Scope
Policy Scope
This policy applies to:
• The head office of Kahnputers, LLC
• All branches of Kahnputers, LLC
• All staff of Kahnputers, LLC
• All contractors, suppliers and other people working on behalf of Kahnputers, LLC
It applies to all Protected Data that the company holds.
Protected Data risks
This policy helps to protect Kahnputers, LLC from some Protected Data security risks, including:
• Breaches of confidentiality, integrity or availability. For instance, information being given out inappropriately.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to Protected Data.
Responsibilities
Everyone who works for or with Kahnputers, LLC has some responsibility for ensuring Protected Data is collected, stored and handled appropriately.
Each team that handles Protected Data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
• The Chief Technology Officer (CTO) is ultimately responsible for:
o Ensuring that Kahnputers, LLC meets its legal obligations.
o Ensuring all systems, services and equipment used for storing Protected Data meet acceptable security standards.
o Performing regular checks and scans to ensure security hardware and software are functioning properly.
o Evaluating any third-party services the company is considering using to store or process Protected Data. For instance, cloud computing services.
o Approving any data protection statements attached to communications such as emails and letters.
o Addressing any data protection queries from journalists or media outlets like newspapers.
o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
• The Chief Compliance and Security Officer (CCSO) is responsible for:
o Ensuring that Kahnputers, LLC meets its legal obligations.
o Ensuring all systems, services and equipment used for storing Protected Data meet acceptable security standards.
o Performing regular checks and scans to ensure security hardware and software are functioning properly.
o Evaluating any third-party services the company is considering using to store or process Protected Data. For instance, cloud computing services.
o Approving any data protection statements attached to communications such as emails and letters.
o Addressing any data protection queries from journalists or media outlets like newspapers.
o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
Data classification
Kahnputers, LLC will maintain the following data classification definitions and security methods:
• Public data: Information that can be freely shared, such as on the company website. No security is needed around this data.
• Confidential data: This is the level of data that can be shared with a partner or prospective partner with a signed non-disclosure agreement in place. Data can be shared in email format. This includes product descriptions and system information that must be shared, such as API information with a partner.
• Protected Data: Data defined as PII, or Partner data (including Amazon Information). This data can be shared or stored only using the methods defined in this document.
• Restricted data: All data pertaining to the internal workings of Kahnputers, LLC. This information cannot be shared outside of an audit, and then must be handled by the CTO or CCSO using the most secure method available. This includes Kahnputers financial records, and any intellectual property it develops.
General staff guidelines
• The only people able to access Protected Data covered by this policy should be those who need it for their defined roles.
• Protected Data should not be shared informally. When access to confidential information is required, employees can request it from their managers.
• Kahnputers, LLC will provide training to all employees to help them understand their responsibilities when handling Protected Data.
• Employees should keep all Protected Data secure, by taking sensible precautions and following the guidelines below.
• In particular, strong passwords and password methodology (as defined by NIST standards) must be used.
• Protected Data should not be disclosed to unauthorised people, either within the company or externally.
• Protected Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of securely.
• Employees should request help from their manager or Kahnputers, LLC management if they are unsure about any aspect of data protection.
Protected Data storage
These rules describe how and where Protected Data should be safely stored. Questions about storing Protected Data safely can be directed to the Kahnputers, LLC management.
When Protected Data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to Protected Data that is usually stored electronically but has been printed out for some reason:
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
• Protected Data printouts should be shredded and disposed of securely when no longer required.
When Protected Data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
• Protected Data should be protected by strong passwords that are changed regularly and never shared between employees.
• If Protected Data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
• Protected Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
• Servers containing Protected Data should be housed in a secure location, away from general office space.
• Protected Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
• Protected Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
• All servers and computers containing Protected Data should be protected by approved security software (including malware and endpoint protection, as applicable) and a firewall.
• Whenever Protected Data is stored on electronic media and no longer needed, it must be removed using secure deletion techniques (such as NIST 800-88).
o Amazon Data must specifically be removed completely within 90 days of request.
o Any PII must only be kept for as long as required for legal or tax purposes, and no more than 30 days on a live production server after needed. Any PII that is needed for longer periods must be kept in offline storage.
• If partner data is requested to be deleted or returned, Kahnputers LLC must acknowledge the request, and comply within 72 hours.
• Access to all systems containing Protected Data must meet access management guidelines. This must include:
o All Kahnputers LLC employees must have a unique, non-shared login.
o No default, generic, or shared accounts can be used.
o The principle of ‘least privilege’ must be followed, so that only those who have a business need to have Protected Data access, in line with their job responsibilities, will have such access.
o All accounts with access will be deactivated upon termination of employment or change in responsibilities to where access is no longer required.
o User access reviews will occur at least quarterly by Kahnputers, LLC management to ensure only those individuals that require access still have it.
o Account lockout tools will be used so that accounts are locked out after repeated failed attempts to access an account or system with Protected Data, and must be manually re-enabled by Kahnputers, LLC management.
o Logs detailing access to all Protected Data must be kept and monitored by management, as detailed in the Incident Response Policy and Plan. All logs must be maintained for no less than 90 days.
• Protected Data must be encrypted in transit. Specifically, for Amazon Protected Data:
o Developers must encrypt all Amazon Information in transit (e.g., when the data traverses a network, or is otherwise sent between hosts). This can be accomplished using HTTP over TLS (HTTPS). Developers must enforce this security control on all applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling. Developers must disable communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels). Developers must use data message-level encryption (e.g., using AWS Encryption SDK) where channel encryption (e.g., using TLS) terminates in untrusted multi-tenant hardware (e.g., untrusted proxies).
• Protected Data must be encrypted in storage. Specifically, for AWS:
o Developers must encrypt all PII at rest (e.g., when the data is persisted). The cryptographic materials (e.g., encryption/decryption keys) and cryptographic capabilities (e.g., daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs) used for encryption of PII at rest must be only accessible to the Developer's processes and services. Developers must not store PII in removable media (e.g., USB) or unsecured public cloud applications (e.g., public links made available through Google Drive). Developers must securely dispose of any printed documents containing PII.
• In the event of any Security Incident involving protected data, notification procedures must be followed as outlined in the Incident Response Policy and Plan.
Protected Data use
It is when Protected Data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
• When working with Protected Data, employees should ensure the screens of their computers are always locked when left unattended.
• Protected Data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Protected Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
• Employees should not save copies of Protected Data to their own computers. Always access and update the central copy of any data.
• Maps of how all Protected Data is used will be completed using the “Protected Data record” template at the end of this document.
Data Recovery
Kahnputers, LLC has a requirement to be able to recover data if lost. The following methods are to be used to help ensure this:
• X
• X
• X
Data accuracy
Depending on jurisdiction and local/regional law, Kahnputers, LLC may be required to take reasonable steps to ensure protected data is kept accurate and up to date.
When Kahnputers, LLC operates in regions that have this requirement, requirements will be defined, and a mechanism will be designed to submit and process them.
Subject access requests
Depending on jurisdiction and local/regional law, individuals who are the subject of protected data held by Kahnputers, LLC may be entitled to inquire about their information.
When Kahnputers, LLC operates in regions that have this requirement, specific requirements will be defined, and a mechanism will be designed to submit and process them.
Disclosing Protected Data for other reasons
In certain circumstances, local or regional law allows protected data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Kahnputers, LLC will disclose requested protected data if appropriate documentation is provided or legal requirements followed. However, the CTO will ensure the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
Providing information
Kahnputers, LLC aims to ensure that individuals are aware that their data is being processed, and that they understand:
• How the data is being used
• How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
This policy can be found [link to external privacy policy]
Third Party Auditing
Certain third parties, typically partners for whom Kahnputers, LLC provides services or development, may require periodic audits of compliance with this policy. For this purpose, Kahnputers LLC will document all actions taken in line with this policy and store them on secure company servers. Records will be maintained for 14 months, and then securely deleted.