Privacy Notice for UAB 1stopVAT Use of Amazon Services API
Last updated: 15 September, 2023
Under applicable data protection laws, we are obligated to inform individuals about the processing of their personal data. We fulfil this obligation in this Privacy Notice, which explains how we collect, use and protect personal data within the scope of Amazon Services API in accordance with the General Data Protection Regulation No. 2016/679 (“GDPR”) and/or other applicable statutory regulations.
Please note that this Privacy Notice is specifically designed for UAB 1stopVAT's use of Amazon Services API and explains how UAB 1stopVAT (“we” or “1stopVAT”) processes and protects the personal data of clients and end-users collected using Amazon Services API.
1. DEFINITIONS
Agreement – Service agreement, Terms of Service and all schedules, order forms and addenda specifically referenced therein, concluded by UAB 1stopVAT and Client.
Client – a contracting entity identified in the Agreement.
Data Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data – any information relating to an identified or identifiable natural person. For the avoidance of doubt, it is clarified that, within the context of this Privacy Notice, the term “Personal data” is used synonymously with “PII” (Personal Identifiable Information).
Services – any and all services provided by UAB 1stopVAT in accordance with, and as defined in the Agreement.
2. DATA CONTROLLER
UAB 1stopVAT is the Data Controller in respect of all personal data described in this Privacy Notice. Our contact details:
Registration code: 305405450
Address: Ozo str. 12A-1, 08200 Vilnius, Lithuania
Contact details: [email protected]
3. WHAT PERSONAL DATA DO WE COLLECT AND WHY?
Purpose: 3.1 Provision of 1stopVAT services
Type of Data: We collect the following data through Amazon API:
– client’s unique code on the Amazon platform;
– sales data for the respective period;
– product name, quantities, codes, amounts, categories, etc.;
– place of storage of goods (city and country only);
– VAT codes available to the client;
– sales invoice numbers;
– place of delivery of goods (city and country only);
– for B2B: name and VAT code of the organization, city and ZIP code for the delivery location of goods;
– for B2C: city and ZIP code for the delivery location of goods.
Legal Basis: The processing of this data is necessary to fulfil our contractual obligations while providing our services (Article 6(1)(b) of the GDPR); processing is necessary for compliance with a legal obligation (Article 6(1)(c) of the GDPR); legitimate interest (Article 6(1)(f) of the GDPR).
Retention Period: We retain this data as long as it is necessary for the proper and complete provision of services in accordance with the Agreement. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims).

Purpose: 3.2 To handle support tickets or other queries submitted by Client
Type of Data: We collect all data, along with any communication and messages Client sends to us (including the time they were received / submitted), via the support ticket or other query.
Legal Basis: We have a legitimate interest in answering submitted questions and requests in accordance with Article 6(1)(f) of the GDPR.
Retention Period: If Personal Data is part of the customer support ticket or other query, this data is deleted once the support ticket or other query is closed. Other data (not Personal Data) is retained for 5 years after a ticket is closed. We may continue to retain some information even after this time if we are required to do so in order to comply with applicable laws or on the basis of justified interests (e.g., retention for asserting claims).
4. WHO DO WE DISCLOSE YOUR PERSONAL DATA TO WITHIN AND OUTSIDE THE EEA?
Where necessary, we may transfer and/or otherwise disclose your personal data to the law enforcement authorities, regulatory bodies, courts and other authorised governmental bodies.
To the extent necessary to ensure the proper provision of our services, we may also transfer and/or otherwise disclose personal data to third parties involved in the processing activities – partners and external service providers (e.g., software, IT infrastructure maintenance, cloud service providers, web hosting and web support, server rental and maintenance, electronic communications, accounting, archiving, etc.). To all of these service providers we provide only as much data as is necessary to perform the particular service.
We may transfer your personal data outside the EEA, but only on the basis of appropriate safeguards and compliance measures that ensure an adequate level of protection for personal data transferred outside the EEA. That is, we may transfer your personal data on the basis of an adequacy decision by the European Commission, the European Commission’s approved Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or other possible safeguards and derogations where allowed by the applicable laws. Please reach out to us via [email protected] for detailed information about transfers of your personal data outside of the EEA.
5. HOW DO WE PROTECT YOUR PERSONAL DATA?
When processing and storing your personal data, we implement organisational and technical measures to ensure that personal data is protected against accidental or unlawful destruction (e.g., backups on a regular schedule), alteration, disclosure, and any other unlawful processing. Technical and organisational measures implemented by 1stopVAT are described in Annex A of this Privacy Notice.
6. YOUR RIGHTS
Under the GDPR you have the following rights:
- Know (be informed) about the processing of your personal data (Articles 12-14 of the GDPR);
- Access your personal data that is being processed (Article 15 of the GDPR);
- Request the correction of inaccurate personal data relating to you (Article 16 of the GDPR);
- Request the deletion of personal data relating to you (“the right to be forgotten”) (Article 17 of the GDPR). Please note! You have the right to be forgotten only if it can be justified by one of the following reasons: (i) personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) you do not consent to the processing under Article 21 (1) of the GDPR and there are no overriding legitimate reasons for processing.
- Restrict data processing (Article 18 of the GDPR). Please note! You have the right to restrict the processing of your data only if: (i) personal data is inaccurate; (ii) the processing of personal data is unlawful, but you do not consent to the erasure of the data; (iii) we no longer need your personal data to fulfil our purpose, but it is necessary for you to assert, enforce or defend legal requirements; (iv) you object to the processing under Article 21 (1) of the GDPR unless the legitimate reasons of 1stopVAT override your own.
- Transfer your personal data when the processing is based on consent or contract and the data is processed by automated means (Article 20 of the GDPR);
- Object to the processing of personal data for reasons specific to your case where the processing is in the legitimate interests of 1stopVAT or of a third party, unless we prove that the processing is for compelling legitimate reasons overriding your interests, rights and freedoms, or for the purpose of asserting, enforcing or defending legal requirements (Article 21 of the GDPR).
If you believe that 1stopVAT is unlawfully processing your personal data or is not implementing your rights, you have the right to file a complaint with the competent Data Protection Authority or to make a claim against 1stopVAT with a competent court (either in the country where you live, the country where you work or the country where you deem that data protection law has been infringed).
Contact details of the State Data Protection Inspectorate, the supervisory data protection authority in Lithuania: L. Sapiegos street 17, 10312 Vilnius, (8 5) 271 2804, 279 1445, [email protected]. You can find the contact details of other competent authorities within the EU here.
You can exercise rights over your data by reaching out to: [email protected].
7. OUR DATA PROTECTION OBLIGATIONS
For the processing of personal data collected using Amazon Services API, 1stopVAT:
- Ensures that personal data collected using Amazon Services API is processed in accordance with the GDPR and other applicable statutory regulations, governing processing of personal data;
- Ensures that personal data collected using Amazon Services API is processed in accordance with the applicable regulations and policies of Amazon (including but not limited to Amazon Acceptable Use Policy);
- Ensures that personal data collected using Amazon Services API is processed only to the extent necessary for the provision of Services and only for as long as it is strictly necessary for the performance of Services;
- Undertakes to keep the personal data received using Amazon Services API strictly confidential and not to use or publish the data for any purpose other than the performance of Services. 1stopVAT shall also ensure that the persons authorized to process personal data who have access to personal data obtained during the performance of Services have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All 1stopVAT employees involved in the processing of personal data are trained on how to process personal data in compliance with the applicable data protection requirements and legal obligations;
- Informs Amazon via [email protected] within 30 days of any organizational changes or events that change 1stopVAT’s need for or use of information (including personal data) collected using Amazon Services API;
- Shall not request access to or retrieve information (including personal data) using Amazon Services API that is not necessary for the functionality of 1stopVAT’s applications.
If you have any questions about this Privacy Notice or about your personal data processing, please contact us by email: [email protected].
ANNEX A. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The following sections define 1stopVAT’s current technical and organizational security measures. 1stopVAT may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the level of security protecting personal data.
1. Network Security and Sensitive Information
1.1. 1stopVAT ensures that no database, web server or application server containing sensitive information (personal data, financial records and confidential business information) is located within the 1stopVAT network itself.
2. Zero-Trust Network
2.1. The 1stopVAT office network is maintained as a “zero-trust” network, meaning that Clients have internet access only and should not assume any inherent trust within the network.
2.2. 1stopVAT takes measures to adequately protect the office network from unauthorized use and intrusion attempts in order to maintain its integrity.
3. Guest Access
3.1. Guest access to the 1stopVAT network is password-protected and is kept separate and isolated from the “native” network. Clients accessing the network as guests are subject to specific access limitations.
4. Limited Access to Sensitive Information
4.1. Clients who are part of the “native” network do not automatically gain access to sensitive information solely on the basis of their connection to the network.
5. Access Authorization
5.1. While the 1stopVAT office network is protected from intrusion and employs threat monitoring measures, it is considered a public network.
5.2. Access to 1stopVAT information systems, including sensitive information, requires additional authorization each time such information is accessed. Clients must adhere to 1stopVAT access control policies and procedures.
6. General Terms and Responsibilities
6.1. Clients are contractually obligated to comply with all applicable laws and regulations while accessing the 1stopVAT network and information systems.
6.2. Clients are contractually responsible for maintaining the confidentiality of their login credentials, passwords and any other authentication information used to access the 1stopVAT network.
6.3. Clients are contractually prohibited from engaging in any activities that may disrupt, damage or compromise the integrity of the 1stopVAT network, information systems or the data contained therein.
6.4. 1stopVAT contractually reserves the right to monitor network traffic, access and usage for security and compliance purposes. Clients contractually consent to such monitoring.
7. Password Management Policy
7.1. Minimum Password Age and Inactivity Lock
Passwords for employees’ computers must have a minimum age of 1 day. This means users cannot change their password again until at least one day has passed since their last password change. This prevents frequent password changes and encourages stronger, long-term password choices. Computers automatically lock after 5 minutes of inactivity. This ensures that unauthorized individuals cannot access an unattended computer, adding an extra layer of security.
7.2. Password Generation, Minimum Password Requirements, Monitoring for Old and Duplicate Passwords (NordPass)
All Windows passwords are generated using the NordPass program. NordPass offers a secure password generator that can create strong and complex passwords, helping to mitigate the risk of password-related security breaches. Passwords must adhere to NordPass’s minimum password requirements, as outlined on their website. These requirements typically include a combination of upper- and lower-case letters, numbers and special characters. NordPass is configured to monitor and alert users when they have old or duplicate passwords. This encourages users to update their passwords regularly and avoid using the same password for multiple accounts, enhancing security.
7.3. Regular Password Changes and Account Lockout Policies
Users are required to change their passwords periodically (e.g., every 90 days). Frequent password changes reduce the risk of compromised passwords over time.
1stopVAT uses multi-factor authentication (MFA) for accessing sensitive systems and data. MFA adds an additional layer of security by requiring users to provide two or more forms of verification before access is granted. 1stopVAT has account lockout policies that temporarily lock user accounts after a certain number of failed login attempts. This helps prevent brute force attacks.
7.4. User Education, Security Auditing and Compliance
1stopVAT regularly educates employees about security best practices, including password hygiene and the importance of data protection; regularly audits internal systems for compliance with these security rules, ensuring that employees are following the established security policies; and makes the necessary adjustments based on audit findings.
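A compliance audit like the one described in 7.4 can be scripted against the settings stated in 7.1 and 7.3. The following PowerShell script is an added example, not 1stopVAT’s own tooling: it reads the local account policy with `net accounts`, reads the inactivity-lock settings from the registry, and compares both with the values in this Annex. The 1-day minimum age, 90-day change period and 5-minute lock come from the text; the lockout threshold of 5 attempts is an assumption, since the Annex only says “a certain number of failed login attempts”.

```powershell
# Added example (not 1stopVAT's own tooling): audit a Windows workstation against the
# password and inactivity-lock settings described in section 7 of this Annex.
# Run in an elevated PowerShell session on the workstation being checked.

$Expected = @{
    MinPasswordAgeDays    = 1    # 7.1, from Annex: minimum password age of 1 day
    MaxPasswordAgeDays    = 90   # 7.3, from Annex: periodic change, e.g. every 90 days
    LockoutThresholdMax   = 5    # 7.3, ASSUMED: lock after at most 5 failed attempts
    InactivityLockSeconds = 300  # 7.1, from Annex: lock after 5 minutes of inactivity
}

function Get-LocalAccountPolicy {
    # 'net accounts' prints the local policy as "Label:   value" lines; turn them into a hashtable.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') {
            $policy[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $policy
}

function ConvertTo-PolicyNumber {
    # 'net accounts' reports disabled settings as "Never" or "Unlimited"; map those to $null.
    param([string]$Value)
    if ($Value -match '^\d+$') { return [int]$Value }
    return $null
}

function Get-InactivityLimitSeconds {
    # Two places can enforce the lock: the machine-wide policy
    # "Interactive logon: Machine inactivity limit" (InactivityTimeoutSecs) and the
    # per-user secure screen saver timeout. Return the smaller effective value, or $null.
    $limits = @()
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($policy -and $policy.InactivityTimeoutSecs -gt 0) { $limits += [int]$policy.InactivityTimeoutSecs }
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desktop -and $desktop.ScreenSaveActive -eq '1' -and $desktop.ScreenSaverIsSecure -eq '1' -and $desktop.ScreenSaveTimeOut) {
        $limits += [int]$desktop.ScreenSaveTimeOut
    }
    if ($limits.Count -eq 0) { return $null }
    return ($limits | Measure-Object -Minimum).Minimum
}

function Test-PasswordPolicyCompliance {
    param([hashtable]$Expected)
    $acct       = Get-LocalAccountPolicy
    $minAge     = ConvertTo-PolicyNumber $acct['Minimum password age (days)']
    $maxAge     = ConvertTo-PolicyNumber $acct['Maximum password age (days)']
    $threshold  = ConvertTo-PolicyNumber $acct['Lockout threshold']
    $inactivity = Get-InactivityLimitSeconds

    # One finding per setting: what was checked, what the Annex expects, what the machine has, pass/fail.
    $findings = @(
        [pscustomobject]@{ Check = 'Minimum password age (days)';  Expected = ">= $($Expected.MinPasswordAgeDays)";    Actual = $minAge;     Pass = ($null -ne $minAge     -and $minAge -ge $Expected.MinPasswordAgeDays) }
        [pscustomobject]@{ Check = 'Maximum password age (days)';  Expected = "<= $($Expected.MaxPasswordAgeDays)";    Actual = $maxAge;     Pass = ($null -ne $maxAge     -and $maxAge -le $Expected.MaxPasswordAgeDays) }
        [pscustomobject]@{ Check = 'Lockout threshold (attempts)'; Expected = "1..$($Expected.LockoutThresholdMax)";   Actual = $threshold;  Pass = ($null -ne $threshold  -and $threshold -ge 1 -and $threshold -le $Expected.LockoutThresholdMax) }
        [pscustomobject]@{ Check = 'Inactivity lock (seconds)';    Expected = "<= $($Expected.InactivityLockSeconds)"; Actual = $inactivity; Pass = ($null -ne $inactivity -and $inactivity -le $Expected.InactivityLockSeconds) }
    )
    return $findings
}

$results = Test-PasswordPolicyCompliance -Expected $Expected
$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled audit job flag the workstation for follow-up.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

A “Never” lockout threshold or a missing inactivity limit is reported as a failed check rather than silently treated as zero, because both mean the control is absent. MFA enforcement (7.3) is not checked here: it is configured in the identity provider, not on the workstation.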
8. Baseline Standard Configuration
8.1. The procedure for maintaining a baseline standard configuration of software for information systems used by 1stopVAT employees:
The purpose of this procedure is to standardize systems, enhance security, and ensure compliance with 1stopVAT policies. This procedure applies to all company-owned workstations, including servers, applications, network devices, databases, and web servers. It covers both the baseline set of software and the extended set for specific duties as outlined below.
1. Baseline Set of Workstation Software
The baseline set of workstation software is deployed to all employees’ workstations and consists of the following components:
- Operating System: Windows 10/11 Professional.
- Office Suite: Microsoft Office 2016/2019/2021, including Word, Excel, PowerPoint, and Outlook.
- PDF Reader: Adobe Acrobat Reader.
- Web Browser: Google Chrome (set as default for greater compatibility with Google platforms).
- Media Player: VideoLAN media player.
- Antivirus Software: ESET Endpoint Security.
- Email Integration: Google Workspace Sync for Microsoft Outlook.
- File Sync and Backup: Google Drive for Desktop.
- Instant Messaging: Telegram Desktop messenger.
- Printer Software: Konica Minolta BizHub C250i printer driver.
- Archiving Tool: WinRAR archiver.
2. Extended Set for Specific Duties
In addition to the baseline software, employees may require access to the extended set of software based on their specific job duties. Authorization for installing and using these applications must be obtained from 1stopVAT management. The extended set includes:
- VPN Software: NordVPN and Surfshark VPN software (for secure remote access).
- Password Management: NordPass password management utility.
- PDF Editing: Adobe Acrobat Professional (for PDF editing and creation).
- Screen Capture Tool: Screenpresso screen capture tool for Windows.
3.1. Deployment of Baseline Software
- The System Administrator is responsible for preparing workstations with the baseline software configuration.
- Upon issuing a new computer to an employee, the System Administrator installs the baseline software.
- The employee is not authorized to install any additional software without prior approval from 1stopVAT management.
3.2. Requesting Extended Software
- Employees requiring access to the extended set of software for specific job duties must submit a request to their supervisor.
- The supervisor reviews the request and forwards it to the appropriate department head for approval.
- The department head approves or denies the request based on business needs and security considerations.
- Approved requests are then forwarded to the IT department for software installation.
4. Compliance and Monitoring
- The IT department is responsible for monitoring compliance with this baseline configuration procedure.
- Regular audits may be conducted to ensure that employees are not using unauthorized software.
5. Revision of Baseline Configuration
- The baseline configuration of software may be revised periodically to accommodate updates and changes in software requirements.
- Any changes to the baseline configuration will be documented and communicated to all relevant parties.
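The audit in step 4 (“ensure that employees are not using unauthorized software”) can be automated by comparing what a workstation reports in Add/Remove Programs with the baseline and extended sets listed in steps 1 and 2. The PowerShell script below is an added example, not 1stopVAT’s own tooling. The wildcard name patterns are assumptions about how each vendor registers its product in the Uninstall registry keys, and the `$Ignore` list of Windows runtime entries is likewise an assumption; both should be adjusted to the names seen on real machines.

```powershell
# Added example (not 1stopVAT's own tooling): list installed software on a Windows
# workstation and classify each entry against the baseline/extended sets in section 8.
# Name patterns are ASSUMED; verify them against real Add/Remove Programs entries.

# Wildcard patterns for step 1 (baseline, on every workstation) and step 2 (extended, needs approval).
$Baseline = @(
    'Microsoft Office*',                                   # Office 2016/2019/2021
    'Adobe Acrobat Reader*',
    'Google Chrome',
    'VLC media player',                                    # VideoLAN media player
    'ESET Endpoint Security',
    'Google Workspace Sync for Microsoft Outlook*',
    'Google Drive',                                        # Google Drive for Desktop
    'Telegram Desktop',
    'KONICA MINOLTA*',                                     # bizhub C250i printer driver
    'WinRAR*'
)
$Extended = @(
    'NordVPN*', 'Surfshark*',
    'NordPass*',
    'Adobe Acrobat*',                                      # Acrobat Professional (Reader matched as baseline first)
    'Screenpresso*'
)
# ASSUMED: entries registered by Windows itself or by product runtimes; not reviewed here.
$Ignore = @('Microsoft Visual C++*', 'Microsoft Edge*', 'Windows *', 'Microsoft Update*', 'Microsoft .NET*')

function Get-InstalledSoftware {
    # Add/Remove Programs is populated from these Uninstall keys (64-bit, 32-bit, per-user).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique
}

function Get-SoftwareClass {
    # Classify one product name as Ignored, Baseline, Extended or Unlisted (first match wins).
    param([string]$Name, [string[]]$Baseline, [string[]]$Extended, [string[]]$Ignore)
    foreach ($p in $Ignore)   { if ($Name -like $p) { return 'Ignored' } }
    foreach ($p in $Baseline) { if ($Name -like $p) { return 'Baseline' } }
    foreach ($p in $Extended) { if ($Name -like $p) { return 'Extended' } }
    return 'Unlisted'
}

function Test-BaselineCompliance {
    param([string[]]$Baseline, [string[]]$Extended, [string[]]$Ignore)
    $installed = Get-InstalledSoftware
    $report = foreach ($app in $installed) {
        [pscustomobject]@{
            Name    = $app.DisplayName
            Version = $app.DisplayVersion
            Class   = Get-SoftwareClass -Name $app.DisplayName -Baseline $Baseline -Extended $Extended -Ignore $Ignore
        }
    }
    # Baseline patterns with no installed match: a component from step 1 is absent (step 3.1).
    $missing = $Baseline | Where-Object { $pat = $_; -not ($installed | Where-Object { $_.DisplayName -like $pat }) }
    return [pscustomobject]@{
        Unlisted = @($report | Where-Object Class -eq 'Unlisted')   # needs management approval or removal (3.1, 4)
        Extended = @($report | Where-Object Class -eq 'Extended')   # verify an approved request exists (3.2)
        Missing  = @($missing)
    }
}

$result = Test-BaselineCompliance -Baseline $Baseline -Extended $Extended -Ignore $Ignore
"Unlisted software (not in baseline or extended set):"; $result.Unlisted | Format-Table Name, Version -AutoSize
"Extended-set software present (check approval):";      $result.Extended | Format-Table Name, Version -AutoSize
"Baseline patterns with no match:";                     $result.Missing
```

The classification order matters: `Adobe Acrobat Reader` is tested against the baseline patterns before the broader `Adobe Acrobat*` extended pattern, so Reader is not mistaken for Acrobat Professional. Entries marked `SystemComponent` are skipped because they are hidden from Add/Remove Programs and are not user-installed software; anything that lands in `Unlisted` is what the step 4 audit should review.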