Amazon SP-API Updates Data Protection and Acceptable Use Policies Effective November 25
Amazon is implementing significant updates to its Data Protection Policy (DPP) and Acceptable Use Policy (AUP) for the Selling Partner API (SP-API), effective November 25, 2025. These changes are designed to enhance security and data handling practices for solution providers using Amazon's services. Continued use of the SP-API after the effective date will signify acceptance of the revised policies, which may necessitate adjustments to existing security measures.
Key Takeaways
- Updates to Data Protection and Acceptable Use Policies effective November 25, 2025.
- Changes include revised terminology, enhanced security controls, and stricter data retention requirements.
- Solution providers must review and potentially update their security protocols.
Data Protection Policy Enhancements
The updated Data Protection Policy introduces several key changes for SP-API solution providers. The term "Developer" has been replaced with "Solution Provider," and new definitions for "Amazon Partners," "Service Provider," and "Solution Provider" have been added. Network protection requirements now explicitly include measures to prevent the disabling of anti-virus and anti-malware software. Access management has been tightened with an account lockout after ten unsuccessful login attempts, and credential management now mandates retaining a history of the last ten passwords and rotating API keys.
Encryption standards have been elevated to require Transport Layer Security (TLS) 1.2+ and the implementation of a Key Management System (KMS). Incident response protocols now mandate the designation of a readily available Incident Management Point of Contact (IMPOC) for data leakage and security breach events. Data retention policies have been updated, stipulating that information other than Personally Identifiable Information (PII) must not be stored for longer than 18 months unless legally required, and the minimum log retention period is now 12 months.
Vulnerability management requirements have been strengthened, demanding critical vulnerability resolution within seven days of discovery and high-risk vulnerability resolution within 30 days. Geographically dispersed backup requirements have also been introduced. Furthermore, audit cooperation requirements now extend to Amazon's affiliates, agents, representatives, contractors, and subcontractors. A new subcontractor requirement mandates third-party risk assessments for all vendors and subcontractors.
Acceptable Use Policy Revision
The primary change to the Acceptable Use Policy (AUP) is the updated terminology, aligning with the DPP by replacing "Developer" with "Solution Provider."
Scope of Impact
These policy updates apply to all Amazon stores.