Data Protection Policy
Last Updated: March 2026
Color Papers is committed to protecting the confidentiality, integrity, and availability of all data we process — including data obtained through third-party marketplace APIs such as the Amazon Selling Partner API (SP-API). This Data Protection Policy outlines the technical and organizational measures we implement to safeguard data.
1. Scope
This policy applies to all data processed by Color Papers, including:
- Customer personal data and Personally Identifiable Information (PII)
- Marketplace order data, product data, and financial data obtained through APIs
- Amazon SP-API data including buyer information, order details, seller account data, and tax-related data (GST details, tax rates, HSN/SAC codes, tax invoice data)
- Business partner and supplier information
- Internal business data and employee information
2. Data Classification
We classify data into the following categories to apply appropriate protection levels:
- Highly Sensitive: PII (customer names, addresses, phone numbers, emails), payment information, API credentials, authentication tokens
- Sensitive: Order details, pricing data, inventory levels, business financial data, tax invoices, GST/TCS reports, tax remittance records
- Internal: Business communications, operational data, internal reports
- Public: Published website content, marketing materials
3. Encryption Standards
Data in Transit
- All data transmitted over networks is encrypted using TLS 1.2 or higher
- API communications use HTTPS exclusively — no unencrypted HTTP connections are permitted
- Certificate validity is monitored and renewed before expiration
Data at Rest
- All sensitive and highly sensitive data is encrypted at rest using AES-256 encryption
- Database storage uses encrypted volumes
- Backups are encrypted using the same standards as primary storage
- Encryption keys are managed securely and rotated periodically
4. Access Controls
- Role-Based Access Control (RBAC): Access to data is granted based on job function and the principle of least privilege
- Multi-Factor Authentication (MFA): All systems containing sensitive data require MFA for access
- Unique Credentials: Each authorized user has unique login credentials — shared accounts are prohibited
- Access Reviews: User access permissions are reviewed quarterly and revoked immediately upon role change or departure
- PII Access: Access to customer PII (especially Amazon buyer data) is restricted to personnel who require it for order fulfillment or customer service — on a strict need-to-know basis
5. Network Security
- Firewalls are configured to restrict inbound and outbound traffic to authorized services only
- Intrusion detection and prevention systems (IDS/IPS) monitor for suspicious activity
- Network segmentation isolates sensitive data environments from general-purpose systems
- Regular vulnerability scanning and penetration testing are conducted
6. Data Storage & Logging
- PII is never stored in application logs, debug logs, or error logs
- Log files are stored securely with restricted access and retained for 90 days
- Comprehensive audit trails track all access to sensitive data including who accessed what data and when
- API credentials and tokens are stored in secure vaults — never in source code or configuration files
7. Data Retention & Deletion
- Data is retained only as long as necessary for its intended business purpose
- Amazon marketplace order data is retained for a maximum of 24 months
- Tax invoices and tax remittance records are retained for the period required by applicable tax laws (minimum 6 years under Indian GST regulations)
- Customer PII is deleted or anonymized within 30 days of it no longer being needed for order fulfillment
- Upon receiving a deletion request from Amazon, a seller, or a customer, we delete the relevant data within 10 business days
- Deletion is performed securely — data is permanently removed from all active systems and backups within 30 days
8. Incident Response Plan
We maintain a documented incident response procedure for data breaches and security incidents:
- Detection: Automated monitoring systems detect anomalies and potential breaches in real time
- Containment: Immediate steps are taken to contain the breach and prevent further data exposure
- Assessment: The scope, cause, and impact of the breach are assessed within 12 hours
- Notification: Amazon is notified within 24 hours of discovering a breach involving Amazon data. Affected customers and regulatory authorities are notified as required by applicable law
- Remediation: Root cause analysis is conducted and preventive measures are implemented
- Documentation: All incidents are documented with timelines, impact assessment, and remediation steps
9. Employee Training & Awareness
- All employees who handle sensitive data receive data protection training upon onboarding and annually thereafter
- Training covers: data classification, handling PII, security best practices, phishing awareness, and incident reporting
- Employees handling Amazon SP-API data receive additional training on Amazon's Data Protection Policy requirements
- Non-disclosure agreements (NDAs) are in place for all employees and contractors
10. Third-Party Data Processing
- Third-party service providers who access or process data on our behalf are vetted for security compliance
- Data Processing Agreements (DPAs) are in place with all third-party processors
- Third parties are required to maintain security standards equivalent to our own
- We do not share Amazon customer PII with any unauthorized third parties
11. Physical Security
- Office premises and warehouse facilities have controlled access
- Servers and IT infrastructure are hosted in secure data centers with physical access controls, CCTV monitoring, and environmental controls
- Sensitive documents are stored securely and disposed of through secure shredding
12. Compliance & Audits
- We comply with Amazon's Data Protection Policy (DPP) and complete security self-assessments as required
- We comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and Information Technology Act, 2000
- We comply with GDPR requirements where applicable for EU data subjects
- Internal security audits are conducted annually
- This policy is reviewed and updated at least annually or whenever significant changes occur
13. Contact
For questions about our data protection practices or to report a security concern:
Color Papers
Email: privacy@colorpapers.in
General: support@colorpapers.in
Phone: +91 94296 93042
Address: 3rd Floor, Vrindavan Building, Om Saidham Mandir Marg, Survey No. K-3970, Opp. Namaskar Restaurant, Mira Road East, Mira Bhayandar, Thane, Maharashtra 401107, India