Security and Data Handling

1. Scope This page describes how TaxRouter handles Amazon seller data and related customer information for the public TaxRouter application and website. It is intended to summarize TaxRouter's security and data-handling baseline for customers, reviewers, and marketplace partners. 2. Why TaxRouter may require restricted Amazon roles TaxRouter is built to synchronize Amazon source data and generate DATEV-oriented accounting exports for authorized sellers, finance teams, and tax advisors. In some workflows, TaxRouter may need access to restricted Amazon data elements that are necessary to reconcile settlement lines with underlying transactions, validate VAT treatment, populate export references, and investigate support cases for the seller that authorized the connection. TaxRouter requests restricted access only for the seller workspaces that explicitly authorize it and does not use restricted Amazon data for advertising, resale, enrichment, or cross-customer profiling. 3. Data governance TaxRouter processes Amazon information only to provide the contracted service. This includes collecting and receiving seller-authorized Amazon source data, processing it to normalize imports and generate exports, storing it for the minimum operational period required by the service and applicable law, sharing it only with authorized users and subprocessors that operate the service, and deleting or returning data when the customer relationship ends or retention obligations expire. As a rule, the customer remains the controller for customer workspace content and TaxRouter acts as the processor for that data. 4. Categories of Amazon and related data The service may process seller-authorized Amazon report data, settlement data, VAT transaction data, order-linked accounting references, restricted fields required for reconciliation or VAT evidence, organization and workspace configuration data, user account data, and technical security logs. TaxRouter limits internal access to personnel and systems that require the data to operate, secure, support, or troubleshoot the service. 5. Encryption and storage at rest TaxRouter stores production data only in managed systems used to run the service. Data in transit is protected with HTTPS and TLS. Amazon information stored at rest is protected through provider-managed encryption controls and application-level access restrictions. Secrets and tokens are restricted to the services and staff roles that need them for the approved workflow. Exact infrastructure vendor and key-management details are maintained in internal security documentation and can be provided to Amazon as part of the review process where appropriate. 6. Data retention, backups, and recovery TaxRouter applies data-minimization and retention controls to Amazon information and works to keep restricted data only as long as needed for the authorized accounting workflow, customer support, legal obligations, and security operations. Encrypted backups are maintained separately from the primary production runtime so service data can be restored after an incident. Restore procedures are documented for operational recovery. The exact backup region, Recovery Time Objective, and Recovery Point Objective depend on the active infrastructure configuration and are maintained in internal operations documentation used during recovery and customer support. 7. Logging and monitoring TaxRouter maintains operational and security logging for authentication activity, access control changes, integration activity, processing events, application errors, and suspicious behavior indicators where available. Logs are used to investigate incidents, support troubleshooting, and improve service integrity. Access to logs is limited to authorized personnel with a legitimate operational or security need. 8. Incident response and risk management TaxRouter follows an incident response process that covers preparation, identification, containment, eradication, recovery, and post-incident review. Security events are escalated internally, investigated, documented, and tracked through remediation. Where required by law, contract, or Amazon policy, TaxRouter notifies affected parties and Amazon within the applicable timeline. Risk management includes periodic review of access paths, infrastructure changes, third-party dependencies, and operational safeguards. 9. Credential management Systems that handle Amazon information must use unique credentials, least-privilege access, controlled onboarding and offboarding, and multi-factor authentication where supported or required. The TaxRouter application itself requires two-factor authentication for signed-in users before they can use protected workspaces. Administrative access is restricted and reviewed as part of normal operations. 10. Vulnerability management TaxRouter tracks security findings from dependency alerts, code review, operational monitoring, infrastructure review, and any formal testing that is performed. Findings are prioritized by severity, assigned to an owner, and tracked until remediation, mitigation, or documented risk acceptance. High-severity issues are handled on an accelerated timeline, and remediation status is reviewed until closure. 11. Public contact for security and privacy questions Questions about privacy, security, incident reporting, or Amazon marketplace review can be sent to info@taxrouter.com.