privacy@247commerce.co.uk
Since the use of third-party Trackers through www.247commerce.co.uk cannot be fully controlled by the Owner, any specific references to third-party Trackers are to be considered indicative. In order to obtain complete information, Users are kindly requested to consult the privacy policies of the respective third-party services listed in this document.
Given the objective complexity surrounding tracking technologies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of such technologies by www.247commerce.co.uk.
Definitions and legal references
Personal Data (or Data)
Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.
Usage Data
Information collected automatically through www.247commerce.co.uk (or third-party services employed in www.247commerce.co.uk), which can include: the IP addresses or domain names of the computers utilized by the Users who use www.247commerce.co.uk, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server’s answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User’s IT environment.
User
The individual using www.247commerce.co.uk who, unless otherwise specified, coincides with the Data Subject.
Data Subject
The natural person to whom the Personal Data refers.
Data Processor (or Data Supervisor)
The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.
Data Controller (or Owner)
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of www.247commerce.co.uk. The Data Controller, unless otherwise specified, is the Owner of www.247commerce.co.uk.
www.247commerce.co.uk (or this Application)
The means by which the Personal Data of the User is collected and processed.
Service
The service provided by www.247commerce.co.uk as described in the relative terms (if available) and on this site/application.
European Union (or EU)
Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.
Cookie
Cookies are Trackers consisting of small sets of data stored in the User’s browser.
Tracker
Tracker indicates any technology – e.g. Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting – that enables the tracking of Users, for example by accessing or storing information on the User’s device.
Legal information
This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).
This privacy policy relates solely to www.247commerce.co.uk, if not stated otherwise within this document.