Amazon Selling Partner
Assessment Kick-Off
Resources to help you prepare for the assessment:
1. Video Resources: Open Link
2. SP-API Technical Papers: Open Link
3. Security Audits: Best Practices and Readiness (blog post): Open Link
4. Check out our new Security Product: Open Link
5. Selling Partner API Policies
• Amazon Services API Developer Agreement: Open Link
• Data Protection Policy: Open Link
• Acceptable Use Policy: Open Link
Assessment Overview and Timeline
Key details
Why?
Amazon engages with PwC/Deloitte to conduct the assessment in accordance with regulatory requirements and to assist developers in improving their cyber security and data use posture.
Support Provided
Amazon will assist you during the remediation process by providing the support of solution architects that can help tackle the plan of action (POA) to solve for the gaps in controls.
How?
The assessment has three stages:
• Submit Assessment: Provide responses to questions in relation to the assessment
• Assessment Call: Discuss the controls in place to manage the Amazon data received
• Remediation: Implementing solutions for any gaps
Time and Effort
The total assessment takes an estimated 8 hours of time across the month. The split is as follows:
• Assessment Submission – 4-6 hours
• Assessment Call – 2 hours
• Follow up questions – 2 hours (done via email communication between PwC and developer)
Assessment Timeline
[Timeline figure: milestones across the month, each marked in the legend as a PwC Action, Your Action, or Amazon Action: Assessment Notification; Kickoff Call / Document Request Distributed; Assessment Responses Due; Assessment Call; Gaps shared by PwC/Deloitte; Share your plan of action; Amazon review POA; Share Remediation Evidence; Amazon approves the end of Remediation.]
Key Assessment Domains
For each of the following topics, please identify key personnel who are knowledgeable about each of the various
processes. These personnel would need to be available to provide insight during the assessment call.
# Domain: Topics Covered
1 Business and system Overview:
• Understanding an overview of services and processes
• Understanding the network architecture and flow of data through the environment
2 Security governance:
• Policy management
• Risk and Compliance Regulations Management
• Privacy regulation management
• Third party risk management
3 Infrastructure security*:
• Data Storage
• Asset management and security controls for assets
• Asset Baseline Configuration
• Asset destruction
• Anti-malware controls
4 Data protection*:
• Tools utilized to protect data
• Encryption protocols for data at rest and in transit
• Management and classification of data
• Data retention and back-up
• Dark Web Review
• API Key security
5 Network security and vulnerability management*:
• Security controls utilized to manage, monitor and protect the network
• Vulnerability Management
• Remediation of Vulnerabilities
• Network Segregation
6 Application security*:
• Software development lifecycle (including Software Testing)
• Change Management
7 Identity and access management*:
• Access provisioning and de-provisioning
• Privileged access Management
• Remote access
• Password Management
8 Security monitoring and incident response:
• Log management
• Incident management plan
9 Privacy:
• Management of privacy regulation requirement
• Movement of data
• Security Awareness Training
• Data subject rights
10 Data Handling and Management: Various stages of the Amazon data lifecycle
• Collection & Storage
• Access
• Transfer
11 Third-Party Integration:
• Amazon data sharing with third parties
• Data sharing process and mechanism
12 Customer Support:
• Seller support tools (CRM)
• Seller support process and mechanism
*Potential topics where key personnel may need to screen share with the assessment team
Frequently Asked Questions
1. Why are we being assessed?
➢ Developers are selected for assessment based on a variety of factors, including the nature and extent of their data access, as well as the
potential risks associated with such access. The primary purpose of these assessments is to ensure that developers are effectively managing and
safeguarding sensitive data in alignment with Amazon's data and privacy policies. This process also involves verifying adherence to the most
recent updates to Amazon's assessment framework. Through these assessments, we aim to maintain high standards of data security and privacy,
thereby protecting both the company and its customers.
2. Who needs to be on the assessment call?
➢ To ensure a thorough and efficient assessment process, it is essential that you include team members who possess comprehensive knowledge
and the capability to address all relevant topics. Specifically, individuals who are familiar with and can speak to the areas outlined in the Key
Assessment Domains section should be present. This might include representatives from your data security team, compliance officers, and any
other personnel involved in data handling and protection. Their expertise and insights will be crucial in providing accurate and complete
information during the assessment.
3. What if we have gaps and are currently not compliant?
➢ The goal of the assessment is to identify any potential gaps in your current practices and to assist you in addressing and remediating these
issues. If your organization is found to be non-compliant with Amazon's standards, it is important to take prompt action to close these gaps. We
encourage you to work closely with your internal team as well as with the Amazon team to develop and implement a remediation plan within
the specified timeframe. During this period, it is imperative that you remain responsive and open to communication, as this will facilitate a
smoother and more effective resolution of the identified issues.
4. Will I be assessed again?
➢ Amazon's commitment to data security and privacy involves regularly updating its security framework to address emerging threats and evolving
best practices. Consequently, re-assessments may be initiated based on these updates or other relevant factors. By periodically re-evaluating
compliance with our updated framework, we aim to ensure that developers meet our stringent security standards. Therefore, it is possible that
you may undergo re-assessment in the future.
5. How much will this assessment cost us?
➢ The assessment process is provided at no cost to you and will be conducted by PwC. This complimentary service is part of Amazon's commitment
to maintaining high standards of data security and privacy across developers and partners.