Customer Security Requirements

1. Purpose

This document establishes the security requirements for customers ("Customer") using the ShipStream Data Border service ("Service"). These requirements are designed to protect Amazon marketplace data, including personally identifiable information (PII) contained in shipping labels, while enabling efficient order fulfillment operations.

ShipStream Data Border acts as a secure gateway between Amazon's Selling Partner API (SP-API) and Customer's printing infrastructure. While ShipStream maintains strict security controls on our systems, Customers must also implement reasonable safeguards on their end to ensure end-to-end data protection.

2. Scope

These requirements apply to:

All customers using the ShipStream Data Border service
All Print Stations (computers/devices running Device Hub)
All personnel with access to Device Hub or shipping labels
All networks over which label data is transmitted

3. Customer Risk Tiers

Customers are classified into tiers based on usage volume and operational complexity. Higher tiers require additional security measures proportional to their increased data exposure.

3.1 Tier Definitions

Tier	Criteria	Assessment
Standard	All customers	At onboarding
Enhanced	>10,000 labels/month OR >5 Print Stations	Automatic based on usage
Enterprise	>100,000 labels/month OR fulfills for multiple merchants	Automatic based on usage

3.2 Tier Requirements Summary

Requirement	Standard	Enhanced	Enterprise
Security Attestation	Required	Required	Required
Device Hub Installation	Required	Required	Required
Endpoint Security	Required	Required	Required
Network Security	Required	Required	Required
Annual Attestation Renewal	Required	Required	Required
Designated Security Contact	-	Required	Required
Annual Security Questionnaire	-	Required	Required
SOC 2 / ISO 27001 Evidence	-	-	Required*

*Enterprise customers without SOC 2 or ISO 27001 certification must complete a detailed security questionnaire.

4. Security Requirements - All Tiers

The following requirements apply to ALL customers regardless of tier.

4.1 Endpoint Security

All Print Stations must meet the following requirements:

4.1.1 Operating System

Run a supported operating system (Windows 10 or later)
Operating system must receive security updates regularly
Automatic updates should be enabled where practical

4.1.2 Endpoint Protection

Antivirus or endpoint protection software must be installed and active
Windows Defender (included with Windows 10/11) satisfies this requirement
Virus definitions must be updated automatically
Real-time protection must be enabled

4.1.3 Authentication

Print Stations must require authentication to access (password, PIN, or biometric)
Passwords must meet minimum complexity requirements:
- At least 8 characters
- Not easily guessable (no "password", "123456", company name, etc.)
Auto-lock must be configured to activate after 15 minutes of inactivity or less

4.1.4 Software

Only install software from trusted sources
Keep Device Hub updated to the latest version
Remove unnecessary software that could pose security risks

4.2 Network Security

4.2.1 Encryption

All network connections must use encryption
WiFi networks must use WPA2 or WPA3 encryption
Open (unencrypted) WiFi networks are prohibited for Print Stations
Wired Ethernet connections are acceptable

4.2.2 Network Segmentation (Recommended)

Where practical, Print Stations should be on a dedicated network segment or VLAN
Print Stations must not be directly accessible from the internet

4.3 Physical Security

Physical access to Print Stations should be limited to authorized personnel
Print Stations should be located in areas with reasonable physical security
Printed labels should be handled securely and not left unattended in public areas

4.4 Acceptable Use

Customers must adhere to the following acceptable use requirements:

4.4.1 Permitted Use

Use shipping labels solely for fulfilling orders Customer is authorized to fulfill
Print labels using physical label printers

4.4.2 Prohibited Activities

Customers shall NOT:

Capture or intercept label data from the print spool, Device Hub, or network traffic
Copy or retain label data beyond the immediate printing process
Store labels electronically (no saving to disk, database, or cloud storage)
Install print-to-file drivers such as PDF printers, XPS writers, or "print to file" options for label printing
Share credentials for Device Hub with unauthorized persons
Disable security features on Print Stations (antivirus, firewall, auto-lock)
Use labels for any purpose other than shipping the associated order

4.4.3 Credential Management

Device Hub credentials must be treated as confidential
Credentials should only be known to personnel who require access
Credentials must be changed if personnel with access leave the organization or change roles
Do not share credentials via insecure channels (email, chat, sticky notes)

4.5 Personnel

Only personnel with a legitimate business need should have access to Print Stations
Personnel should be informed of their obligation to protect shipping label data
Access should be revoked promptly when personnel leave or no longer require access

5. Additional Requirements - Enhanced Tier

Customers meeting Enhanced tier criteria must also comply with the following:

5.1 Designated Security Contact

Customer must designate a security contact responsible for:
- Receiving security notifications from ShipStream
- Responding to security inquiries
- Coordinating incident response
Contact information must be kept current in Customer's account

5.2 Annual Security Questionnaire

Customer must complete the Annual Security Questionnaire upon reaching Enhanced tier and annually thereafter
Questionnaire must be completed within thirty (30) days of request
Material changes to Customer's security posture should be reported promptly

5.3 Print Driver Restrictions

Customer must confirm that no print-to-file, PDF, or virtual printer drivers are configured as destinations for label printing
Label printers should be configured to print directly to physical label stock

6. Additional Requirements - Enterprise Tier

Customers meeting Enterprise tier criteria must also comply with the following:

6.1 Security Certification Evidence

Enterprise customers should provide evidence of one of the following:

SOC 2 Type II report (within the past 12 months)
ISO 27001 certification (current)
Equivalent third-party security assessment

6.2 Alternative: Detailed Security Questionnaire

Enterprise customers without applicable security certifications must complete a detailed security questionnaire covering:

Information security policies and governance
Access control procedures
Network security architecture
Incident response capabilities
Employee security training
Physical security controls
Vendor management

6.3 Security Incident History

Enterprise customers must disclose any security incidents involving PII in the past 12 months, including:

Nature of the incident
Data affected
Remediation measures taken

7. Technical Controls Enforced by ShipStream

ShipStream implements the following technical controls to protect data regardless of Customer's security posture:

Control	Description
TLS 1.2+ Encryption	All communications between Device Hub and ShipStream servers are encrypted using TLS 1.2 or higher
No Local Caching	Device Hub does not cache or persist labels to disk; labels exist only in memory during transmission to the printer
Heartbeat Monitoring	Device Hub maintains a heartbeat connection; ShipStream monitors for unexpected disconnections
Audit Logging	All label requests are logged with timestamps, Customer ID, and relevant metadata
Client Version Enforcement	Device Hub displays warnings when running outdated versions; future versions may enforce minimum version requirements
Signed Installers	Device Hub installers are digitally signed to prevent tampering
Hard-coded Executable Paths	Device Hub uses hard-coded paths for external executables to prevent injection attacks
Remote Updates	Security updates can be pushed to Device Hub clients remotely

8. Onboarding Process

8.1 New Customer Onboarding

Account Registration — Customer creates an account, selects a plan (Single App or SaaS Provider), and creates a team
Terms of Service — Customer accepts the Terms of Service
Security Attestation — Customer completes the Security Attestation questionnaire (may be deferred, but shipping labels remain redacted until completed)
Payment Setup — Customer subscribes to their selected plan via checkout
Device Hub Installation — Customer installs Device Hub on Print Stations
Configuration — Customer configures printers and tests label printing
Go Live — Customer begins production use

Steps 3 (Security Attestation) and 4 (Payment Setup) may be completed in any order and can be deferred during onboarding. However, Device Hub provisioning requires an active subscription, and unredacted shipping labels require a completed Security Attestation.

8.2 Tier Upgrades

Customers are automatically assessed for tier upgrades based on usage
When a Customer reaches Enhanced or Enterprise tier thresholds, they will be notified
Customer must complete additional tier requirements within thirty (30) days
Failure to complete requirements may result in service limitations

9. Ongoing Compliance

9.1 Annual Attestation Renewal

All customers must renew their Security Attestation annually
ShipStream will notify customers thirty (30) days before attestation expires
Failure to renew may result in service suspension

9.2 Annual Security Questionnaire (Enhanced/Enterprise)

Enhanced and Enterprise customers must complete the Annual Security Questionnaire
Questionnaire is due within thirty (30) days of the annual anniversary
ShipStream may request updated questionnaires if material changes occur

9.3 Continuous Monitoring

ShipStream monitors for:

Unusual usage patterns (volume spikes, unusual hours)
Failed authentication attempts
Device Hub connectivity issues
Outdated Device Hub versions

Anomalies may trigger security reviews or temporary access restrictions.

10. Incident Response

10.1 Customer Notification Obligation

Customer must notify ShipStream within twenty-four (24) hours of discovering or suspecting:

Unauthorized access to any system containing or processing label data
Malware infection on any Print Station
Compromise of Device Hub credentials
Any security incident that may have exposed Amazon data
Loss or theft of any Print Station

10.2 How to Report

Report security incidents to: security@shipstream.io

Include the following information:

Date and time the incident was discovered
Nature of the incident
Systems affected
Data potentially exposed
Actions taken so far
Contact information for follow-up

10.3 ShipStream Response

Upon receiving an incident report, ShipStream may:

Temporarily suspend Customer's access to protect Amazon data
Request additional information or evidence
Coordinate with Customer on remediation
Report to Amazon if required by Amazon's Data Protection Policy

10.4 Post-Incident

After an incident is resolved:

Customer must implement remediation measures to prevent recurrence
Customer may be required to re-attest to Security Requirements
ShipStream will document the incident and resolution

11. Right to Audit

11.1 Audit Rights

ShipStream reserves the right to:

Request evidence of Customer's compliance with these Security Requirements
Request completion of security questionnaires
Conduct remote security assessments (with Customer cooperation)

11.2 Audit Limitations

Audits will be conducted no more than once per twelve (12) month period under normal circumstances
ShipStream will provide at least seven (7) days notice before requesting audit evidence
More frequent audits may be conducted following a security incident

11.3 Customer Response

Customer must respond to audit requests within thirty (30) days
Customer must provide truthful and complete information
Failure to respond may result in service suspension

12. Non-Compliance

12.1 Remediation Period

If ShipStream identifies non-compliance with these Security Requirements:

Customer will be notified in writing of the specific non-compliance
Customer has fourteen (14) days to remediate the issue
Customer must provide evidence of remediation

12.2 Suspension

If Customer fails to remediate within the specified period:

Customer's access to the Service will be suspended
Monthly Minimum fees continue to apply during suspension
Access will be restored upon evidence of remediation

12.3 Termination

ShipStream may terminate Customer's account for:

Repeated non-compliance
Failure to remediate after suspension
Material breach of Security Requirements
Deliberate violation of Acceptable Use terms

New security threats
Changes in Amazon's requirements
Industry best practice evolution
Regulatory changes

13.2 Notice Period

Customers will be notified at least thirty (30) days before material changes take effect
Continued use of the Service after the effective date constitutes acceptance

13.3 Review

These Security Requirements are reviewed at least annually.

Quick Reference: Security Checklist

Use this checklist to verify compliance with basic requirements:

Print Stations run supported OS (Windows 10+)
Security updates are enabled on all Print Stations
Antivirus/endpoint protection is active (Windows Defender is sufficient)
Print Stations require password/PIN to access
Auto-lock is set to 15 minutes or less
WiFi uses WPA2 or WPA3 encryption (no open networks)
Device Hub is installed and up to date
No print-to-file or PDF drivers configured for labels
Only authorized personnel have access to Print Stations
Device Hub credentials are kept confidential
Security contact is designated (Enhanced/Enterprise)
Annual questionnaire is current (Enhanced/Enterprise)

Questions?