Data Protection Policy
Last Updated: March 2026
Color Papers India Private Limited is committed to protecting the confidentiality, integrity, and availability of all data we process — including data obtained through third-party marketplace APIs such as the Amazon Selling Partner API (SP-API). This Data Protection Policy outlines the technical and organizational measures we implement to safeguard data.
1. Scope
This policy applies to all data processed by Color Papers India Private Limited, including:
- Customer personal data and Personally Identifiable Information (PII)
- Marketplace order data, product data, and financial data obtained through APIs
- Amazon SP-API data including buyer information, order details, seller account data, and tax-related data (GST details, tax rates, HSN/SAC codes, tax invoice data)
- Business partner and supplier information
- Internal business data and employee information
2. Data Classification
We classify data into the following categories to apply appropriate protection levels:
- Highly Sensitive: PII (customer names, addresses, phone numbers, emails), payment information, API credentials, authentication tokens
- Sensitive: Order details, pricing data, inventory levels, business financial data, tax invoices, GST/TCS reports, tax remittance records
- Internal: Business communications, operational data, internal reports
- Public: Published website content, marketing materials
3. Encryption Standards
Data in Transit
- All data transmitted over networks is encrypted using TLS 1.2 or higher
- API communications use HTTPS exclusively — no unencrypted HTTP connections are permitted
- Certificate validity is monitored and renewed before expiration
Data at Rest
- All sensitive and highly sensitive data is encrypted at rest using AES-256 encryption
- Database storage uses encrypted volumes
- Backups are encrypted using the same standards as primary storage
- Encryption keys are managed securely and rotated periodically
4. Access Controls
- Role-Based Access Control (RBAC): Access to data is granted based on job function and the principle of least privilege
- Multi-Factor Authentication (MFA): All systems containing sensitive data require MFA for access
- Unique Credentials: Each authorized user has unique login credentials — shared accounts are prohibited
- Access Reviews: User access permissions are reviewed quarterly and revoked immediately upon role change or departure
- PII Access: Access to customer PII (especially Amazon buyer data) is restricted to personnel who require it for order fulfillment or customer service — on a strict need-to-know basis
5. Network Security
- Firewalls are configured to restrict inbound and outbound traffic to authorized services only
- Intrusion detection and prevention systems (IDS/IPS) monitor for suspicious activity
- Network segmentation isolates sensitive data environments from general-purpose systems
- Regular vulnerability scanning and periodic penetration testing are conducted against internet-facing and internal systems
6. Data Storage & Logging
- PII is never stored in application logs, debug logs, or error logs
- Log files are stored securely with restricted access and retained for 90 days
- Comprehensive audit trails track all access to sensitive data including who accessed what data and when
- API credentials and tokens are stored in secure vaults — never in source code or configuration files
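The first bullet above is the control most often broken in practice, because PII enters logs through interpolated message arguments and exception text rather than through deliberate logging. As an added illustration that is not part of this policy or of Color Papers' own systems, the following Python logging filter scrubs email addresses, Indian mobile numbers and Login with Amazon (LWA) tokens from every record before a handler writes it. The `Atza|` / `Atzr|` prefixes are the observed formats of LWA access and refresh tokens; the logger name, placeholders and sample records are constructed for the example.

```python
import io
import logging
import re

# Patterns for the classes this policy marks Highly Sensitive. They are deliberately
# broad: over-redacting a log line is acceptable, leaking an address or token is not.
_PATTERNS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED-EMAIL]"),
    # Indian mobile numbers: optional +91 / 0 prefix, optional separator, not part of a
    # longer digit run (so Amazon order IDs such as 403-1234567-7654321 are left intact)
    (re.compile(r"(?<!\d)(?:\+91[\s-]?|0)?[6-9]\d{4}[\s-]?\d{5}(?!\d)"), "[REDACTED-PHONE]"),
    # LWA access tokens start with "Atza|", refresh tokens with "Atzr|"
    (re.compile(r"Atz[ar]\|[A-Za-z0-9_-]+"), "[REDACTED-TOKEN]"),
    # Any other bearer / x-amz-access-token header value, whatever its format
    (re.compile(r"(bearer\s+|x-amz-access-token[=:]\s*)\S+", re.IGNORECASE), r"\1[REDACTED-TOKEN]"),
]


def redact(text: str) -> str:
    """Return text with every PII/secret match replaced by its placeholder."""
    for pattern, repl in _PATTERNS:
        text = pattern.sub(repl, text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Scrub a LogRecord before any handler formats or writes it.

    Attach this to handlers, not loggers: a filter on a logger only sees records
    logged directly to it, while a handler filter also sees records propagated
    from child loggers, so one handler covers application, debug and error logs.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style arguments first, because the PII usually arrives as an
        # argument rather than in the literal message; then drop the arguments so
        # no handler can re-format the unredacted values.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(stream) -> logging.Logger:
    """Logger whose single handler redacts every record written to `stream`."""
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PIIRedactingFilter())
    logger = logging.getLogger("cpipl.orders")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.addHandler(handler)
    logger.setLevel(logging.DEBUG)
    return logger


# Constructed sample records; no real customer data or credentials.
SAMPLE_RECORDS = [
    ("Order %s confirmed for %s, ship to phone +91 98765 43210",
     ("403-1234567-7654321", "buyer@example.com")),
    ("LWA refresh failed, token=Atzr|IwEBIExampleRefreshToken123", ()),
    ("Upstream call: Authorization: Bearer Atza|IwEBIExampleAccess456 status=401", ()),
]


def demo() -> list[str]:
    """Log the sample records through the redacting handler and return the output lines."""
    buf = io.StringIO()
    log = build_logger(buf)
    for msg, args in SAMPLE_RECORDS:
        log.info(msg, *args)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order ID survives untouched while the buyer's email, phone number and both token forms are replaced, which is the behaviour the 90-day log retention in this section relies on: a retained log that never held PII needs no separate deletion workflow.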
7. Data Retention & Deletion
- Data is retained only as long as necessary for its intended business purpose
- Amazon marketplace order data is retained for a maximum of 24 months
- Tax invoices and tax remittance records are retained for the period required by applicable tax laws (minimum 6 years under Indian GST regulations)
- Customer PII is deleted or anonymized within 30 days of it no longer being needed for order fulfillment
- Upon receiving a deletion request from Amazon, a seller, or a customer, we delete the relevant data within 10 business days
- Deletion is performed securely: data is permanently removed from active systems within the timelines above and purged from all backups within 30 days
8. Incident Response Plan
We maintain a documented incident response procedure for data breaches and security incidents:
- Detection: Automated monitoring systems detect anomalies and potential breaches in real-time
- Containment: Immediate steps are taken to contain the breach and prevent further data exposure
- Assessment: The scope, cause, and impact of the breach are assessed within 12 hours
- Notification: Amazon is notified within 24 hours of discovering a breach involving Amazon data. Affected customers and regulatory authorities are notified as required by applicable law
- Remediation: Root cause analysis is conducted and preventive measures are implemented
- Documentation: All incidents are documented with timelines, impact assessment, and remediation steps
9. Employee Training & Awareness
- All employees who handle sensitive data receive data protection training upon onboarding and annually thereafter
- Training covers: data classification, handling PII, security best practices, phishing awareness, and incident reporting
- Employees handling Amazon SP-API data receive additional training on Amazon's Data Protection Policy requirements
- Non-disclosure agreements (NDAs) are in place for all employees and contractors
10. Third-Party Data Processing
- Third-party service providers who access or process data on our behalf are vetted for security compliance
- Data Processing Agreements (DPAs) are in place with all third-party processors
- Third parties are required to maintain security standards equivalent to our own
- We do not share Amazon customer PII with any unauthorized third parties
11. Physical Security
- Office premises and warehouse facilities have controlled access
- Servers and IT infrastructure are hosted in secure data centers with physical access controls, CCTV monitoring, and environmental controls
- Sensitive documents are stored securely and disposed of through secure shredding
12. Compliance & Audits
- We comply with Amazon's Data Protection Policy (DPP) and complete security self-assessments as required
- We comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and Information Technology Act, 2000
- We comply with GDPR requirements where applicable for EU data subjects
- Internal security audits are conducted annually
- This policy is reviewed and updated at least annually or whenever significant changes occur
13. Contact
For questions about our data protection practices or to report a security concern:
Color Papers India Private Limited
Email: connect@cpipl.ltd
Phone: +91 63911 11662
Address: Ground Floor, 1st, 2nd & 3rd Floor Vrindavan Building, Thane, Maharashtra, India - 401107