Your Data Security Is Not Negotiable
SellerVault implements defense-in-depth security controls to protect your Amazon account data. As an official Amazon SP-API Developer, we follow strict data handling and compliance standards.
We handle our own 8-figure Amazon business data on this platform — your security is our security.
Compliance Status
Amazon SP-API Compliance
Official Amazon SP-API Developer. All data access follows Amazon's Acceptable Use Policy and Data Protection Policy.
Amazon Advertising API
Authorized Amazon Ads API Partner. Advertising data stored securely and not shared with third parties.
Amazon Terms of Service
All operations comply with Amazon TOS. No automated case submissions, listing modifications, or unauthorized Seller Central actions.
Data Encryption in Transit
TLS 1.2/1.3 encryption on all connections. HSTS preload enforced. No unencrypted data transfer.
Access Logging & Audit
Comprehensive request/response logging, user activity audit trail, and real-time access monitoring.
Process Isolation
Application processes run under non-root user accounts with memory limits. Web server runs under unprivileged www-data user.
Network Protection & Security Controls
Multiple layers of security protect your data from unauthorized access, from the network perimeter through the application layer.
Firewall & Network Security
- Default-deny inbound firewall policy (UFW)
- Only ports 22, 80, 443 publicly accessible
- Application server ports blocked from external access
- Intrusion detection with automatic IP blocking (Fail2ban)
- Database and cache services bound to localhost only
Encryption & Transport Security
- TLS 1.2/1.3 enforced for all data in transit (older protocols disabled)
- Amazon API refresh tokens encrypted at rest using AES-256-GCM
- HSTS with preload directive (1-year max-age, includeSubDomains)
- Automated SSL certificate renewal (Let's Encrypt)
- All third-party API calls exclusively over HTTPS
- HTTP requests automatically redirected to HTTPS (301)
Authentication & Access Control
- JWT-based authentication required on all API endpoints
- Access tokens expire in 15 minutes, refresh tokens in 7 days
- Passwords: minimum 12 characters, uppercase, lowercase, number, special character required
- Passwords hashed with bcrypt (12 salt rounds), never stored in plaintext
- Multi-factor authentication (TOTP) support planned for all accounts with access to Amazon seller data
- Role-based access control (admin, member, viewer)
- Access for terminated employees revoked promptly upon separation
- CSRF protection via double-submit cookie pattern
Rate Limiting & DDoS Protection
- Multi-tier rate limiting: nginx-level and application-level
- Per-tenant request limits based on subscription tier
- Burst detection and automatic throttling
- Authentication endpoints rate-limited to 5 req/s per IP
- 429 Too Many Requests response with Retry-After headers
Security Headers & Browser Protection
- Content Security Policy (CSP) restricting script/style/connection sources
- X-Frame-Options: DENY (prevents clickjacking)
- X-Content-Type-Options: nosniff (prevents MIME sniffing)
- Permissions-Policy: camera, microphone, geolocation disabled
- Referrer-Policy: strict-origin-when-cross-origin
Vulnerability Management
- Dependency vulnerability scanning via npm audit
- Critical vulnerabilities remediated promptly upon discovery
- Regular security updates applied to all system components
- Code review required for all production changes
Input Validation & Injection Prevention
- Schema validation on all API inputs via Zod
- SQL injection prevention via parameterized queries (Drizzle ORM)
- String length limits (10,000 chars), array limits (1,000 items)
- Null byte removal and object depth limits (10 levels)
- XSS prevention through CSP and output encoding
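As an added example (not SellerVault's code), here is a request-body sanitizer that applies the limits listed above, null-byte stripping, string length, array size and nesting depth, before the body reaches schema validation. Throwing on an exceeded limit rather than truncating, and skipping prototype-related keys, are my assumptions.

```javascript
// Added example, not SellerVault's code. Limits are the ones stated on the page.
const MAX_STRING = 10000;   // characters per string
const MAX_ARRAY = 1000;     // items per array
const MAX_DEPTH = 10;       // nesting levels of objects/arrays

class InputLimitError extends Error {}

// Recursively walks a parsed JSON body. Returns a cleaned copy or throws
// InputLimitError when a limit is exceeded (assumption: reject, do not truncate).
function sanitizeInput(value, depth = 0) {
  if (depth > MAX_DEPTH) {
    throw new InputLimitError(`object nesting exceeds ${MAX_DEPTH} levels`);
  }
  if (typeof value === 'string') {
    if (value.length > MAX_STRING) {
      throw new InputLimitError(`string exceeds ${MAX_STRING} characters`);
    }
    return value.replace(/\0/g, '');   // null byte removal
  }
  if (Array.isArray(value)) {
    if (value.length > MAX_ARRAY) {
      throw new InputLimitError(`array exceeds ${MAX_ARRAY} items`);
    }
    return value.map((item) => sanitizeInput(item, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      // Assumption: drop keys that would let a body tamper with prototypes.
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
      out[sanitizeInput(key, depth)] = sanitizeInput(val, depth + 1);
    }
    return out;
  }
  return value;   // numbers, booleans, null pass through unchanged
}
```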
Credential Management
Our password and credential management policies meet Amazon's Data Protection Policy requirements for length, complexity, storage, and lifecycle management.
Password Complexity Requirements
All passwords are validated against these requirements at registration, admin user creation, password change, and password reset. Passwords that do not meet the policy are rejected.
- Minimum length: 12 characters
- Must contain at least one uppercase letter (A-Z)
- Must contain at least one lowercase letter (a-z)
- Must contain at least one number (0-9)
- Must contain at least one special character (!@#$%^&*() etc.)
- Must not contain the user's name or email address
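The policy above, as an added example validator (not SellerVault's code) that returns every violation so the user can be told what to fix. It treats any character that is neither alphanumeric nor whitespace as "special" (the page lists !@#$%^&*() "etc."), and the identity check compares the password case-insensitively against the user's name words, full email and email local part, ignoring fragments shorter than 3 characters; those details are my assumptions.

```javascript
// Added example, not SellerVault's code. Implements the listed password policy.
const MIN_LENGTH = 12;
const SPECIAL = /[^A-Za-z0-9\s]/;     // assumption: any non-alphanumeric, non-space char
const MIN_FRAGMENT = 3;                // assumption: ignore very short name fragments

// Returns an array of violation messages; an empty array means the password
// is acceptable. Intended for registration, admin user creation, change and reset.
function validatePassword(password, user = {}) {
  const pw = typeof password === 'string' ? password : '';
  const violations = [];

  if (pw.length < MIN_LENGTH) violations.push(`must be at least ${MIN_LENGTH} characters`);
  if (!/[A-Z]/.test(pw)) violations.push('must contain an uppercase letter');
  if (!/[a-z]/.test(pw)) violations.push('must contain a lowercase letter');
  if (!/[0-9]/.test(pw)) violations.push('must contain a number');
  if (!SPECIAL.test(pw)) violations.push('must contain a special character');

  // Identity check: name words, full email address and the email local part.
  const fragments = [];
  if (user.name) fragments.push(...String(user.name).split(/\s+/));
  if (user.email) fragments.push(String(user.email), String(user.email).split('@')[0]);
  const lower = pw.toLowerCase();
  for (const fragment of fragments) {
    const f = fragment.toLowerCase();
    if (f.length >= MIN_FRAGMENT && lower.includes(f)) {
      violations.push("must not contain the user's name or email address");
      break;
    }
  }
  return violations;
}
```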
Password Storage & Transmission
- Hashed with bcrypt using 12 salt rounds before storage
- Never stored in plaintext — not recoverable by anyone, including staff
- Transmitted exclusively over HTTPS (TLS 1.2/1.3)
- HTTP requests automatically redirected to HTTPS (301)
- Password history hashes retained for reuse prevention only
Password Lifecycle Policies
- Password history: cannot reuse any of the last 10 passwords
- Minimum password age: 24 hours between password changes
- All sessions revoked upon password change (force re-authentication)
- Account lockout after repeated failed login attempts
- Password reset tokens are single-use and expire within 24 hours
Session & Token Management
- JWT access tokens expire after 15 minutes
- Refresh tokens expire after 7 days
- Refresh tokens stored as cryptographic hashes (not plaintext)
- CSRF protection via double-submit cookie pattern
- TOTP-based multi-factor authentication available for admin accounts
- Admins can reset MFA for team members if a device is lost
Data Handling & Privacy
Clear commitments on how we access, store, isolate, and protect your data.
Data Access
All seller data is accessed exclusively through Amazon's official SP-API and Advertising API using OAuth 2.0 authorization. We never see or store Amazon account passwords.
Data Isolation
Each seller's data is stored in isolated tenant partitions. Multi-account plans (Agency tier) maintain strict data segregation — each client's data is stored separately and never mixed or aggregated across accounts.
Data Residency
All application data is stored on dedicated servers located in North America. Database services are bound to localhost and are not accessible from external networks.
Data Retention
Account data is deleted within 30 days of account deletion request. SP-API and Advertising API data is retained for up to 18 months for historical analytics. Usage and security logs are retained for 12 months minimum, in compliance with Amazon's Data Protection Policy. Amazon marketplace PII is automatically purged within 30 days of order delivery.
No Data Aggregation
We do not aggregate data across sellers, resell Amazon data, or provide data to third parties for any purpose. Each seller's data is used exclusively to provide analytics and services to that seller.
No Unauthorized Actions
SellerVault does not modify listings, change prices, or take any automated action on Amazon Seller Central. Reimbursement claims are filed manually through Seller Central's standard case submission process, only after seller review and approval of identified discrepancies.
Employee Access Controls
Access to seller data is restricted to authorized personnel only on a least-privilege basis. Database access is restricted to senior engineering staff with production access justification. Access for terminated employees is revoked promptly upon separation.
Data Processing Agreement (DPA)
SellerVault acts as a data processor on behalf of Selling Partners (data controllers). A Data Processing Agreement is available upon request for enterprise customers and where required by applicable law (including GDPR Article 28). Contact privacy@sellervault.io to request a DPA.
Data Deletion
Sellers may request complete deletion of their data at any time. All personal and seller data is permanently deleted within 30 days of request. Amazon API tokens are immediately revoked upon account disconnection. Backup copies are purged within 90 days.
Third-Party Services
Third-party service providers (hosting, payment processing, email) receive only the minimum data necessary for their function. The database is self-hosted; no third-party database services are used. We do not share, sell, or provide seller data to any third party for their own purposes.
Intrusion Detection & Security Tooling
Fail2ban intrusion detection is deployed on production systems for automated IP blocking. Security updates are applied regularly to all system components.
API Credential Management
Amazon SP-API refresh tokens are encrypted using AES-256-GCM before storage. OAuth tokens are automatically refreshed and old tokens are invalidated.
Service Level Commitments
Our operational targets for availability, support, and incident response.
Application availability target, excluding scheduled maintenance windows. Maintenance is performed during low-traffic hours with advance notice.
Target first response time for support inquiries via email. Priority support available on Growth plans and above.
Target frequency for syncing latest data from Amazon SP-API. Actual sync times depend on Amazon API availability.
Amazon notified within 24 hours of confirmed breach. Affected Selling Partners notified within 72 hours with breach details and remediation steps.
Security and access logs retained for a minimum of 12 months, in compliance with Amazon's Data Protection Policy requirements.
Incident Response Procedure
Our structured approach to detecting, containing, and recovering from security incidents.
Detection & Triage
Continuous monitoring and alerting systems (Fail2ban, access logs, rate limiting) detect anomalies in real time. Manual review confirms incident severity.
Containment
Immediate isolation of affected systems within 1 hour of confirmed incident. Compromised credentials are rotated. Firewall rules are tightened as needed.
Notification
Amazon is notified within 24 hours of confirmed breach discovery. Affected Selling Partners are notified within 72 hours. Notification includes: nature of the breach, data affected, and remediation steps. Designated Incident Management Point of Contact (IMPOC) available 24/7 for security incident coordination. IMPOC contact: security@sellervault.io.
Remediation
Root cause analysis, system hardening, and preventive measures are implemented. Systems are restored from verified backups where needed.
Documentation
Full incident report is created and retained for a minimum of 3 years. Lessons learned are incorporated into security procedures.
Our Commitments
What We Do
- Access data only through Amazon's official SP-API with OAuth authorization
- Store each seller's data in isolated tenant partitions
- Encrypt all data in transit with TLS 1.2/1.3 and sensitive credentials at rest with AES-256-GCM
- Enforce strong password requirements (12+ characters, complexity rules)
- Plan to enforce multi-factor authentication (TOTP) for all accounts
- Restrict employee access on a least-privilege basis with audit trails
- Require seller approval before any action is taken
- File reimbursement claims manually through Seller Central (TOS-compliant)
- Maintain comprehensive audit logs of all system access
- Provide data deletion within 30 days of account closure
- Notify Amazon within 24 hours and users within 72 hours of confirmed incidents
- Provide Data Processing Agreements (DPA) upon request
What We Never Do
- Aggregate data across unrelated sellers
- Sell, share, or provide seller data to third parties
- Submit cases or claims to Amazon without seller authorization
- Modify listings, prices, or account settings without explicit approval
- Store Amazon account passwords (OAuth only)
- Access data beyond what's authorized by the seller
- Use seller data for competitive purposes
- Expose database or internal services to external networks
Cantelmi E-Commerce · 521 E 4th St, Bethlehem, PA 18015
For security inquiries: security@sellervault.io · Privacy: privacy@sellervault.io