Did you fill out the MWS security form?

I filled it out in March and didn’t get any negative feedback with my answers. Now I got the same.

This is the survey they sent me:

Quite daunting for a small company

Question
Acceptable Use
Do you use Personally Identifiable Information (PII) for any purpose other than Shipping labels and/or tax purposes? If so, please list additional use cases and explain them (e.g. customer profiles, marketing, buyer communication).
Please list any subsidiaries or additional benficiaries (e.g. additional business units, customers, vendors, other third-party solutions) that obtain access to Amazon MWS data due to your use as a Developer (other than application users).
Do you retrieve Amazon.com data from non-Amazon MWS sources? If yes, please specify the type of data and its source.
Network Protections
How is your infrastructure hosted (e.g. on-premise, AWS, non-Amazon cloud solution)?
How do you restrict network-level access to your infrastructure (web servers, database servers, endpoints, etc)?
Do you restrict public access to your database/file servers and desktop/developer endpoints? If so, how?
Access Management
Please describe your access management practices.
Have you assigned a unique ID (for logging and accountability) to each employee who has access to Amazon Information?
How often do you review (and baseline) access to Amazon Information?
Do you have a lockout mechanism in place when a malicious activity or log-in attempt is detected?
Do you keep an inventory of asset hardware and software that stores Amazon information?
Do you allow employees to store Amazon data on personal devices?
Do your access controls divide data access between PII and non-PII access?
Encryption in Transit
Are you encrypting all data-in-transit for all internal and external endpoints? Please specify any data transfers, internal or external, which are not encrypted.
Incident Response Plan
How does your incident response plan address:

1. What to do in case your servers/databases are hacked?
2. What to do in case an unauthorized access to customer data is detected?
3. Who to contact in case of an incident and what steps to follow?
4. What to do in case your servers leaked Amazon Information?
5. How to reach out to Amazon to inform them of the incident?
   Request for Deletion or Return
   In case of Amazon’s request for data deletion or return, do you have a mechanism in place to destroy Amazon-provided data?
   In case of request, how soon will you be able to destroy Amazon-provided data?
   Data Governance
   Do you have an external Privacy policy? If “Yes,” please provide the URL to your external Privacy policy.
   Encryption and Storage
   Are you encrypting all data-at-rest, including data backups?
   What protocol are you using to encrypt data-at-rest?
   Least Privilege Principle
   How does your organization follow the principle of least privilege to ensure that access to PII is granted on a “need-to-know” basis?
   Logging and Monitoring
   How are you generating logs?
   Are you logging security-related events (like access and authorization events, intrusion attempts, configuration changes, etc.)?
   Are you storing PII in logs?
   Do you have mechanisms in place to monitor the logs and trigger alarms in case of malicious activity?