Amazon Data Use Addendum
This Amazon Data Use Addendum (the “Addendum”) supplements and is incorporated by reference into the Master Service Agreement (“MSA”) between Nagog Innovation Technology Inc. (“Nagog”) and the seller customer that has authorized Nagog’s application to access the customer’s Amazon Selling Partner data (“Seller”). This Addendum governs Nagog’s handling of Amazon Information obtained through the Amazon Selling Partner API (“SP-API”). In the event of any conflict between this Addendum and the MSA with respect to Amazon Information, this Addendum controls.
1. Definitions
For purposes of this Addendum:
- “Amazon Information” means information that Nagog obtains from or through Amazon’s SP-API in connection with Seller’s authorization, including order metadata as described in Section 3.
- “Authorized Purpose” means delivering customer service to Seller’s end customers, as described in Section 2.
- “DPP” means the Amazon Data Protection Policy version 2 (or any successor version), available at https://developer-docs.amazon.com/sp-api/docs/data-protection-policy.
- “Security Incident” means a confirmed event of unauthorized access to, use of, disclosure of, or destruction of Amazon Information.
- “Sub-Processor” means any third party engaged by Nagog to process Amazon Information on Nagog’s behalf.
2. Scope and Authorized Purpose
Nagog will Process Amazon Information solely to deliver the Authorized Purpose. Permitted activities include:
- Retrieving order details to respond to a customer service inquiry from Seller’s end customer
- Confirming order status, item details, or fulfillment status during a customer service interaction
- Identifying the order to which a customer service inquiry relates
Prohibited uses. Nagog will not, and will not permit any party acting on its behalf to:
- Use Amazon Information to train, validate, or improve any artificial intelligence or machine learning model
- Use Amazon Information for advertising, marketing, or any commercial purpose other than the Authorized Purpose
- Aggregate Amazon Information across multiple sellers, anonymize it, or perform comparative analytics or benchmarking
- Sell, rent, lease, or otherwise transfer Amazon Information to any third party
- Use Amazon Information to compete with Seller, with Amazon, or with any other Amazon seller
- Combine Amazon Information with information obtained from any non-Amazon source
3. Data Categories and PII Exclusion
Nagog accesses the following categories of Amazon Information:
- Order identifier and order date
- Order status and fulfillment status
- Order amount, currency, and itemized totals
- Item SKU, ASIN, quantity, and product title
- Marketplace identifier
- Carrier identifier and tracking reference (where available)
- Buyer-anonymized location data limited to country and postal code prefix (where available)
Buyer PII not accessed. Nagog does not access, request, or hold:
- Buyer name, email address, telephone number, or full shipping address
- Amazon Restricted Data Token (“RDT”) authorizations
- Any data field classified by Amazon as Personally Identifiable Information
If at any time Seller’s role authorization grants access to PII fields beyond the categories listed above, Nagog will not access those fields and will work with Seller to scope authorization appropriately.
4. Storage, Security, and Encryption
Nagog will maintain the following technical and organizational safeguards for Amazon Information:
- Storage location: AWS region us-east-1 (N. Virginia, USA) only
- Encryption at rest: AES-256 with keys managed in AWS Key Management Service (“KMS”)
- Encryption in transit: TLS 1.2 or higher for all network communication
- Network isolation: deployment in private VPCs with security group restrictions and a web application firewall
- Access control: role-based access on the principle of least privilege; multi-factor authentication required for production access; access logged in tamper-resistant audit logs
- Personnel screening: background checks for personnel with production access
- Annual training: all personnel with access to Amazon Information complete annual training on the DPP and Nagog’s security policies
5. Sub-Processors
As of the Effective Date, Nagog engages no Sub-Processors to Process Amazon Information.
If Nagog proposes to engage a Sub-Processor for Amazon Information, Nagog will:
- Provide Seller with written notice at least 30 days before the engagement begins
- Identify the Sub-Processor and the scope of its processing activities
- Bind the Sub-Processor in writing to obligations no less protective than those in this Addendum
Seller may object to a proposed Sub-Processor on reasonable grounds within 15 days of the notice. If the parties cannot resolve the objection, Seller may terminate the MSA with respect to the affected services without penalty.
6. International Data Transfers
Amazon Information is stored only in AWS region us-east-1 and is not replicated outside that region.
Nagog operates customer service personnel in the United States, India, and the Philippines. Personnel located in India and the Philippines may view Amazon Information through Nagog’s controlled remote-access infrastructure, which:
- Uses Virtual Desktop Infrastructure (“VDI”) with no local file storage on personnel devices
- Requires multi-factor authentication for every session
- Disables clipboard, file transfer, and printing within the remote session
- Logs every record accessed in tamper-resistant audit logs
Where the European Commission’s Standard Contractual Clauses (“SCCs”) or equivalent transfer mechanisms apply, Nagog will incorporate them by reference and comply with their requirements.
7. Retention and Deletion
Nagog retains Amazon Information only for as long as Seller’s authorization is active and customer service engagements are ongoing.
- Upon Seller’s revocation of OAuth authorization in Amazon Seller Central, or upon termination of the MSA, Nagog will delete Amazon Information from production systems within 30 days
- Backup copies will be purged through standard backup rotation within 45 days of revocation or termination
- Nagog will issue a written Deletion Certificate to Seller within 60 days of revocation or termination, on Seller’s request
Nagog may retain Amazon Information beyond these periods only to the extent required by applicable law (for example, tax records), and only for the minimum period required.
8. Security Incident Response
Nagog maintains a written incident response plan that includes monitoring, detection, containment, notification, and remediation phases.
In the event of a confirmed Security Incident affecting Amazon Information, Nagog will:
- Contain the incident immediately and preserve forensic evidence
- Assess the scope, root cause, and impact
- Notify Seller and Amazon at security@amazon.com within 24 hours of confirmed detection. Notice will include: nature of the incident, categories and approximate volume of Amazon Information affected, likely consequences, and measures taken or proposed
- Remediate by implementing corrective actions and additional safeguards
- Conduct a post-incident review and provide Seller with a written root cause report within 30 days of incident closure
Where the GDPR or UK GDPR applies, Nagog will additionally notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay where required.
Nagog also maintains a policy to notify Amazon of organizational changes that materially affect Amazon Information handling within 30 days of the change.
9. Employee Obligations
All Nagog personnel with access to Amazon Information must:
- Sign a written confidentiality agreement with terms applicable to Amazon Information
- Pass a background check appropriate to their role and jurisdiction
- Complete initial and annual DPP training, with attendance recorded
- Acknowledge Nagog’s information security policies in writing
- Have their access revoked immediately upon role change or separation
Violations of these obligations are subject to disciplinary action up to and including termination of employment or engagement.
10. Amazon as Third-Party Beneficiary
Amazon is an express third-party beneficiary of this Addendum. Amazon may enforce the terms of this Addendum directly against Nagog with respect to Amazon Information, including the Authorized Purpose limitations, prohibited-use commitments, security obligations, and incident reporting obligations.
Nagog will at all times comply with the Amazon Acceptable Use Policy, the DPP, and other Amazon policies applicable to SP-API developers. If Amazon updates the DPP or other applicable policies, Nagog will update its practices accordingly within the timelines Amazon requires.
11. Audit Rights
Seller may submit one written compliance inquiry per twelve-month period requesting Nagog’s confirmation of compliance with this Addendum. Nagog will respond within 30 days.
In lieu of on-site audit, Nagog will provide a current SOC 2 Type II report, ISO 27001 certificate, or equivalent independent security assessment report on request and subject to a confidentiality agreement.
Amazon retains audit rights under the DPP. Nagog will cooperate with Amazon-initiated audits in accordance with the DPP.
12. Seller’s Representations
Seller represents and warrants that:
- Seller has authority to authorize Nagog’s access to Seller’s Amazon Selling Partner account
- Seller’s authorization scope passed to Nagog through SP-API is limited to the data fields necessary for the Authorized Purpose
- Seller will not pass through Nagog any Amazon information that Seller does not have authority to share
- Seller is and will remain compliant with applicable Amazon Seller policies
13. Term, Termination, and Contact
Term. This Addendum takes effect when Seller authorizes Nagog’s application via SP-API and remains in effect until termination of the MSA or revocation of authorization, whichever is earlier.
Survival. Sections 2 (Authorized Purpose limitations), 7 (Retention and Deletion), 10 (Amazon as Third-Party Beneficiary), and any obligations relating to Security Incidents that occurred during the Term survive termination.
Amendments. Nagog may update this Addendum to reflect changes to the DPP or applicable law. Material amendments will be communicated to Seller at least 30 days before they take effect. Seller’s continued use of services after the effective date constitutes acceptance.
Contact. Notices and inquiries under this Addendum should be sent to:
Nagog Innovation Technology Inc.
394 Lowell St
Lexington, MA 02420
United States
Email: info@nagoginnovation.com