Maison Amiraé (trade name – brand), legal entity – Maison Amirae Ladies’ Garments Trading CO. L.L.C.
(“Maison Amiraé”, “we”, “us” or “Company”)
1 Responsible Vulnerability Disclosure Policy
Last updated 26 May 2025
We are committed to safeguarding the Maison Amiraé e-commerce platform, which runs on AWS servers and is fronted by Amazon CloudFront. If you discover a security weakness, please alert us before any public disclosure.
◇ Single point of contact: info@maisonamirae.com
Use a subject such as [Vulnerability Report] and include a description, steps to reproduce and, where possible, proof-of-concept code.
Our response protocol
◇ Step 1 – Acknowledge receipt. Timeline: within 72 hours.
◇ Step 2 – Triage & CVSS scoring. Timeline: immediately after acknowledgement.
◇ Step 3 – Fix plan & status updates. Timeline: issued until remediation, with coordinated disclosure (if desired).
We thank good-faith researchers publicly once a fix is deployed.
2 Customer Data-Processing Agreement (GDPR / UK GDPR / Swiss FADP)
This DPA forms part of the Customer Terms of Service whenever Maison Amiraé processes Personal Data subject to European, UK or Swiss data-protection law.
2.1 Definitions (abridged)
◇ Controller / Processor / Processing / Personal Data – as in Art. 4 GDPR.
◇ Security Incident – any breach leading to accidental or unlawful destruction, loss, alteration or unauthorised disclosure/access.
◇ Standard Contractual Clauses (SCCs) – the clauses in Commission Decision (EU) 2021/914.
◇ EU-U.S. Data Privacy Framework (DPF) – adequacy decision of 10 July 2023; AWS is certified under the DPF, the UK extension and the Swiss-U.S. variant.
2.2 Roles & scope
◇ Customer = Controller.
◇ Maison Amiraé = Processor and processes Personal Data solely:
1. to provide and maintain the services;
2. on documented instructions from Customer;
3. to comply with legal obligations.
2.3 Hosting & sub-processing
◇ Primary hosting – The storefront, checkout and CMS run inside dedicated Amazon Web Services accounts located in AWS Regions in Ireland and Germany, with global asset delivery via Amazon CloudFront and other CDNs.
◇ Principal sub-processor – Amazon Web Services, Inc. (Seattle, USA), certified under the EU-U.S. DPF, UK extension and Swiss-U.S. DPF and offering a GDPR DPA that embeds the 2021 SCCs.
◇ A complete list of additional sub-processors is available on request via info@maisonamirae.com; we will give 30 days’ notice before engaging a new sub-processor.
2.4 International transfers
1. EEA / UK / CH → USA (AWS) – rely on the DPF certification (and the UK “data bridge” for UK data).
2. Other third-country transfers – governed by the modern 2021 SCCs with supplementary measures (TLS 1.3 in transit, AES-256 at rest, least-privilege IAM, documented transfer-impact assessments).
3. Where the SCCs conflict with this DPA, the SCCs take precedence.
2.5 Security measures & NIS2 alignment
Maison Amiraé implements ISO 27001-aligned controls on AWS: network segmentation, VPC firewalls, multi-factor authentication, vulnerability scans, quarterly penetration testing and continuous logging. Incident handling follows the accelerated timeline in Art. 23 NIS2: early warning within 24 hours and a full incident report within 72 hours.
2.6 Data-subject assistance
Upon request (info@maisonamirae.com) and considering the nature of processing, we will help Customer respond to access, erasure, portability or objection requests, conduct DPIAs and liaise with supervisory authorities.
2.7 Retention & deletion
When the contract ends or on written instruction, Maison Amiraé will:
◇ erase active Personal Data within 30 days;
◇ wipe encrypted backups within 90 days,
unless a longer retention period is legally required (e.g., for tax compliance), in which case the data are isolated and protected.
2.8 Audit rights
Once per 12-month period (or more frequently if required by a regulator), Customer may audit compliance via ISO 27001 / SOC 2 Type II reports or an on-site review of the AWS environment, subject to 30 days’ notice and mutual confidentiality.
2.9 Liability & governing law
Nothing here limits either party’s liability toward data subjects under the GDPR or equivalent laws. Jurisdiction depends on where the Controller is located:
◇ Controller located in the EEA – law and courts of Customer’s Member State.
◇ Controller located in the UK – English law; courts of England & Wales.
◇ Controller located elsewhere – as set in the underlying Agreement.