Updates to the Data Protection Policy and Acceptable Use Policy

Effective November 25, 2025, we are updating the Data Protection Policy (DPP) and the Acceptable Use Policy (AUP). These updates may require changes to your existing security controls.

Your continued use of Amazon Services API after November 25, 2025 constitutes your acceptance of the updated agreement and policies. The following sections list the changes to the DPP and new resources for SP-API solution providers. To review the entirety of the updates, refer to the updated agreement and policies upon publication.

Data Protection Policy (DPP) changes

  • Updated the term "Developer" to "Solution Provider" throughout the Data Protection Policy and Acceptable Use Policy, and added the definitions "Amazon Partners", "Service Provider" and "Solution Provider."
  • Updated network protection requirements to include controls to prevent anti-virus/malware software disablement.
  • Updated access management requirements to include account lockout after ten unsuccessful login attempts.
  • Updated credential management requirements to include password history retention for the last ten passwords and API key rotations.
  • Updated encryption requirements to include Transport Layer Security (TLS) 1.2+ and Key Management System (KMS) implementation.
  • Updated incident response requirements to include mandatory designation of a readily available Incident Management Point of Contact (IMPOC) during data leakage and security breach events.
  • Added that non-PII data must not be stored for longer than 18 months, unless longer retention is legally required.
  • Updated the minimum log retention requirement to 12 months.
  • Updated vulnerability management requirements to include:
    • Critical vulnerability resolution within seven days of discovery.
    • High-risk vulnerability resolution within 30 days of discovery.
    • Geographically dispersed backup requirements.
  • Updated audit cooperation requirements to include Amazon's affiliates, agents, representatives, contractors, and subcontractors.
  • Added subcontractor requirement that mandates third-party risk assessments for vendors and subcontractors.
  • Added definitions for the terms "Amazon Partners", "Service Provider" and "Solution Provider."

Acceptable Use Policy (AUP) change

  • Updated the term "Developer" to "Solution Provider".

Which stores are affected?

This change applies to all stores.

For more information

To learn more, refer to the Data Protection Policy (DPP).