Updates to the Data Protection Policy and Acceptable Use Policy
October 27th, 2025 by Andie
The Data Protection Policy (DPP) and the Acceptable Use Policy (AUP) will be updated on November 11, 2025. These updates may require changes to your existing security controls.
Your continued use of the Selling Partner API after November 11, 2025 constitutes your acceptance of the updated agreement and policies. The following sections list the changes to the DPP and new resources for SP-API solution providers. To review the entirety of the updates, refer to the updated agreement and policies upon publication.
Data Protection Policy (DPP) changes
- Updated the term "Developer" to "Solution Provider".
- Updated network protection requirements to include controls to prevent anti-malware software disablement.
- Updated access management requirements to include account lockout after ten unsuccessful login attempts.
- Updated credential management requirements to include password history retention for the last ten passwords and API key rotations.
- Updated encryption requirements to include Transport Layer Security (TLS) 1.2+ and Key Management System (KMS) implementation.
- Updated incident response requirements to include mandatory designation of a readily available Incident Management Point of Contact (IMPOC) during data leakage and security breach events.
- Added a requirement to delete non-PII data within 18 months, unless longer retention is legally required.
- Updated the minimum log retention requirement to 12 months.
- Updated vulnerability management requirements to include:
  - Critical vulnerability resolution within seven days of discovery.
  - High-risk vulnerability resolution within 30 days of discovery.
  - Geographically dispersed backup requirements.
- Updated audit cooperation requirements to include Amazon's affiliates, agents, representatives, contractors, and subcontractors.
- Added subcontractor requirement that mandates third-party risk assessments for vendors and subcontractors.
- Added definitions for the terms "Amazon Partners", "Service Provider" and "Solution Provider."
Acceptable Use Policy (AUP) change
- Updated the term "Developer" to "Solution Provider".
New Data Protection Policy (DPP) resources for SP-API solution providers
- Use the Amazon Data Protection Policy (DPP) Compliance Self-Check Assessment to evaluate your compliance status and identify potential gaps before formal assessments.
- Sign up for the SP-API Data Protection Policy Updates Webinar, which provides a comprehensive overview of the updates and detailed explanations of new security requirements, data handling procedures, and compliance obligations. The 30-minute session features best practices for compliance and includes an interactive Q&A session.
Which stores are affected?
This change applies to all Amazon regional stores.
For more information
To learn more:
- Refer to the Data Protection Policy (DPP).
- Take the Amazon Data Protection Policy (DPP) Compliance Self-Check Assessment.
- Register for the SP-API Data Protection Policy Updates Webinar.
