*** In order to use the Channel Spyder website, you must agree to the following. ***
Channel Spyder Data Handling Policy
Channel Spyder standard operating policy includes controls to manage risk to the confidentiality, integrity and availability of sensitive data in any form; these controls represent a minimum standard for protection of this data. Controls required under applicable laws, regulations, or standards governing Personally Identifiable Information ("PII") also apply. Each individual who creates, uses, processes, stores, transfers, administers, and/or destroys sensitive data within Channel Spyder is responsible and accountable for complying with these standards.
Data Records within the Channel Spyder Application are primarily created via secure data acquisition from an online Marketplace (Amazon, eBay, Walmart, etc.) or website. These data records are occasionally created or edited by the Seller who owns & operates the online store on said marketplace or website. Virtually all records include PII and are used to fulfill product orders for online Buyers.
It is essential that all records are created and maintained appropriately throughout their entire life cycle. Personally Identifiable Information (PII) contained in Channel Spyder's data records constitutes an area of critical concern because of the severe risk to Channel Spyder, its clients and connectivity partners should records be mishandled or information inappropriately accessed or disclosed. As a consequence, records containing sensitive information & PII should exist only in areas where there is a legitimate and justifiable business need.
The Channel Spyder Application uses a unique ID assigned to each individual with computer access to Sensitive Information. Under no circumstances do we create or use generic, shared, or default login credentials or user accounts. We have implemented baselining mechanisms to ensure that at all times only the required user accounts have access to Sensitive Information. We review the list of people and services with access to Sensitive Information on a monthly basis and remove accounts that no longer require access. We restrict employees from accessing or storing Sensitive Information on personal devices. We maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts and disabling accounts with access to Sensitive Information as needed.
All Channel Spyder Application servers and systems employ AWS VPC subnet/Security Groups as well as network firewall protection controls for the purpose of denying access to unauthorized IP addresses. Public access is restricted to approved users only.
Encryption and Storage
All PII is encrypted at rest using AES-256 industry standards. All cryptographic materials (encryption/decryption keys) and cryptographic capabilities used for encryption of PII at rest are only accessible to the Channel Spyder system processes and services. We do not store PII in removable media (USB, flash drives, etc.) or unsecured public cloud applications (Google Drive, Dropbox, etc.). No documents containing PII are ever printed on paper.
Encryption in Transit
The Channel Spyder Application encrypts all Sensitive Information in transit, when the data traverses a network or is otherwise sent between hosts, using HTTP over TLS (HTTPS). We enforce this security control on all applicable external endpoints used by customers as well as on internal communication channels and in operational tooling. We don't use communication channels which do not provide encryption in transit even if unused. In addition, the Channel Spyder Application uses message-level encryption where channel encryption terminates in untrusted multi-tenant hardware.
Data Retention and Recovery
We retain PII only for the purpose of fulfilling product orders on behalf of our clients (online Sellers). This retention period is for no more than 30 days ("Hold Period") from shipment and online confirmation of delivery to the Buyer (our client's Customer). Channel Spyder is not required by law to retain archival copies of PII, therefore beyond the 30-day Hold Period, we do not maintain backup media of any kind for PII. In the event that PII is lost, erased or unavailable for processing due to system crash or ransomware during the 30-day Hold Period, Channel Spyder maintains a backup copy of all PII. This copy is encrypted and meets all security requirements noted in this policy. All security backups are purged with the original at the end of the 30-day Hold Period.
Least Privilege Principle
Channel Spyder employs fine-grained access control mechanisms when granting rights to any party using the Application, as well as the Application's operators, following the principle of least privilege. Application sections or features that vend PII are protected under a unique access role, and access is only granted on a "need-to-know" basis.
PO Box 2166
Yorba Linda, CA 92885