TheConsignPro

Data Protection Statement

Effective Date: November 1, 2025 · Last Updated: May 11, 2026

This Data Protection Statement outlines the technical and organizational measures implemented by Kanso WorldShop Inc. ("ConsignPro") to protect the security and confidentiality of partner and customer data, including data accessed via the Amazon Selling Partner API (SP-API).

This Statement is published in compliance with the Amazon Data Protection Policy and as part of our broader commitment to information security. It is intended to be read alongside our Privacy Policy and Terms of Service.

1. Information Security Program

ConsignPro maintains an information security program with documented policies covering:

  • Access control and authentication
  • Data encryption at rest and in transit
  • Vulnerability management
  • Incident response
  • Vendor risk management
  • Personnel training
  • Physical security of our Pittsburgh facility

2. Encryption Standards

2.1 Encryption at Rest

Sensitive data is encrypted at rest using industry-standard algorithms:

  • Amazon SP-API OAuth refresh tokens: AES-256-GCM with authenticated encryption
  • Stripe customer payment data: tokenized and stored exclusively in Stripe's PCI-compliant infrastructure (never on ConsignPro servers)
  • Banking information: stored in encrypted database fields, accessible only to authorized personnel
  • User passwords: hashed using bcrypt with appropriate work factors

2.2 Encryption in Transit

  • All web traffic is served over HTTPS (TLS 1.2 or higher)
  • All API calls to Amazon SP-API, Stripe, Wise, and other third-party services use HTTPS
  • Internal service-to-service communications are encrypted
  • HSTS (HTTP Strict Transport Security) is enabled

3. Access Control

  • Administrative access to systems is limited to authorized personnel
  • Multi-factor authentication (MFA) is required for all administrative accounts
  • Access is granted on a least-privilege basis
  • Access is reviewed periodically and revoked promptly upon role change or departure
  • All administrative actions are logged

4. Amazon SP-API Data Handling

4.1 Scope of Access

ConsignPro accesses only the minimum data required to provide the reimbursement service:

  • FBA Inventory Adjustments reports
  • Returns reports
  • Reimbursements reports (historical reimbursements already paid)
  • Seller account identification
  • Marketplace participation data

We do not access order details containing Personally Identifiable Information (PII) of end customers unless specifically required for a documented reimbursement claim. When such access is necessary, it is requested through the SP-API Restricted Data Token flow with appropriate justification, and data is purged after use.

4.2 Data Storage and Retention

  • OAuth refresh tokens are stored encrypted and used only to refresh access tokens
  • Retrieved Amazon data is stored in our partner-specific database tables, accessible only to authorized personnel
  • Customer PII obtained via Restricted Data Token is purged within 30 days of claim resolution
  • Aggregated reimbursement records are retained for 7 years for tax purposes

4.3 Data Sharing

Data obtained from Amazon SP-API is:

  • Not sold to any third party
  • Not shared with advertisers, marketers, or data brokers
  • Not used for any purpose unrelated to the reimbursement service
  • Not transferred outside the United States except as required for normal cloud hosting operations

4.4 Authorization Revocation

Partners may revoke ConsignPro's Amazon SP-API authorization at any time through the vendor portal Settings page. Upon revocation:

  • Refresh tokens are immediately invalidated in our system
  • No further data is retrieved from Amazon
  • Historical claim records remain for tax and audit purposes but no new processing occurs

5. Infrastructure & Hosting

The Services are hosted on professional cloud infrastructure with industry-standard security:

  • Application hosting: Railway (provisioned through Google Cloud Platform)
  • Database: PostgreSQL on managed cloud infrastructure with automated backups
  • DNS & CDN: Cloudflare with DDoS protection and Web Application Firewall (WAF)
  • SSL/TLS certificates: Let's Encrypt / Cloudflare-managed, auto-renewed

6. Backup & Disaster Recovery

  • Database backups are performed daily by our managed database provider
  • Backups are encrypted and retained for 30 days
  • Backup recovery procedures are reviewed periodically

7. Personnel

  • All personnel with access to partner data have signed confidentiality agreements
  • Access is granted only to personnel with a documented business need
  • Training on data protection and security best practices is provided to relevant personnel

8. Incident Response

In the event of a suspected or confirmed data breach, ConsignPro will:

  • Investigate the incident immediately
  • Contain the breach and remediate the underlying cause
  • Notify affected partners without undue delay
  • Notify Amazon of any incident involving SP-API data within the timeframe required by the Amazon Data Protection Policy (typically within 24 hours of confirmation)
  • Cooperate with applicable regulatory authorities
  • Document the incident and corrective actions taken

9. Subprocessors

ConsignPro engages the following categories of subprocessors:

  • Cloud hosting and database providers (Railway, Cloudflare)
  • Payment processors (Stripe, Wise)
  • Email delivery services
  • Tax and accounting software providers

All subprocessors are bound by contractual data protection and confidentiality obligations.

10. Audit & Compliance

ConsignPro reviews its security practices periodically and updates them as needed in response to:

  • Changes in technology or threats
  • Changes in applicable regulations
  • Changes in Amazon's Data Protection Policy
  • Lessons learned from incidents

11. Contact

For security questions or to report a vulnerability:

Kanso WorldShop Inc.
Attn: Security
6901 Lynn Way STE 207
Pittsburgh, PA 15208, USA
Email: support@theconsignpro.com

© 2026 Kanso WorldShop Inc. All rights reserved. ConsignPro is a service of Kanso WorldShop Inc., a Pennsylvania corporation.