Terms and Conditions

EasyEcom's terms and conditions

These Terms & Conditions is a legal agreement between you, the end user (“You”/“Your”), and Edgewise Technologies Private Limited (“EasyEcom”), the owner of all intellectual property rights in the cloud-based inventory and order management platform on domain www.easyecom.io (“Website”). The Agreement describes the terms on which EasyEcom offers access to the Website and the Services (defined below) to all end users.

This terms and condition takes effect (”The effective date”) when you click an “I Accept” button or check box presented with these terms or, if earlier, when you use the EasyEcom services directly or indirectly. By registering for or using the EasyEcom services, you (on behalf of yourself or the business you represent) agree to be bound by these terms. If you do not agree to this terms and conditions, then you may not use the Services.

If you are entering into this Agreement on behalf of a company or other legal entity, you represent that you have the authority to bind such entity and its affiliates to these terms and conditions as its authorized representative, in which case the terms “you” or “your” will refer to such entity and its affiliates as well as you. If the legal entity that you represent does not agree with these terms and conditions, you must not accept this Agreement, register, and use or access the Services as an authorized representative.

This is a legally binding agreement and is enforceable against You. EasyEcom may modify the terms of the Agreement at any time and shall inform You of the same. You will be deemed to have accepted the revised Agreement if You continue to access the Website after the modifications become effective. If You do not agree to the terms of this Agreement, please do not access or use the Website.

Please review our Privacy Policy, which also governs your visit to Website, to understand our practices. The personal information / data provided to us by you during the course of usage of Website will be treated as strictly confidential and in accordance with the Privacy Notice and applicable laws and regulations. If you object to your information being transferred or used, please do not use the Website.

EasyEcom may use the Information on staging environment by using dynamic data encryption. Any Amazon related PII data will be deleted from staging environment within 3 days. You can request us to setup data deletion for your other PII data belonging to non-Amazon channels. Please contact our customer service desk for placing a data deletion request.

You also grant EasyEcom the right to disclose to its affiliates / partners / third parties Your Account Information to the extent necessary for the purpose of rendering the Services.

The following are the terms and conditions on which EasyEcom agrees to permit You to access and use the Website and the Services.

Privacy Policy

Registration

In order to access and use the Website, You will be required to register Yourself and maintain a EasyEcom account (“Account”) which will require You to furnish to EasyEcom, certain information and details, including Your name, e-mail id, and any other information deemed necessary by EasyEcom (“Account Information”). You agree to keep this information updated at all times.

You shall be responsible for maintaining the confidentiality and security of the password and for all activities that occur in and through Your Account. EasyEcom and its affiliates / partners are not liable for any harm caused by, or related to the theft of, Your ID, Your disclosure of Your Account Information, or Your authorization to allow another person to access and use the Service using Your Account. However, You may be liable to EasyEcom and its affiliates / partners for the losses caused to them due to such unauthorized use.

‍

User Policy

Account Dos and Don’ts: You agree to abide by the following dos and don’ts for registering and maintaining the security of Your Account.

• You will not provide access to or give any part of the Services to any third party.
• You will not reproduce, modify, copy, sell, trade, lease, rent or resell the Services.
• You will not transfer your license to the Services to any other party.
• You will not decompile, disassemble, or reverse engineer the Services.
• You will create the Account on behalf of an entity or firm or in Your individual capacity only if You are a natural person aged 18 years or above and competent to enter into a valid and binding contract.
• You will not provide any false personal information to EasyEcom.
• You shall ensure that the Account Information is complete, accurate and up-to-date at all times.
• You shall not use any other user’s Account Information or log into that user’s Account.
• You will not share Your password or do anything that might jeopardize the security of Your Account.
• On completing the registration process, You shall be entitled to access the Website and avail of the Services.
• Your account, ID, and password may not be transferred or sold to another party.
• You agree to immediately notify EasyEcom of any unauthorized use of Your account or any other breach of security known to You.
• You shall not alter, resell or sublicense the Website or the Services to any third party.
• You shall not circumvent, disable or otherwise interfere with security-related features or any digital rights management mechanisms of the Website.
• You will not use the Website or the Service to (i) build a competitive product or service, (ii) make or have a product with similar ideas, features, functions or graphics of the Website, (iii) make derivative works based on the Website / Services; or (iv) copy any features, functions or graphics of the Website/Services.

User Policy

In order to ensure that EasyEcom is able to provide high quality services, respond to customer needs, and comply with laws, You hereby consent to let EasyEcom’s employees and agents access Your Account and records on a case-to-case basis to investigate complaints or other allegations or suspected abuse. Additionally, You agree to disclose to EasyEcom, and permit EasyEcom to use, Your log-in ID, password and such other account details with respect to Your account(s) with e-commerce websites/Websites, for the limited purpose of resolving technical problems.

You also grant EasyEcom the right to disclose to its affiliates / partners / third parties Your Account Information to the extent necessary for the purpose of rendering the Services.

‍

Scope of Services

Subject to your compliance with these terms and Conditions and payment of applicable fees, EasyEcom hereby grants You a specific, limited, non-exclusive and non-transferrable license to access and use the www.easyecom.io (“Website”)(which is cloud based inventory and order management software) via the internet, as well as through any application interface on your mobile devices, and includes all of EasyEcom’s products, services, materials accessed through the Website and avail of the services provided by the Website with respect to inventory and order management (“Services”). EasyEcom reserves the right to make changes to the functionality or the documentation of the Website and the provision of Services from time to time.

EasyEcom retains all rights in the Website and the Services, and grants You only a right and license to use the Website / application as stated herein. No other license is intended to be granted to You. EasyEcom reserves all rights in its name, trademarks, copyrights and any other intellectual property.

You may use the Website and the Service to store data, print and display data in the Service. No other use of the Website and the Service by You shall be permitted.

You may access the Website and the Services using a single user Account via multiple access points. You may allow Your employees, agents and independent contractors to access the Website via Your Account on Your behalf. However, You agree not to provide any access to Your Account to any third party vendors.

EasyEcom shall perform all necessary server management and maintenance services with respect to the Website at no additional cost to You.

EasyEcom will do our utmost to ensure that availability of the website will be uninterrupted and that transmissions will be error-free. However, due to the nature of the Internet, this cannot be guaranteed. Also, your access to the website may also be occasionally suspended or restricted to allow for repairs, maintenance, or the introduction of new facilities or services at any time without prior notice. We will attempt to limit the frequency and duration of any such suspension or restriction.

User Policy

Use of Services

The Website is a standard off-the-shelf application. We do not provide any customization in the Website.

You agree to use the Services solely for the purpose for which the Services are provided, namely warehousing, and solely to aid Your business. You shall not sublicense or resell the Website or the Services for the use or benefit of any other organization, entity, business or enterprise.

You agree not to submit or upload to the Website, any material that is illegal, misleading, defamatory, indecent or obscene, threatening, infringing of any third party proprietary rights, invasive of personal privacy or otherwise objectionable (collectively, “Objectionable Matter”). EasyEcom reserves the right to adopt and amend rules for the permissible use of the Website and the Services at any time, and You shall be required to comply with such rules. You shall also be required to comply with all applicable laws regarding privacy, data storage etc., or any other policy of EasyEcom, as updated from time to time. EasyEcom reserves the right to terminate this Agreement and Your access to the Website, without notice, if You commit any breach of this clause.

As part of the Services, the Website allows You to upload data / content to it. All user data uploaded or submitted by You to Your Account, shall be Your sole property. You retain all rights in the data uploaded by You to the Website and shall remain liable for the legality, reliability, integrity, accuracy and copyright permissions thereto of such data. EasyEcom will use commercially reasonable security measures to protect the User’s data against unauthorized disclosure or use. However, EasyEcom does not guarantee data security and EasyEcom is not responsible for any data which you submit through the Website.  If Your data is damaged or lost, EasyEcom will use commercially reasonable means to recover such data. You agree that You are entering into this agreement in full knowledge of the same.

EasyEcom is an intermediary as defined under the Information Technology Act, 2000. EasyEcom does not monitor or control any data or content uploaded by You to the Website. You agree not to use or encourage, or permit others to store, upload, modify, update or share any information that:

‍

• belongs to another person and to which you do not have any right;
• is grossly harmful, misleading, harassing, blasphemous defamatory, indecent, obscene, pornographic, paedophilic, libellous, invasive of another’s privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, invasive of personal privacy or otherwise objectionable or any data / content that is contrary to any applicable local, national, and international laws and regulations;
• infringes any patent, trademark, copyright or other proprietary rights;
• violates any law for the time being in force;
• results in impersonation of any person or entity, or falsely states or otherwise misrepresents your affiliation with a person or entity;
• is someone’s identification documents or sensitive financial information;
• contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
• threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation; or
• makes available any data / content in contravention of these Agreement or applicable policies, or any data / content that You do not have a right to access, store, use or make available to third parties under any law or contractual or fiduciary relationship.

User Policy

EasyEcom reserves the right to suspend or terminate Your access to Your Account if You cause any disruption or harm to the EasyEcom infrastructure or to any third parties, or violate the provisions of the Information Technology Act, 2000, any applicable privacy laws or any of the applicable laws. You hereby consent to let EasyEcom’s employees and agents access Your Account and records on a case-to-case basis to investigate complaints or other allegations or suspected abuse.

Pricing

This is a paid version of the Website. The Website works on a prepaid or recharge model where You may choose from the paid or recharge options by going to the billing section of your EasyEcom account.

The Fees shall be exclusive of all applicable taxes. You may choose to pay the Fees by any of the payment options made available by EasyEcom including, credit card, debit card, net banking or cheque. There will be no deduction of TDS in case of use of any of the online methods for payments of Fees. However, if You choose to pay by cheque and deduct TDS on the Fees, You shall be given credit for the amount of TDS deducted. If EasyEcom changes the Fees payable, EasyEcom shall give You advance notice of these changes via a message to the email address associated with Your Account. EasyEcom will bill You through Your chosen payment method, from the date You opt for the paid Services option until termination. All payments are final and non-refundable. You will not be entitled to any cancellation or cooling off period after opting for the paid Services.

All advance paid is non-refundable and initial upgrade amount paid will have validity of 30 days. If customer is unable to go live and start-processing orders in specified period, his account will be disabled and upgrade fees will be adjusted.

User Policy

Indemnification

You shall indemnify and hold harmless, EasyEcom, its affiliates, any third party content / networks / infrastructure providers and their respective directors, officers, personnel, contractors and agents, for and against any and all claims, losses, damages, costs and expenses arising out of, or relating to, Your use of the Website and the Services or Your breach of the Agreement or any other restrictions or guidelines provided by EasyEcom. This indemnification obligation will survive at all times, including, Your use of the Website and the Services.

User Policy

Disclaimer of Warranties

THE WEBSITE AND THE SERVICES ARE PROVIDED ON AN “AS-IS” AND “WITH ALL FAULTS AND RISKS” BASIS, WITHOUT WARRANTIES OF ANY KIND. EASYCOM DOES NOT WARRANT, EXPRESSLY OR BY IMPLICATION, THE ACCURACY OR RELIABILITY OF THE WEBSITE OR THE SERVICES OR ITS SUSTAINABILITY FOR A PARTICULAR PURPOSE OR THE SAFETY/SECURITY OF THE DATA/CONTENT STORED ON THE WEBSITE BY YOU. EASYCOM DISCLAIMS ALL WARRANTIES WHETHER EXPRESS OR IMPLIED, INCLUDING THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THAT USE OF THE WEBSITE OR ANY MATERIAL THEREOF WILL BE UNINTERRUPTED OR ERROR-FREE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, EASYCOM DOES NOT REPRESENT OR WARRANT THAT THE WEBSITE AND THE SERVICES WILL RESULT IN COMPLIANCE, FULFILLMENT OR CONFORMITY WITH THE LAWS, REGULATIONS, REQUIREMENTS OR GUIDELINES OF ANY GOVERNMENT OR GOVERNMENTAL AGENCY.

To the maximum extent permitted by applicable law, EasyEcom provides no warranty on the use of the Website and the Services, and shall not be liable for the same under any laws applicable to intellectual property rights, libel, privacy, publicity, obscenity or other laws. EasyEcom also disclaims all liability with respect to the misuse, loss, modification or unavailability of the Website and the Services.

User Policy

Limitation of Liability

YOU ASSUME THE ENTIRE RISK OF USING THE WEBSITE AND THE SERVICES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EASYCOM BE LIABLE TO YOU FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF DATA OR INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF, OR INABILITY TO USE OR ACCESS THE WEBSITE OR THE SERVICES OR FOR ANY SECURITY BREACH OR ANY VIRUS, BUG, UNAUTHORIZED INTERVENTION, DEFECT, OR TECHNICAL MALFUNCTIONING OF THE WEBSITE, WHETHER OR NOT FORESEEABLE AND WHETHER OR NOT EASYCOM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR BASED ON ANY THEORY OF LIABILITY, INCLUDING BREACH OF CONTRACT OR WARRANTY, NEGLIGENCE OR OTHER TORTIOUS ACTION, OR ANY OTHER CLAIM ARISING OUT OF, OR IN CONNECTION WITH, YOUR USE OF, OR ACCESS TO, THE SOFTWARE OR THE SERVICES. FURTHER, EASYCOM SHALL NOT BE LIABLE TO YOU FOR ANY TEMPORARY DISABLEMENT, PERMANENT DISCONTINUANCE OF THE SERVICES BY EASYCOM, DATA LOSS OR FOR ANY CONSEQUENCES RESULTING FROM SUCH ACTIONS.

EASYCOM’S AGGREGATE LIABILITY, IF ANY, (WHETHER UNDER CONTRACT, TORT INCLUDING NEGLIGENCE, WARRANTY OR OTHERWISE) AND THAT OF ITS AFFILIATES SHALL BE LIMITED TO THE TOTAL AMOUNT OF FEES RECEIVED FROM YOU FOR THE ONE (1) MONTH IMMEDIATELY PRECEDING THE DATE THE CLAIM WAS MADE. DAMAGES, IN THE NATURE, AND TO THE AMOUNT, PROVIDED IN THIS CLAUSE, IS THE ONLY RECOURSE THAT YOU MAY HAVE AGAINST EASYCOM FOR BREACH BY EASYCOM OF ANY OF ITS RIGHTS OR OBLIGATIONS HEREUNDER.

User Policy

Claims against objectionable content

EasyEcom operates on a “notice and takedown” basis. If you believe that any content on the website is illegal, offensive (including but not limited to material that is sexually explicit content or which promotes racism, bigotry, hatred or physical harm), deceptive, misleading, abusive, indecent, harassing, blasphemous, defamatory, libelous, obscene, pornographic, pedophilic or menacing; ethnically objectionable, disparaging; or is otherwise injurious to third parties; or relates to or promotes money laundering or gambling; or is harmful to minors in any way; or impersonates another person; or threatens the unity, integrity, security or sovereignty of India or friendly relations with foreign States; or objectionable or otherwise unlawful in any manner whatsoever; or which consists of or contains software viruses, (” Objectionable Content “), please notify us immediately at care AT easyecom DOT com Subject to our internal policies, EasyEcom will make all reasonable endeavours to remove such Objectionable Content complained about within a reasonable time.

User Policy

Suspension and Termination

The Services will remain in effect until suspended or terminated under this Agreement.

You may terminate Your registration by sending an email to care AT easyecom DOT com, if You no longer wish to use the Website. On termination, You will cease to have access to the Website or any of the Services.

EasyEcom reserves the right to suspend or terminate Your Account or restrict or prohibit You access to the Website immediately (a) if EasyEcom is unable to verify or authenticate Your registration data, email address or other information provided by You, (b) if EasyEcom believes that Your actions may cause legal liability for You or for EasyEcom, or all or some of EasyEcom’s other users, or (c) if EasyEcom believes You have provided false or misleading registration data or other information, have not updated Your Account Information, have interfered with other users or the administration of the Services, or have violated this Agreement or the Privacy Policy. You shall not be entitled to access the Website or avail the Services if Your Account has been temporarily or indefinitely suspended or terminated by EasyEcom for any reason whatsoever. EasyEcom may, at any time, reinstate any suspended Account, without giving any reason for that. If You have been indefinitely suspended You shall not register or attempt to register with EasyEcom or its affiliates / partners or use the Services in any manner whatsoever until such time that You are reinstated by EasyEcom.

Upon termination of this Agreement, Your right to access the Website and use the Services shall immediately cease. Thereafter, You shall have no right, and EasyEcom shall have no obligation thereafter, to execute any of the uncompleted tasks.

Once the Services are terminated or suspended, any data that You may have stored on the Website, may not be retrieved later. EasyEcom shall be under no obligation to return the information or data to you.

User Policy

Governing Law

This Agreement is governed and construed in accordance with the laws of India. The courts in Bangalore alone shall have exclusive jurisdiction to hear disputes arising out of the Agreement without any reference to the conflict of law provisions. You agree that the laws of India, excluding India’s choice of law rules, will apply to these Agreement and to the provision of Services by EasyEcom and Your use of the same. EasyEcom makes no representation that the Website and the Services are appropriate or available for use at other locations outside India. Access to the Website from jurisdictions where the Services are illegal is prohibited. EasyEcom reserves the right to block access to the Website by certain international users. If You access the Website from a location outside India, You are responsible for compliance with all applicable local laws.

User Policy

Force Majeure

EasyEcom shall be under no liability whatsoever in case of occurrence of a Force Majeure event, including in case of non-availability of any portion of the Website and/or Services occasioned by act of God, war, disease, revolution, riot, civil commotion, strike, lockout, flood, fire, failure of any public utility, man-made disaster, infrastructure failure, technology outages, failure of technology integration of partners or any other cause whatsoever, beyond the control of EasyEcom. Further, in case of a force majeure event, EasyEcom shall not be liable for any breach of security or loss of data uploaded by You to the Website.

User Policy

Severability

If any of the provisions of this Agreement are deemed invalid, void, or for any reason unenforceable, that part of the Agreement will be deemed severable and will not affect the validity and enforceability of any remaining provisions of the Agreement.

User Policy

Entire Agreement

The Agreement as amended from time to time, along with the Privacy Policy and other related policies made available from time to time, constitutes the entire agreement and supersedes all prior understandings between the parties relating to the subject matter herein.

If You have questions or concerns about the Agreement, please contact EasyEcom at care AT easyecom DOT com.

API Consumer Terms and Conditions

API Consumer Terms and Conditions

If “You” choose to consume EasyEcom API you agree to following data protection terms and conditions.

1. General Security Requirements

Consistent with industry-leading security, Developers will maintain physical, administrative, and technical safeguards and other security measures (i) to maintain the security and confidentiality of Information accessed, collected, used, stored, or transmitted by a Developer and (ii) to protect that his Information from known or reasonably anticipated threats or hazards to its security and integrity, accidental loss, alteration, disclosure, and all other unlawful forms of processing. Without limitation, the Developer will comply with the following requirements:

1.1 Network Protection

Developers must implement network protection controls, including network firewalls and network access control lists to deny access to unauthorised IP addresses. Developers must implement anti-virus and anti-malware software on end-user devices. Developers must restrict public access only to approved users and carry out data protection and IT security training for everyone with system access.

1.2 Access Management

Developers must establish a formal user access registration process to assign access rights for all user types and services by ensuring that a unique ID is assigned to each person with computer access to Information. Developers must not create or use generic, shared, or default login credentials or user accounts and prevent user accounts from being shared. Developers must implement baselining mechanisms to ensure that at all times only the required user accounts access Information. Developers must restrict employees and contractors from storing Information on personal devices. Developers will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Information. Developers must review the list of people and services with access to Information at least quarterly. Developers must ensure that access is disabled and/or removed within 24 hours for terminated employees.

1.3 Least Privilege Principle

Developers must implement fine-grained access control mechanisms to allow granting rights to any party using the Application and the Application's authorised operators following the principle of least privilege. Access to Information must be granted on a "need-to-know" basis.

1.4 Credential Management

Developers must establish minimum password requirements for personnel and systems with access to Information. Password requirements must be a minimum of twelve (12) characters, not include any part of the user's name, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each. Developers must establish a minimum password age of 1-day and a maximum 365-day password expiration for all users. Developers must ensure that Multi-Factor Authentication (MFA) is required for all user accounts. Developers must ensure that API keys provided by EasyEcom are encrypted and only required employees have access to them.

1.5 Encryption in Transit

Developers must encrypt all Information in transit with secure protocols such as TLS 1.2+, SFTP, and SSH-2. Developers must enforce this security control on all applicable internal and external endpoints. Developers must use data message-level encryption where channel encryption (e.g. using TLS) terminates in untrusted multi-tenant hardware (e.g. untrusted proxies).

1.6 Risk Management and Incident Response Plan

Developers must have a risk assessment and management process that is reviewed by the Developer's senior management annually, which includes, but is not limited to, assessment of potential threats and vulnerabilities as well as likelihood and impact in order to track known risks. Developers must create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans must identify the incident response roles and responsibilities, define incident types that may affect EasyEcom, define incident response procedures for defined incident types, and define an escalation path and procedures to escalate Security Incidents to EasyEcom. Developers must review and verify the plan every six (6) months and after any major infrastructure or system change, including changes to the system, controls, operational environments, risk levels, and supply chain. Developers must notify EasyEcom (via email to 3p-security@EasyEcom.io) within 24 hours of detecting a Security Incident. It is the Developer's sole responsibility to inform relevant government or regulatory agencies as required by applicable local laws. Developers must investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence. Developers must maintain the chain of custody for all evidences or records collected, and such documentation must be made available to EasyEcom upon request (if applicable). If a Security Incident occurred, Developers cannot represent or speak on behalf of EasyEcom to any regulatory authority or customers unless EasyEcom specifically requests in writing that the Developer do so.

1.7 Request for Deletion

Developers must permanently and securely delete Information upon and in accordance with EasyEcom's notice requiring deletion within 30 days of EasyEcom's requests unless the data is necessary to meet legal requirements, including tax or regulatory requirements. Secure deletion must occur in accordance with industry-standard sanitisation processes such as NIST 800-88. Developers must also permanently and securely delete all live (online or network accessible) instances of Information 90 days after EasyEcom's notice. If requested by EasyEcom, the Developer will certify in writing that all Information has been securely destroyed.

1.8 Data attribution

Developers must store Information in a separate database or implement a mechanism to tag and identify the origin of all data in any database that contains Information.

2. Additional Security Requirements Specific to Personally Identifiable Information

The following additional Security Requirements must be met for Personally Identifiable Information ("PII"). PII is granted to Developers for select tax and merchant fulfilled shipping purposes, on a must-have basis. If an EasyEcom Services API contains PII, or PII is combined with non-PII, then the entire data store must comply with the following requirements:

2.1 Data Retention

Developers will retain PII for no longer than 30 days after order delivery and only for the purpose of, and as long as is necessary to (i) fulfil orders, (ii) calculate and remit taxes, (iii) produce tax invoices and other legally required documents, and (iv) meet legal requirements, including tax or regulatory requirements. Developers may retain data for over 30 days after order delivery only if required by law and only for the purposes of complying with that law. Per sections 1.5 ("Encryption in Transit") and 2.4 (" Encryption at Rest") at no point should PII be transmitted or stored unprotected.

2.2 Data Governance

Developers must create, document, and abide by a privacy and data handling and classification of policy for their Applications or services, which govern the appropriate conduct and technical controls to be applied in managing and protecting information assets. A record of data processing activities such as specific data fields and how they are collected, processed, stored, used, shared, and disposed for all PII should be maintained to establish accountability and compliance with regulations. Developers must establish a process to detect and comply with privacy and security laws and regulatory requirements applicable to their business and retain documented evidence of their compliance. Developers must establish and abide by their privacy policy for customer consent and data rights to access, rectify, erase, or stop sharing/processing their Information where applicable or required by data privacy regulation. Developer must have technical and organisational processes and systems in place for assisting Authorised Users with data subject access requests. Developers must include contractual provisions in employment contracts with employees that process PII to maintain confidentiality of PII.

2.3 Asset Management

Developers must maintain baseline standard configuration for the information system and keep inventory of software and physical assets (e.g. computers, mobile devices) with access to PII, and update quarterly. Physical assets that store, process, or otherwise handle PII must abide by all of the requirements set forth in this policy. Developers must not store PII in removable media, personal devices, or unsecured public cloud applications (e.g. public links made available through Google Drive) unless it is encrypted using at least AES-128 or RSA-2048 bit keys or higher. Developers must securely dispose of any printed documents containing PII. Developer must implement data loss prevention (DLP) controls in place to monitor and detect unauthorised movement of data.

2.4 Encryption at Rest

Developers must encrypt all PII at rest using at least AES-128 or RSA with 2048-bit key size or higher. The cryptographic materials (e.g. encryption/decryption keys) and cryptographic capabilities (e.g. daemons implementing virtual Trusted Platform Modules and providing encryption/decryption APIs) used for encryption of PII at rest must be only accessible to the Developer's processes and services.

2.5 Secure Coding Practices

Developers must not hardcode sensitive credentials in their code, including encryption keys, secret access keys, or passwords. Sensitive credentials must not be exposed in public code repositories. Developers must maintain separate test and production environments.

2.6 Logging and Monitoring

Developers must gather logs to detect security-related events to their Applications and systems including success or failure of the event, date and time, access attempts, data changes, and system errors. Developers must implement this logging mechanism on all channels (e.g. service APIs, storage-layer APIs, administrative dashboards) providing access to Information. Developers must review logs in real-time (e.g. SIEM tool) or on a bi-weekly basis. All logs must have access controls to prevent any unauthorised access and tampering throughout their life cycle. Logs must not contain PII unless the PII is necessary to meet legal requirements, including tax or regulatory requirements. Unless otherwise required by applicable law, logs must be retained for at least 90 days for reference in the case of a Security Incident. Developers must build mechanisms to monitor the logs and all system activities to trigger investigative alarms on suspicious actions (e.g. multiple unauthorised calls, unexpected request rate and data retrieval volume, and access to canary data records). Developers must implement monitoring alarms and processes to detect if Information is extracted from or can be found beyond its protected boundaries. Developers should perform investigation when monitoring alarms are triggered, and this should be documented in the Developer's Incident Response Plan.

2.7 Vulnerability Management

Developers must create and maintain a plan and/or runbook to detect and remediate vulnerabilities. Developers must protect physical hardware containing PII from technical vulnerabilities by performing vulnerability scans and remediating appropriately. Developers must conduct vulnerability scanning at least every 180 days, penetration test at least every 365 days, and scan code for vulnerabilities prior to each release. Furthermore, Developers must control changes to the storage hardware by testing, verifying changes, approving changes, and restricting access to who may perform those actions. Developers must have appropriate procedures and plans to restore availability and access to PII in a timely manner in the event of a physical or technical incident.

3. Audit and Assessment

Developers must maintain all appropriate books and records reasonably required to verify compliance with the Data Protection Policy, during the period of this agreement and for 12 months thereafter. Upon EasyEcom's written request, Developers must certify in writing to EasyEcom that they are in compliance with these policies.

Upon request, EasyEcom may, or may have an independent certified public accounting firm selected by EasyEcom, audit, assess and inspect the books, records, facilities, operations, and security of all systems that are involved with a Developer's Application in the retrieval, storage, or processing of Information. EasyEcom will keep confidential any nonpublic information disclosed by a Developer as part of this audit, assessment, or inspection that is designated as confidential or that, given the nature of the Information or the circumstances surrounding its disclosure, reasonably should be considered confidential. Developers must cooperate with EasyEcom or EasyEcom's auditor in connection with the audit or assessment, which may occur at the Developer's facilities and/or subcontractor facilities. If the audit or assessment reveals deficiencies, breaches, and/or failures to comply with our terms, conditions, or policies, the Developer must, at its sole cost and expense, and take all actions necessary to remediate those deficiencies within an agreed-upon time frame. Upon request, Developer must provide remediation evidence in the form requested by EasyEcom (which may include policy, documents, screenshots, or screen sharing of application or infrastructure changes) and obtain written approval on submitted evidence from EasyEcom before audit closure.