Policy Brief & Purpose:

Caremax's commitment to data protection is showcased through our Privacy and Data Handling Policy, which emphasizes our dedication to handling data with the utmost care and confidentiality. This policy delineates our approach to the collection, processing, storage, usage, sharing, and disposal of data, ensuring fairness, transparency, and respect for individual rights.


This policy applies to all parties involved, including but not limited to employees, job candidates, customers, suppliers, and any entities providing information. It is mandatory for all employees, contractors, consultants, and partners affiliated with our company and its subsidiaries to adhere to this policy, ensuring compliance from anyone requiring occasional data access while collaborating with or representing our company.

Policy Elements:

In conducting our operations, we engage in the collection and processing of data, whether offline or online, that identifies individuals, such as names, addresses, usernames, passwords, digital footprints, photographs, social security numbers, and financial data. Our approach to data handling is guided by the following principles:

Our Data Will:

  • Be accurate and regularly updated.
  • Be collected fairly and for lawful purposes only.
  • Be processed within legal and ethical boundaries.
  • Be safeguarded against unauthorized access by internal or external parties.

Our Data Will Not:

  • Be communicated informally.
  • Be retained beyond the necessary time frame.
  • Be transferred to entities lacking adequate data protection policies.
  • Be shared with parties not authorized by the data owner, except in legitimate circumstances such as law enforcement requests.

Elements Detail:

Collection: Data collection is conducted transparently and lawfully, with explicit consent obtained when necessary. This includes various types of data such as transaction history and customer details, obtained through methods like API integrations.

Processing: Our data processing procedures adhere to strict security standards, with data processed for purposes like order fulfillment and customer support. Access to this information is restricted to authorized personnel with legitimate needs.

Storage: Data is securely stored in cloud servers with access controls in place to prevent unauthorized access. Regular data backups are performed to maintain data integrity and availability.

Use: Data usage is limited to the purposes for which it was collected, focusing on improving services and personalizing user experiences while prioritizing user privacy.

Sharing: In accordance with our policy, information is not shared with any external parties.

Disposal: Data disposal is conducted securely and irreversibly when no longer needed for its intended purpose or as per legal requirements, minimizing the risk of unauthorized access.

Obligations Towards Data Subjects: In addition to handling data responsibly, we have obligations to individuals, including informing them about data collection, processing, access, and providing avenues for modification, erasure, or correction of their data.

Actions: To uphold data protection, we are committed to restricting and monitoring access to sensitive data, ensuring transparent data collection procedures, training employees in online privacy and security measures, establishing secure networks, clear procedures for reporting breaches, and implementing data protection practices.

Disciplinary Consequences: Adherence to the principles outlined in this policy is mandatory, and any breach will result in disciplinary action and potential legal consequences.


Amazon Data Protection Policy

The Data Protection Policy (DPP) governs the handling of information, including its receipt, storage, use, transfer, and disposal via the Amazon Services API within our service, including the Seller Partner API. It applies to all systems involved in storing, processing, or managing data derived from the Amazon Services API, complementing the Amazon Services API Developer Agreement and the Acceptable Use Policy.

General Security Requirements

Aligned with industry-leading security practices, Caremax maintains physical, administrative, and technical safeguards, along with additional security measures. These measures aim to maintain the security and confidentiality of accessed, collected, used, stored, or transmitted information by a Developer and protect it from known or anticipated threats, accidental loss, alteration, disclosure, and unlawful processing. Developers commit to complying with various requirements, including:

1. Network Protection

Caremax implements network protection controls like firewalls, access control lists, and network segmentation to prevent unauthorized access. It also employs antivirus and anti-malware software on end-user devices, restricts public access to approved users, and provides comprehensive data protection and IT security training to all individuals with system access.

1.2 Access Management

Caremax establishes a formal user access registration process to assign access rights, unique IDs to individuals with computer access, and avoids generic or shared login credentials. It implements baselining mechanisms to ensure necessary user account access and enforces account lockout protocols. Additionally, it restricts employees and contractors from storing information on personal devices and promptly disables access upon employee termination.

1.3 Least Privilege Principle

Caremax implements fine-grained access control mechanisms, granting access to information based on the principle of least privilege and only on a "need-to-know" basis.

1.4 Credential Management

Caremax sets minimum password requirements, enforces password complexity, establishes password age policies, mandates multi-factor authentication (MFA), and limits access to API keys provided by Amazon to essential employees.

1.5 Encryption in Transit

Caremax mandates the encryption of all information in transit using secure protocols such as TLS 1.2+, SFTP, and SSH-2, both internally and externally, and implements data message-level encryption where channel encryption terminates in untrusted multi-tenant hardware.

1.6 Risk Management and Incident Response Plan

Caremax maintains a comprehensive risk assessment and management process, conducts regular reviews, promptly notifies Amazon of security incidents, investigates incidents thoroughly, and implements corrective measures to prevent recurrence.

1.7 Request for Deletion

Caremax commits to permanently and securely deleting information upon receiving deletion notices from Amazon, following industry-standard sensitization procedures, and providing written certification of secure destruction upon request.

1.8 Data Attribution

Caremax stores information in dedicated databases or employs mechanisms to tag and identify the origin of all data within databases containing information.

2 Additional Security Requirements for Personally Identifiable Information (PII)

Caremax ensures compliance with additional security requirements for PII, including data retention limitations, data governance policies, asset management practices, encryption at rest, secure coding practices, logging and monitoring procedures, vulnerability management, and audit and assessment protocols.


2.1 Data Retention

According to our company policy, Personally Identifiable Information (PII) is retained for no longer than 30 days after order delivery. This retention serves specific purposes such as order fulfillment, tax calculations, generating invoices, and meeting legal obligations. If retention beyond 30 days is mandated by law, we retain the data solely for compliance purposes. It's crucial to ensure that PII is always adequately protected, as highlighted in sections 1.5 ("Encryption in Transit") and 2.4 ("Encryption at Rest").

2.2 Data Governance

We are committed to creating, documenting, and adhering to a privacy and data handling policy for our applications or services. This policy dictates proper conduct and technical controls to manage and safeguard our information assets. To ensure compliance with regulations, we maintain records of data processing activities, especially concerning PII. Our company identifies and complies with privacy and security laws, implementing a privacy policy governing customer consent and data rights. We also assist Authorized Users with data subject access requests through technical and organizational processes.

2.3 Asset Management

We maintain a baseline standard configuration for our information system and update an inventory of software and physical assets, ensuring compliance with PII handling requirements. PII is not stored in removable media or personal devices without encryption, and data loss prevention controls are in place to monitor unauthorized data movement.

2.4 Encryption at Rest

All PII is encrypted at rest using robust cryptographic techniques accessible only to our company's processes and services, employing AES-128 or RSA with a 2048-bit key size or higher.

2.5 Secure Coding Practices

Sensitive credentials like encryption keys or passwords are strictly prohibited from being hardcoded within code or exposed in public repositories. Developers maintain separate test and production environments to enhance security and manage sensitive information properly.

2.6 Logging and Monitoring

We establish a robust logging system to detect security-related events across applications and systems, ensuring logs are regularly reviewed and access controls are enforced. PII is included in logs only when necessary for legal requirements. Logs are retained for a minimum of 90 days, and monitoring mechanisms detect any unauthorized extraction or presence of information.

2.7 Vulnerability Management

Developers maintain a plan for detecting and remediating vulnerabilities, conducting regular vulnerability scans and penetration testing. Changes to storage hardware are controlled, and procedures are in place to restore availability and access to PII in case of incidents.

3 Audit and Assessment

We maintain necessary records to validate adherence to policies and agreements, providing certification of compliance upon request. Amazon or an independent firm may conduct audits, and our company is expected to cooperate. Identified deficiencies or breaches must be rectified within an agreed timeframe, with remediation evidence provided upon request and approval from Amazon required before closing the audit.