Developer Policy

1. Developers must implement network protection controls (e.g., AWS VPC subnet/Security Groups, network firewalls) to deny access to unauthorized IP addresses, and public access must be restricted to approved users only.
2. Assign a unique ID to each person with computer access to application Information. Developers must not create or use generic, shared, or default login credentials or user accounts. Developers must review the list of people and services with access to Company Information on a regular basis (at least quarterly), and remove accounts that no longer require access.
3. Developers will maintain and enforce "account lockout" by detecting anomalous usage patterns and log-in attempts, and disabling accounts with access to Application Information as needed.
4. Developers should not store or share information through any personal device.
5. Enforce security protocols and encrypt all Information in transit through API services (e.g., when the data traverses a network, or is otherwise sent between hosts). This can be accomplished using HTTP over TLS (HTTPS).
6. All applicable external endpoints used by customers as well as internal communication channels (e.g., data propagation channels among storage layer nodes, connections to external dependencies) and operational tooling.
7. Developers must disable communication channels which do not provide encryption in transit even if unused (e.g., removing the related dead code, configuring dependencies only with encrypted channels, and restricting access credentials to use of encrypted channels).
8. Developers must use data message-level encryption (e.g., using AWS Encryption SDK) where channel encryption. Follow on-time recovery
9. Create and maintain a plan and/or runbook to detect and handle Security Incidents. Such plans must identify the incident response roles and responsibilities, define incident types and an escalation path and procedures to escalate Security Incidents to Managers.
10. Developers must review and verify the plan every two months and after any major infrastructure or system change. Developers must investigate each Security Incident, and document the incident description, remediation actions, and associated corrective process/system controls implemented to prevent future recurrence (if applicable).
11. Any Security Incident must be reported to the Manager (via email to it@virventures.com) within 24 hours of detection. Developers cannot notify any regulatory authority, nor any customer, on behalf of Company. Company reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law.
12. Developers must promptly, permanently, and securely delete (in accordance with industry-standard sanitization processes, e.g., NIST 800-88)
13. Use Marketplace APIs only to perform acceptable Business Operation related activities, and with prior Authorization from Manager.
14. Do not facilitate or promote violation of the Company Services Business Solutions Agreement, directly or indirectly.
15. Do not attempt to deceive by deliberate modification of Marketplace API data.
16. Comply with all applicable laws including data privacy and data protection laws (e.g., GDPR, Cybersecurity Law of the People's Republic of China).
17. Do not offer Applications or services that infringe on the copyrights, patents, or trademarks of others.
18. Do not use, offer, or promote external data services.
19. Identify and mitigate any negative Seller impact before launching new features, especially for business-critical tasks.
20. Implement data integrity and validation checks within your Application for any analytical processing (e.g., AI models for insights, automated decision-making) that has material impact on a Seller's business.

Don'ts:
1. Never share keys or passwords.
2. Never ask for or accept a Seller's Secret Keys for any purpose.
3. Do not request or share Seller Central credentials. If necessary, ask the Manager to grant Seller Central access through a secondary user permission, but do so only if Seller Central is required to provide features or services that benefit the Seller.
4. Do not request access to or retrieve information that is not necessary for your Application's functionality.
5. Only grant access to data on a "need-to-know" basis within your organization and among your Application users, with Reporting Manager permission.

Server & Database:
1. Servers are secured. In case of any attack, we would block the IP and change the password. Contact the server Administration Team for support.
2. The DB is hosted in AWS Cloud. In case of any unauthorized access, we would block the IP from which the access originated.
3. We have encrypted the data and taken the utmost security precautions.
4. Do not calculate or publish insights about the health of Company's business.
5. PII is granted for select tax and merchant-fulfilled shipping purposes, on a must-have basis.

If the audit reveals deficiencies, breaches, and/or failures to comply with our terms, conditions, or policies, the Developer must, at its sole cost and expense, take all actions necessary to remediate those deficiencies within an agreed-upon timeframe.

Contact your immediate IRM / Manager (it@virventures.com) with any concern or related query.

All Rights Reserved. Copyright © 2024. virventures.com