Data Protection & Security Policy

Amazon SP-API Compliance Documentation

Last updated: November 17, 2025

Executive Summary

RepriceLab is an Amazon SP-API solution provider committed to the highest standards of data protection and security. This document outlines our comprehensive security measures, compliance certifications, and operational practices that protect Amazon seller data and ensure compliance with Amazon's Data Protection Policy.

1. Infrastructure Security

1.1 Cloud Infrastructure

Provider: Amazon Web Services (AWS)

Certifications:

  • SOC 2 Type II compliant
  • ISO 27001 certified
  • PCI DSS Level 1 (via Stripe)
  • CCPA/CPRA compliant infrastructure

1.2 Network Security

  • VPC Isolation: Private Virtual Private Cloud with isolated subnets
  • Security Groups: Firewall rules restricting inbound/outbound traffic
  • DDoS Protection: AWS Shield Standard protection
  • WAF (Web Application Firewall): Protection against common web exploits
  • CDN: Content delivery with edge caching and SSL/TLS termination

1.3 Server Security

  • Operating System: Hardened Linux servers with automatic security patches
  • Access Control: SSH key-based authentication only (no password login)
  • Intrusion Detection: Automated monitoring for suspicious activities
  • Log Management: Centralized logging with 90-day retention

2. Data Encryption

✓ Data in Transit

  • TLS 1.2+ for all HTTPS connections
  • Perfect Forward Secrecy (PFS)
  • Strong cipher suites only
  • HSTS (HTTP Strict Transport Security)

✓ Data at Rest

  • AES-256 encryption for databases
  • Encrypted EBS volumes (AWS)
  • Encrypted backups
  • Encrypted log files

2.1 Key Management

  • AWS KMS: AWS Key Management Service for encryption key management
  • Key Rotation: Automatic annual key rotation
  • Access Control: IAM policies restricting key usage
  • Audit Trail: All key usage logged in CloudTrail

3. Amazon SP-API Data Protection

3.1 OAuth Token Management

Critical Security Measures

  • ✓ Refresh tokens encrypted using industry-standard encryption (AES-256)
  • ✓ Tokens stored in encrypted PostgreSQL database
  • ✓ Tokens never logged or exposed in error messages
  • ✓ Automatic token revocation upon account disconnection
  • ✓ Token expiration and renewal handled securely

3.2 SP-API Access Control

  • Least Privilege: Only requested permissions granted (listings, pricing, orders read-only)
  • Role-Based Access: Users can only access their own connected stores
  • API Rate Limiting: Compliance with Amazon's SP-API rate limits
  • Request Validation: All SP-API requests validated before execution

3.3 Seller Data Handling

Data Minimization Principle

We collect and process only the minimum Amazon seller data required to provide repricing services:

  • Product listings (SKU, ASIN, price, inventory)
  • Competitive offers (for Buy Box analysis only)
  • Order history (read-only, for analytics)

We do NOT collect: Customer PII, payment details, or unnecessary seller data

4. Application Security

4.1 Authentication & Authorization

  • Password Security: Bcrypt hashing with cost factor 12 (64,000+ iterations)
  • Session Management: JWT (JSON Web Tokens) with HMAC-SHA256 signing
  • Token Expiration: Short-lived access tokens (1 hour), long-lived refresh tokens
  • OAuth 2.0: Standard OAuth flow for Amazon and Google authentication
  • CSRF Protection: State parameter validation in OAuth flows

4.2 Input Validation & Sanitization

  • SQL Injection Prevention: Parameterized queries via SQLAlchemy ORM
  • XSS Prevention: React automatic escaping, Content Security Policy (CSP)
  • API Input Validation: Pydantic schema validation on all API endpoints
  • File Upload Security: Type validation, size limits, virus scanning

4.3 API Security

  • Rate Limiting: 100 requests per minute per user
  • Request Throttling: Prevents abuse and DDoS attacks
  • API Versioning: Backward-compatible API changes
  • Error Handling: Generic error messages (no sensitive data leakage)

5. Monitoring & Incident Response

5.1 Security Monitoring

Automated Monitoring

  • 24/7 server health monitoring
  • Real-time intrusion detection
  • Failed login attempt tracking
  • Unusual API activity alerts

Logging & Auditing

  • Centralized log aggregation
  • 90-day log retention
  • Audit trail for all admin actions
  • Compliance logs (7-year retention)

5.2 Incident Response Plan

Security Incident Response Procedure

  1. Detection (0-1 hour): Automated alerts notify security team
  2. Assessment (1-4 hours): Severity assessment, impact analysis
  3. Containment (4-24 hours): Isolate affected systems, prevent spread
  4. Eradication (24-48 hours): Remove threat, patch vulnerabilities
  5. Recovery (48-72 hours): Restore services, verify security
  6. Communication: Notify affected users within 72 hours (CCPA/state breach notification laws)
  7. Post-Incident Review: Root cause analysis, preventive measures

5.3 Data Breach Notification

In the event of a data breach affecting Amazon seller data:

  • Amazon notified within 24 hours (as required by SP-API DPP)
  • Affected users notified within 72 hours (CCPA/state breach notification laws)
  • Regulatory authorities notified as required by applicable state laws
  • Public disclosure if legally required

6. Backup & Disaster Recovery

6.1 Backup Strategy

  • Automated Daily Backups: Full database backups at 2:00 AM UTC
  • Incremental Backups: Every 6 hours for critical data
  • Retention Period: 30-day rolling retention
  • Encryption: All backups encrypted with AES-256
  • Geographic Redundancy: Backups stored in multiple AWS regions
  • Testing: Monthly backup restoration tests

6.2 Disaster Recovery

Recovery Time Objective (RTO): 4 hours

Recovery Point Objective (RPO): 6 hours (max data loss)

Failover Strategy: Multi-region deployment with automatic failover

7. Personnel & Access Control

7.1 Employee Access

  • Background Checks: Criminal and employment verification for all staff
  • NDA Agreements: Mandatory confidentiality agreements
  • Security Training: Annual security awareness training
  • Least Privilege: Employees granted minimum necessary access
  • Access Reviews: Quarterly reviews of all user permissions

7.2 Production Access

  • MFA Required: Multi-factor authentication for all admin access
  • Jump Boxes: Bastion hosts for production server access
  • Audit Logging: All admin actions logged and reviewed
  • Time-Limited Access: Temporary credentials with automatic expiration

8. Compliance & Certifications

✓ Amazon SP-API DPP

Fully compliant with Amazon's Data Protection Policy

✓ CCPA Compliant

California Consumer Privacy Act

✓ CPRA Compliant

California Privacy Rights Act

✓ PCI DSS (via Stripe)

Payment Card Industry Data Security Standard

✓ SOC 2 Type II

AWS infrastructure certification

✓ ISO 27001

Information Security Management

9. Vulnerability Management

9.1 Security Testing

  • Automated Scans: Weekly vulnerability scans using industry-standard tools
  • Penetration Testing: Annual third-party penetration tests
  • Code Reviews: Security-focused code reviews for all changes
  • Dependency Scanning: Automated scanning for vulnerable dependencies

9.2 Patch Management

  • Critical Patches: Applied within 24 hours
  • High Priority: Applied within 7 days
  • Regular Updates: Monthly patch cycle for non-critical updates
  • Testing: All patches tested in staging before production deployment

10. Security Contact

Report Security Vulnerabilities

Email: repricelab@gmail.com

Subject Line: [SECURITY] Vulnerability Report

Response Time: Within 24 hours for critical security issues

We appreciate responsible disclosure of security vulnerabilities and will acknowledge and address all legitimate reports.

© 2025 RepriceLab. All rights reserved.