Data Protection & Security Policy

Last Updated: June 2026 · Reviewed at least every 6 months

1. Scope

This policy describes how Carnesazo collects, processes, stores, uses, shares, and disposes of data, and the security controls we apply to protect it. It applies to all data we handle, and specifically governs Amazon Selling Partner Information (including Personally Identifiable Information such as buyer names and shipping addresses) accessed through the Amazon Selling Partner API (SP-API) for the purpose of merchant-fulfilled order shipping. This policy is reviewed and updated at least every six (6) months.

2. Data Lifecycle

Collected

Amazon Information is retrieved directly and exclusively from the Amazon Selling Partner API over an authenticated, encrypted (TLS 1.2+) connection. We do not obtain Amazon Information from any external or third-party source. The data we access is limited to what is required to fulfill orders: order identifiers, item details, and the buyer name and shipping address needed to generate a shipping label.

Processed

Amazon Information is processed solely to generate and purchase shipping labels for merchant-fulfilled orders and to confirm shipment back to Amazon. Processing occurs in our serverless application environment (Vercel) and our managed database (Supabase). No automated decision-making, profiling, advertising, or resale of Amazon Information takes place.

Stored

Amazon Information is stored only in our managed PostgreSQL database (Supabase, hosted on AWS). It is encrypted at rest using AES-256, with cryptographic keys managed by the underlying AWS Key Management Service (KMS) using envelope encryption and provider-managed key rotation. Application secrets and API credentials are stored as encrypted environment variables in our hosting platform and are never committed to source control.

Used

Amazon Information is used exclusively for order fulfillment (shipping label generation and shipment confirmation). It is never used for marketing, advertising, analytics unrelated to fulfillment, or any purpose outside the scope permitted by the Amazon Acceptable Use Policy.

Shared

Amazon Information is not sold and not shared with any third party for that party’s own use. The only data transmitted externally is the minimum shipping address necessary to purchase a shipping label, sent over an encrypted connection to our shipping carrier / label provider (Shippo) acting strictly as a processor on our behalf to complete the fulfillment for which the buyer provided the information. No Amazon Information is shared with advertising networks, data brokers, or marketing partners.

Retained & Disposed

Amazon Information is retained only as long as necessary to fulfill the order and to meet legal, tax, and accounting obligations, after which it is permanently deleted. Personally Identifiable Information not required for legal retention is purged once the fulfillment purpose is complete. Deletion requests are honored promptly. Disposal is performed by permanent deletion from the database and backups in accordance with their retention schedule.

3. Network Protection & Access Control

  • Databases and file storage are not publicly exposed. The database is reachable only through an authenticated API protected by Row-Level Security (RLS); public ports are closed and access is gated by managed-provider firewalls and network segmentation between production and development.
  • All application traffic is served exclusively over HTTPS/TLS 1.2+. There are no public file servers; static assets are served from a CDN.
  • Administrative access requires Multi-Factor Authentication (MFA). Access to Amazon Information is granted on a least-privilege, need-to-know basis and is individually attributable to a named, authenticated user.
  • Developer/endpoint devices are protected with full-disk encryption, automatic screen lock, host firewall, and anti-malware. Amazon Information is never downloaded to personal devices or removable media (USB drives, phones); access occurs only through MFA-protected cloud consoles.

4. Encryption

In transit: all data, including Amazon Information, is encrypted using TLS 1.2 or higher. At rest: data is encrypted using AES-256, with keys managed by AWS Key Management Service (KMS) under the managed database provider, using envelope encryption and automated key rotation.

5. Backups & Recovery

Encrypted automated daily backups and continuous point-in-time recovery (PITR) are maintained by our managed database provider and stored in storage that is geographically separated from the primary production database within the provider’s cloud (AWS), encrypted at rest. Recovery objectives: RPO ≈ 2 minutes (via PITR write-ahead logging) and RTO of a few hours. Restore procedures consist of restoring from the most recent backup or a point-in-time snapshot into a new instance and re-pointing the application.

6. Logging & Monitoring

  • Database access, authentication events, and application/API activity are logged by our managed providers (Supabase, Vercel) and reviewed for suspicious activity.
  • Automated alerts notify the administrator by email of failed-authentication spikes, anomalous access, and new-device sign-ins so incidents can be investigated promptly.
  • Security and access logs are retained for a minimum of 12 months.
  • Logs do not store Personally Identifiable Information; only non-sensitive identifiers (e.g., order IDs) are recorded for investigation.

7. Vulnerability & Change Management

Application dependencies are continuously scanned for known vulnerabilities, and code is scanned prior to release. Critical findings are remediated within 7 days and high findings within 30 days. All changes are tested in a non-production environment and deployed through a CI/CD pipeline before reaching production; production access for deploying changes is restricted to authorized administrators.

8. Incident Response Plan

Carnesazo maintains an incident response plan with defined roles and responsibilities, reviewed at least every six (6) months. In the event of a suspected database breach, unauthorized access, or data leak, we:

  1. Contain the incident and revoke/rotate all potentially compromised credentials and API keys.
  2. Assess scope and impact using access and audit logs.
  3. Notify Amazon within 24 hours of detecting a Security Incident involving Amazon Information by emailing security@amazon.com, and notify any other affected parties as legally required.
  4. Remediate the underlying vulnerability and restore from clean backups if needed.
  5. Conduct a post-incident review and update controls to prevent recurrence.

Incident Management Point of Contact: Roger Garcia — roger@stxvc.com.

9. Credential & Password Management

All systems handling Amazon Information require unique passwords with a minimum length of 12 characters and complexity (a combination of uppercase, lowercase, numbers, and special characters), enforced via a password manager. Multi-Factor Authentication (MFA) is required on all such systems. Passwords are rotated at least every 365 days. Credentials are never shared, hard-coded into applications, or committed to public repositories; secrets are stored as encrypted environment variables.

10. Contact

Questions about this policy or to report a security concern: roger@stxvc.com.

Made for the Moments That Matter.

From backyard cookouts to weeknight dinners — Carnesazo brings the sabor that brings everyone together.