Subject to change as set forth below. Save a copy of this version as needed for your internal records.
THIRD PARTY SECURITY REQUIREMENTS
Last updated September 8, 2022
1. Scope. Supplier shall comply with Amazon’s information security requirements as set forth in these third party security requirements (the “Security Requirements”). The Security Requirements apply to all Processing of, and Security Incidents involving, Amazon Information. These commitments apply to Supplier, its Personnel, and all information systems involved in the Processing of Amazon Information. To the extent these Security Requirements conflict with the Agreement, Supplier will notify Amazon of the conflict and will comply with the requirement that is more restrictive and protective of Amazon Information. Notwithstanding any contrary language in the Agreement, Amazon may change these Security Requirements from time to time at its sole discretion. You agree to be bound by the modified terms. It is your responsibility to check regularly for modifications to the Security Requirements.
2. Definitions. The following definitions apply to this Security Policy: (i) “Amazon” means Amazon.com, Inc. and its affiliates; (ii) “Agreement” means any agreement that references these Security Requirements; (iii) “Aggregate” means to combine or store Amazon Information with any data or information of Supplier or any third party; (iv) “Amazon Information” means: (a) Amazon Confidential Information (as defined in the Agreement or in a non-disclosure agreement between the parties); (b) all other data, records, files, content or information received from Amazon or its affiliates and Processed by Supplier in connection with the Agreement; and (c) data derived from (a) or (b), even if anonymized; (v) “Personnel” means Supplier’s or Subcontractor’s employees, agents, subcontractors, and other authorized users of its systems and network resources; (vi) “Physical, Administrative, and Technical Safeguards” refers to the controls an organization implements to maintain information security, and includes: (a) physical safeguards to address physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion; (b) administrative safeguards to address administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic data or information and to manage the conduct of Personnel in relation to the protection of that data or information; and (c) technical safeguards to address the technology, and the policies and procedures for its use, that protect electronic data or information and control access to it; (vii) “Process” means to perform any operation or set of operations on data, such as access, use, collection, receipt, storage, alteration, transmission, dissemination or otherwise making available, erasure, or destruction; (viii) “Security” refers to the three properties of information security known as confidentiality, integrity, and availability; (ix) “Security Incident” means any circumstance when (a) Supplier knows or reasonably believes that the Security of Amazon Information has been compromised; (b) Supplier knows or reasonably believes there has been unauthorized access to or compromise of the security of any system that Processes Amazon Information; or (c) Supplier receives a complaint, report, or other information regarding potential compromise or exposure of Amazon Information Processed by Supplier; and (x) “Supplier” means each Supplier, Vendor, or Contractor defined in an Agreement and any other provider subject to an Agreement.
3. Permitted Purpose. Supplier shall (i) only Process Amazon Information as expressly authorized under the Agreement (the “Permitted Purpose”); (ii) not transfer, rent, barter, trade, sell, loan, lease, or otherwise distribute or make Amazon Information available to any third party and (iii) not Aggregate Amazon Information, even if anonymized or pseudonymized, except as expressly authorized under the Agreement.
4. Information Security Requirements. Supplier will maintain Physical, Administrative, and Technical Safeguards consistent with industry best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or other similar industry standards for information security) to protect the Security of Amazon Information. The safeguards maintained by Supplier shall include the following minimum requirements:
4.1 Written information security program. Supplier shall implement a written information security program that (i) includes appropriate policies, procedures, and standards; (ii) is reviewed at least annually and updated as necessary; and (iii) applies to Supplier’s Personnel. Supplier shall monitor and enforce program compliance and address violations.
4.2 Risk management program. Supplier shall implement a written information security risk management program, which defines processes for risk analysis, risk treatment, risk acceptance, and exceptions.
4.3 Security awareness training. Supplier shall provide security training to Personnel upon hiring and at least annually on relevant threats.
4.4 Data inventory. Supplier shall document and maintain information regarding how and where Amazon Information is Processed. Upon Amazon’s request, in coordination with Security Reviews and Audits or Security Incidents, Supplier will provide to Amazon the information referenced in this section.
4.5 Secure configurations. Supplier shall manage up-to-date secure configurations of its systems using industry best practices to protect the Security of Amazon Information.
4.6 Vulnerability and patch management. Supplier shall maintain a process to timely identify and remediate vulnerabilities through patches, updates, bug fixes, or other modifications to maintain the Security of Amazon Information.
4.7 Security testing. Supplier shall conduct periodic internal and external penetration testing to identify vulnerabilities at least annually. Identified vulnerabilities shall be addressed as part of Supplier’s vulnerability management program.
4.8 Maintenance, monitoring, and analysis of audit, event, and security logs. Supplier shall collect, manage, retain, and analyze audit, event, and security logs to help detect, investigate, and recover from unauthorized activity. Supplier shall keep and maintain logs for at least 12 months. If Supplier is providing a service to Amazon in a multi-tenant environment (e.g., a SaaS application), Supplier shall ensure that logs related to Amazon Information have a unique Amazon implementation ID to enable the filtering and review of logs specific to Amazon Information. Upon Amazon’s request in coordination with Security Reviews and Audits or Security Incidents, Supplier will provide to Amazon all logs referenced in this section.
4.9 Malware defenses. Supplier shall deploy anti-malware software to all systems; maintain the anti-malware software’s updates, signatures, and configurations; and configure systems to control and detect the installation, spread, and execution of malicious code.
4.10 Firewalls. Supplier shall maintain and configure firewalls to protect systems from unauthorized access and shall review firewall rule sets at least annually to ensure valid, documented business cases exist for all rules.
4.11 Suitable environment. Supplier shall only use Amazon Information in an environment suitable to its purpose and will neither (i) use production data on test equipment nor (ii) use test data on production equipment.
4.12 Change management. Supplier shall ensure that changes to production systems are tracked, recorded, and reviewed.
4.13 Authorized services. Supplier shall disable all unnecessary services, protocols, and ports and document all authorized services with an approved business justification.
4.14 Encryption. Supplier shall encrypt all Amazon Information at rest and in transit across open networks in accordance with industry best practices. If Amazon Information is transmitted on internal Supplier networks, it shall be transmitted through an encrypted protocol that meets industry best practices.
4.15 Controlled use of administrative privileges. Supplier shall limit and control use of administrative privileges following industry best practices.
4.16 Access controls. Supplier shall implement the following access controls: (i) assign individual, unique IDs to Personnel with access to Amazon Information, including accounts with administrative access; (ii) do not allow Personnel to share accounts; (iii) restrict access to Amazon Information to only Personnel with a “need-to-know” for a Permitted Purpose; (iv) maintain an inventory of all administrator accounts with access to Amazon Information and provide a list of these accounts to Amazon upon request; and (v) review at least once every 90 days Personnel and services with access to Amazon Information and remove accounts that no longer require access.
4.17 Password management. Supplier shall implement password management policies that comply with current industry best practices, including: (i) changing all default and manufacturer-supplied passwords before deploying any new hardware, software, or other asset, to a password consistent with the password-strength requirements set out in section (ii) of this paragraph; (ii) ensuring that all Personnel use strong passwords that: (a) are a minimum length of 8 characters; (b) do not match commonly used, expected, or compromised passwords; and (c) are changed if there is evidence the password may have been compromised; (iii) storing passwords in a non-cleartext form that is resistant to offline attacks; and (iv) implementing a rate-limiting mechanism, or compensating controls, that effectively limits the number of failed authentication attempts on a user’s account to prevent brute-force attacks.
4.18 Remote access; multi-factor authentication required. Supplier shall implement multi-factor authentication (i.e., requiring at least two factors to authenticate a user) for remote access to any network, system, application, or other asset.
4.19 Access logging. For purposes of this section, “in bulk” access means accessing data by means of database query, report generation, or any other mass transfer of data. Except as expressly set forth in the Agreement or otherwise by Amazon in writing, Supplier shall not access, and will not permit access to, Amazon Information “in bulk” whether Amazon Information is in an Amazon- or Supplier-controlled database or stored using any other method, including storage in file-based archives (e.g., flat files). Supplier will implement appropriate Physical, Administrative, and Technical Safeguards—including access controls, logging, and monitoring—to prevent and detect “in bulk” access to Amazon Information. Where “in bulk” access is authorized by Amazon, Supplier shall (i) limit such access only to specified Personnel with a “need to know”, and (ii) require explicit authorization and logging of all “in bulk” access. Upon Amazon’s request in coordination with Security Reviews and Audits or Security Incidents, Supplier will provide to Amazon all logs on “in bulk” access referenced in this section.
4.20 Data segregation. Supplier shall isolate Amazon Information at all times from Supplier’s and any third party information. If isolation is not possible, Supplier shall ensure that Amazon Information is distinguishable from Supplier’s other information for logging, deletion, and incident response purposes.
4.21 Confidentiality, personnel security, and nondisclosure. Supplier shall take all reasonable precautions to ensure that Personnel granted access to Amazon Information will maintain the information’s confidentiality and use the data only for the Permitted Purpose. These precautions shall include, at a minimum, imposing confidentiality requirements through a nondisclosure agreement or Supplier policy. If requested in writing by Amazon, Supplier shall put in place individual nondisclosure agreements with Personnel, in a form specified by Amazon, and provide Amazon with copies of such agreements.
5. Payment security requirements. If Supplier has access to or will Process credit, debit, or other payment cardholder information, Supplier shall also comply with the latest version of the Payment Card Industry Data Security Standard (“PCI DSS”) requirements, and shall promptly implement all procedures and practices necessary to remain compliant.
6. Subcontracting. Except as expressly set forth in the Agreement or otherwise by Amazon in writing, Supplier will not subcontract or delegate any of its obligations under this Security Policy to any third party without Amazon’s prior written consent.
7. Access to Amazon Extranet and Supplier portals. Amazon may grant Supplier access to Amazon Information via web portals or other non-public websites or extranet services (“Extranet”) in connection with a Permitted Purpose. In such circumstances, Supplier shall: (i) access the Extranet and access, collect, use, view, retrieve, download or store Amazon Information from it solely for the Permitted Purpose; (ii) ensure Personnel use only the Extranet account(s) designated for each individual by Amazon and require Personnel to keep their access credentials confidential and not share them; (iii) access the Extranet only through computing or processing systems managed by Supplier in compliance with these Security Requirements; (iv) not download, mirror or permanently store any Amazon Information from any Extranet on any medium, including devices or servers; (v) terminate the account of any Personnel (if Supplier controls account provisioning) and notify Amazon no later than 24 hours after any Personnel previously authorized to access any Extranet no longer needs access to Amazon Information or are no longer Personnel.
8. Amazon Sub-Domains or URLs. Any (sub)domain or URL Supplier provides for Amazon’s sole use must not be issued or re-used by Supplier to any third party for at least 5 years after termination or expiry of the Agreement.
9. Data Retention, Return, and Destruction. Supplier will retain Amazon Information only as necessary for a Permitted Purpose. At Amazon’s request, or upon the expiry or termination of the Agreement, Supplier shall, within 5 business days (or 30 calendar days for data in backup or online storage), return to Amazon and securely delete all copies of Amazon Information in its possession or control and shall confirm to Amazon in writing that all copies of Amazon Information have been returned and securely deleted. If Supplier is required by law to retain archival copies of Amazon Information, Supplier shall notify Amazon and shall not use archived information for any other purpose and shall remain bound by all its obligations under these Security Requirements. All Amazon Information deleted by Supplier must be securely deleted using a method following industry best practices and designed to prevent data from being recovered. If deletion is not possible, Supplier can encrypt the data and permanently and securely delete all copies of the encryption keys. Before permanently discarding or disposing of any storage media that contains or previously contained Amazon Confidential Information, Supplier will destroy it using a method designed to render the media unusable and the data unrecoverable (e.g., disintegration, incineration, pulverizing, shredding, and melting). This destruction requirement shall not apply to storage media Supplier does not have physical access to or control of, such as storage media used in a public cloud or other third party environment and, in such cases, Supplier shall ensure Amazon Confidential Information stored in the third party environment is securely deleted when no longer needed using a method following industry best practices.
10. Security Reviews and Audits. Upon Amazon’s request, Supplier shall (i) complete a new Amazon assessment questionnaire, (ii) provide evidence requested by Amazon to validate Supplier’s compliance with these Security Requirements, and (iii) permit Amazon or a third party appointed on its behalf to perform an audit of Supplier’s compliance with these Security Requirements. Supplier will promptly address any findings identified in such audit and shall, at its own expense, promptly develop and implement a corrective action plan agreed to by Amazon.
11. Security Incidents. Supplier shall (i) maintain a written incident response plan and provide a copy of such plan to Amazon upon request; (ii) remedy each Security Incident in a timely manner following Supplier’s response plan and industry best practices; (iii) notify Amazon within 48 hours of becoming aware of any Security Incident; and (iv) cooperate with Amazon in its handling of a Security Incident, including (a) coordinating with Amazon on Supplier’s response plan; (b) assisting Amazon’s investigation of the Security Incident; (c) facilitating interviews with Personnel and others involved in the Security Incident or response; and (d) making available to Amazon all relevant records, logs, files, data reporting, forensic reports, investigation reports and other materials required by Amazon. Unless required otherwise by law, Supplier shall obtain Amazon’s prior written consent before (i) notifying any third party (including any regulatory authority or customer) of any Security Incident; or (ii) identifying Amazon in any notification or public statement regarding any Security Incident. Unless required otherwise by law, Amazon shall have the sole right to determine whether notice of a Security Incident is to be provided to any third party and the form and content of such notice.
12. Notice of Legal Process. Except where prohibited by law, Supplier will inform Amazon within 48 hours if Amazon Information is being sought in response to legal process or other applicable law.