Last updated: 29 April 2026
This policy applies to all SLASHMENTAL LTD systems that process client information, including data accessed through the Amazon Selling Partner API. It is aligned with the Amazon Data Protection Policy and Acceptable Use Policy.
Encryption. All client data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. API credentials are stored in a managed Key Management System and never held in plaintext.
Access control. Access to client systems and regulated data is restricted to authorised personnel on a least-privilege basis. All accounts use unique identifiers (no shared logins) and require Multi-Factor Authentication. Access is reviewed quarterly and revoked within 24 hours of role change or termination.
Network protection. Systems sit behind managed firewalls with intrusion detection. Network segmentation isolates regulated data systems from general-purpose systems. Anti-malware tooling is installed on all endpoints, updated at least monthly, and configured to prevent user disablement.
Credential management. Passwords meet a minimum 12-character complexity requirement with mixed case, numbers, and symbols. API keys are rotated at least annually. Encryption keys are rotated at least annually and immediately on suspected compromise. Account lockout is enforced after 10 failed authentication attempts.
Personally identifiable information (PII) is stored only on approved, encrypted systems. PII is never stored on personal devices, removable media, or unsecured cloud storage. We maintain a quarterly inventory of all devices and systems that handle regulated data.
| Data type | Retention |
|---|---|
| Amazon Selling Partner PII | Deleted within 30 days of order delivery |
| Non-PII Amazon data | Maximum 18 months |
| Security logs | Minimum 12 months |
| General client engagement records | Engagement duration plus 7 years |
Deletion uses NIST 800-88 compliant sanitisation. Retention beyond these limits occurs only where required by law.
Incident Management Point of Contact (IMPOC): Serban Murgoci — security@slashmental.com.
The IMPOC is responsible for triage, escalation, communication with affected parties, and post-incident review.
Phase 1 — Preparation. Maintain current inventory of systems holding regulated data; maintain emergency contact list including Amazon (security@amazon.com) and the UK ICO; conduct annual security awareness training and incident response training; review this plan at least every six months and after any material infrastructure change.
Phase 2 — Identification. Triggers include alerts from monitoring systems, anomalous API call patterns, failed authentication clusters, reports from staff or third parties, and dark web monitoring hits. The IMPOC triages incidents within one hour of detection and classifies severity as Critical, High, Medium, or Low. All incidents are logged.
Phase 3 — Containment. Immediate actions vary by incident type:
Phase 4 — Eradication. Remove malware or unauthorised access vectors; patch exploited vulnerabilities; reset credentials and rotate keys for all potentially affected systems; validate via independent vulnerability scan.
Phase 5 — Recovery. Restore systems from verified clean backups; verify integrity of restored data; re-enable access in stages starting with critical functions; monitor for recurrence for a minimum of 30 days post-recovery.
Phase 6 — Lessons learned. Convene a post-incident review within 14 days of resolution; update this plan and supporting controls based on findings; update training where relevant.
Vulnerability scans are conducted at least every 30 days across all systems that process or store Amazon data. Penetration testing is conducted at least annually by qualified third-party specialists. Critical-risk vulnerabilities are remediated within 7 days of discovery; high-risk vulnerabilities within 30 days.
| Activity | Cadence |
|---|---|
| Security log review | Bi-weekly |
| Anti-malware update | Monthly |
| Vulnerability scan | Monthly |
| Personnel and service access review | Quarterly |
| PII-handling device and system inventory | Quarterly |
| Backup and recovery test | Quarterly |
| Amazon API key rotation | Annually |
| Encryption key rotation | Annually |
| Security awareness training | Annually |
| Penetration test | Annually |
| Third-party security assessment | Annually |
| Incident response plan review | Every 6 months |
We conduct an annual risk assessment of vendors and subcontractors with access to regulated data. Vendors must demonstrate equivalent security controls before access is granted.
If you believe you have identified a security vulnerability or concern affecting SLASHMENTAL LTD systems or data, contact security@slashmental.com. We acknowledge reports within 24 hours.