Security & Compliance
SellerBlaze is built to meet Amazon's SP-API security standards. This page documents our security practices, data handling policies, and incident response procedures in compliance with Amazon's Developer Security Standards.
Last updated: March 2026 • Contact: support@sellerblaze.com
1. Credential Management
SP-API Security Standard 1.4
Amazon SP-API Token Storage
All Amazon SP-API OAuth tokens (access tokens and refresh tokens) are encrypted at rest using AES-256-CBC with a unique random initialization vector (IV) generated for every encryption operation, applied at the application layer (Node.js crypto module) before the ciphertext is written to PostgreSQL. The encryption key is stored separately from the application database, so a database dump alone does not expose tokens. CBC mode provides confidentiality but not integrity: modification of stored ciphertext is not detected by the cipher itself, so integrity must be established separately (for example by an authentication tag) before a decrypted token is used.
Encryption Key Management
Encryption keys are generated using cryptographically secure random number generators (Node.js crypto.randomBytes / OpenSSL). Keys are provided exclusively as server-side environment variables, loaded from a file with restricted permissions (chmod 600, readable and writable by the owner only), and are never placed in source code, version control, or alongside the encrypted data they protect. Access to encryption keys is restricted to authorized infrastructure administrators only. Keys are rotated at minimum annually and immediately upon suspected compromise, employee offboarding, or significant infrastructure change. Rotation involves generating a new key, re-encrypting all affected data under it, and securely destroying the old key material once no stored ciphertext depends on it. A documented key management procedure is maintained internally and reviewed annually.
Password Security
User passwords are hashed using bcryptjs with a cost factor of 12 (2^12 key-expansion rounds), never stored in plaintext or transmitted in clear form. SellerBlaze enforces a minimum password length of 12 characters with at least one uppercase letter, one lowercase letter, one digit, and one special character. Usernames, email addresses, and display names cannot appear as part of any password; this is enforced programmatically on registration and password change. Passwords expire every 90 days, and the previous 5 passwords cannot be reused. Accounts are automatically locked after 5 consecutive failed login attempts within a 15-minute window. MFA is required for all administrative and server access.
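As an added example (not SellerBlaze's code), here is the policy gate and lockout logic the paragraph above describes: the length and character-class checks, the rule that account identifiers may not appear in the password, and a 5-failures-in-15-minutes lockout. The bcryptjs hash with cost factor 12 that follows a successful policy check is not shown. Two details are assumptions of the example: the local part of the e-mail address is also banned from passwords, and a locked account stays locked for one 15-minute window (the page gives no lock duration).

```javascript
// Added example, not SellerBlaze code: the password policy gate and the
// failed-login lockout described above. The bcryptjs hash (cost factor 12)
// that follows a successful policy check is not shown. Assumptions of this
// example: the e-mail local part is also banned from passwords, and a locked
// account stays locked for one 15-minute window (the page gives no duration).
const MIN_LENGTH = 12;
const LOCKOUT_THRESHOLD = 5;
const LOCKOUT_WINDOW_MS = 15 * 60 * 1000;

// Returns the list of policy violations; an empty list means "acceptable".
function checkPasswordPolicy(password, identity) {
  const problems = [];
  if (password.length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  if (!/[A-Z]/.test(password)) problems.push('no uppercase letter');
  if (!/[a-z]/.test(password)) problems.push('no lowercase letter');
  if (!/[0-9]/.test(password)) problems.push('no digit');
  if (!/[^A-Za-z0-9]/.test(password)) problems.push('no special character');
  // Username, e-mail (and its local part, an assumption here) and display name
  // must not appear anywhere in the password; compare case-insensitively.
  const lower = password.toLowerCase();
  const banned = [identity.username, identity.email, (identity.email || '').split('@')[0], identity.displayName]
    .filter((s) => typeof s === 'string' && s.length >= 3)
    .map((s) => s.toLowerCase());
  for (const s of new Set(banned)) {
    if (lower.includes(s)) problems.push(`contains account identifier "${s}"`);
  }
  return problems;
}

// Tracks consecutive failures per account inside a sliding 15-minute window.
// `now` (ms) is injected so the logic is testable without waiting.
class LoginGuard {
  constructor() {
    this.state = new Map(); // accountId -> { failures: number[], lockedUntil: number }
  }
  entry(accountId) {
    if (!this.state.has(accountId)) this.state.set(accountId, { failures: [], lockedUntil: 0 });
    return this.state.get(accountId);
  }
  isLocked(accountId, now = Date.now()) {
    return this.entry(accountId).lockedUntil > now;
  }
  // Record the outcome of a password check. Returns 'ok', 'failed' or 'locked'.
  record(accountId, success, now = Date.now()) {
    const s = this.entry(accountId);
    if (success) { s.failures = []; return 'ok'; }
    s.failures = s.failures.filter((t) => now - t < LOCKOUT_WINDOW_MS); // forget failures outside the window
    s.failures.push(now);
    if (s.failures.length >= LOCKOUT_THRESHOLD) {
      s.lockedUntil = now + LOCKOUT_WINDOW_MS; // assumed lock duration
      s.failures = [];
      return 'locked';
    }
    return 'failed';
  }
}

// Login flow: refuse locked accounts before the (expensive) bcrypt compare,
// so a locked account can neither be brute-forced nor used to burn CPU.
// `passwordMatches` is a function so the compare is skipped when locked.
function attemptLogin(guard, accountId, passwordMatches, now = Date.now()) {
  if (guard.isLocked(accountId, now)) return 'locked';
  return guard.record(accountId, passwordMatches(), now);
}
```

Note that the lockout state must live in a shared store (the database or a cache) rather than in process memory once the application runs more than one instance, otherwise an attacker can spread attempts across instances and never trip the threshold.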
Authentication Tokens
User sessions are managed via JSON Web Tokens (JWT) with a 15-minute expiry for access tokens and a 7-day expiry for refresh tokens. Tokens are invalidated on logout, and a new token pair is issued on each session refresh.
Transport Security
All data in transit is protected by TLS 1.2+ (HTTPS). Plain HTTP connections are automatically redirected to HTTPS. TLS certificates are issued by Let's Encrypt and renewed automatically.
Internal Service Credentials
Database credentials and internal service secrets are supplied to the application as server-side environment variables, not in source code. The codebase does not contain hardcoded credentials.
2. Asset Management
SP-API Security Standard 2.3
Infrastructure
SellerBlaze runs on a dedicated VPS (Virtual Private Server) hosted by OVH, a European cloud provider. The server is not shared with unrelated applications. Access to the server is restricted to SSH key-based authentication — password-based SSH login is disabled.
Access Control
Server access is limited to a single authorized administrator. There are no shared SSH keys. The application runs under a non-root service account with minimal permissions. Personal devices are prohibited from accessing production systems without endpoint security controls in place. USB and removable media are not used in any production workflow.
Endpoint Monitoring
The production server is monitored via automated system health checks and log-based alerting. Anomalous access attempts trigger automated alerts to the administrator. Failed SSH login attempts are tracked and blocked after repeated failures using fail2ban.
Software & Dependencies
Application dependencies are regularly reviewed for known vulnerabilities using npm audit and dependency scanning tools. The production environment runs the current LTS release of Node.js and up-to-date versions of its runtime dependencies.
Data Inventory
We maintain a clear inventory of all data types processed: Amazon SP-API tokens, seller order data, financial events, and user account information. Each data type has defined retention and handling policies (see Section 3).
3. Data Retention & Backup
SP-API Security Standards 2.1 & 2.7
Seller Data Retention
Amazon order data and financial events are retained for as long as the seller maintains an active SellerBlaze account to provide historical analytics. Upon account deletion, all associated data is permanently deleted within 7 business days.
Buyer PII Handling
Buyer Personally Identifiable Information (PII) received incidentally via SP-API (e.g., shipping postal codes used for zone estimation) is not stored in identifiable form. Postal codes are used transiently during fee calculation and are not retained as buyer-linked records. Any incidental PII in raw API responses is purged within 30 days of receipt.
SP-API Token Retention
Amazon SP-API OAuth tokens are retained only for as long as the seller account is connected to SellerBlaze. Tokens are permanently deleted when the user disconnects their Amazon account or deletes their SellerBlaze account.
Database Backups
The PostgreSQL database is backed up daily. Backups are encrypted at rest using AES-256 and retained for 30 days. Backups are stored on geographically separated AWS S3 storage (separate region from the primary server), ensuring data durability in the event of infrastructure failure. Recovery Time Objective (RTO) is 4 hours; Recovery Point Objective (RPO) is 24 hours. Backup restoration procedures are tested quarterly.
Data Deletion Requests
Sellers may request permanent deletion of all their data by emailing support@sellerblaze.com. Deletion requests are processed within 7 business days. Upon completion, a deletion confirmation is sent to the user's registered email address.
4. Logging & Monitoring
SP-API Security Standard 2.6
Application Logging
The application maintains structured logs of all SP-API sync operations, authentication events, errors, and critical system events. Logs include timestamps, operation type, success/failure status, and error messages. Logs do not contain sensitive data such as API tokens, passwords, or buyer PII.
Access Logging
Web server access logs record incoming requests (IP address, endpoint, HTTP status, response time). These logs are used exclusively for security monitoring, debugging, and abuse detection. Access logs are retained for a minimum of 365 days in compliance with Amazon SP-API logging requirements.
PII Protection in Logs
Logs are designed to exclude personally identifiable information. API tokens, passwords, buyer names, and shipping addresses are never written to log files. Postal codes used for fee-zone estimation are logged only in aggregated, non-buyer-linked form. Log pipelines are reviewed periodically to ensure PII masking remains enforced.
Error Monitoring
Application errors and SP-API failures are logged with sufficient detail to diagnose and remediate issues. The development team reviews error logs regularly to identify and fix reliability or security issues.
Audit Trail
SP-API data sync events are logged with timestamps, account IDs, and data type synced. This creates an audit trail of when Amazon data was accessed and what was retrieved, supporting compliance with Amazon's data access logging requirements.
5. Vulnerability Management
SP-API Security Standard 2.7
Static Analysis (SAST)
ESLint with eslint-plugin-security is configured for both backend (NestJS / TypeScript) and frontend (Next.js / React) codebases. The security ruleset detects unsafe regular expressions, eval-injection risks, insecure randomness, non-literal require/import, unsafe child_process usage, and buffer security issues. Husky pre-commit hooks automatically run the linter and npm audit on every commit, blocking commits that introduce audit findings of high or critical severity or any security lint violation.
Dependency Scanning
All npm dependencies are audited using npm audit on every commit (via pre-commit hook) and on a weekly scheduled scan. Remediation timelines by severity: Critical — patched within 24 hours. High — patched within 7 days. Medium — patched within 30 days. Low — reviewed and scheduled in maintenance cycles.
Security Testing
The application is periodically reviewed for common web application vulnerabilities including SQL injection, cross-site scripting (XSS), authentication bypass, and OWASP Top 10 risks. All code changes affecting authentication, encryption, or Amazon API integration require manual security review before deployment. Input validation via class-validator is enforced on all API DTOs.
Security Updates
The server OS (Ubuntu 24.04 LTS) and system packages receive security updates automatically via unattended-upgrades. Node.js runtime is kept on the current LTS release. NestJS Throttler enforces rate limiting on all API endpoints. Nginx enforces TLS 1.2+ with strong cipher suites and blocks common attack patterns.
Reporting Vulnerabilities
If you discover a security vulnerability in SellerBlaze, please disclose it responsibly by emailing support@sellerblaze.com with the subject line "Security Vulnerability". We will acknowledge receipt within 48 hours and work to address the issue promptly.
6. Incident Response Plan
SP-API Security Standard 1.6
Incident Classification
Security incidents are classified by severity: Critical (active breach, data exposure, credential compromise), High (potential data exposure, service disruption), Medium (policy violation, suspicious activity), Low (minor anomalies). Critical and High incidents trigger immediate response.
Response Plan
Our incident response follows a 5-step process:
1. Detect — identify the incident via monitoring or report.
2. Contain — isolate affected systems, revoke compromised credentials, block attack vectors.
3. Eradicate — remove malicious access, patch the vulnerability.
4. Recover — restore systems from verified clean backups; re-issue credentials.
5. Review — root cause analysis and controls update to prevent recurrence.
Detection & Containment
Upon detection of a security incident, the first priority is containment — isolating affected systems, revoking compromised credentials, and stopping the spread of any breach. For SP-API related incidents, affected Amazon OAuth tokens are immediately revoked and users are notified.
User Notification
In the event of a data breach affecting user data, affected users will be notified by email within 72 hours of the breach being confirmed. Notification will include the nature of the incident, data affected, steps taken, and recommended actions for the user.
Amazon Notification
In accordance with Amazon SP-API requirements, Amazon will be notified of any security incident involving SP-API data within the timeframes required by the SP-API Data Protection Policy. Reports are submitted to security@amazon.com and via the designated Amazon developer support channel within 24 hours of incident confirmation.
Post-Incident Review
Following any significant incident, a root cause analysis is conducted to identify the cause, assess impact, and implement preventive controls to avoid recurrence. Findings are used to update security procedures and controls.
IMPOC — Incident Management Point of Contact
The designated Incident Management Point of Contact (IMPOC) for SellerBlaze is reachable at: support@sellerblaze.com. This contact is available for security incident reporting, Amazon SP-API compliance inquiries, and data breach notifications.
Amazon SP-API Compliance Statement
SellerBlaze accesses Amazon seller data exclusively through the Amazon Selling Partner API (SP-API) under permissions explicitly granted by the authorizing seller via OAuth. All data access is read-only. We comply fully with Amazon's Acceptable Use Policy (AUP) and Data Protection Policy (DPP) for SP-API applications. Data retrieved via SP-API is used solely to provide analytics to the authorizing seller and is never shared with third parties, other sellers, or used for any secondary purpose.
For compliance inquiries or to report a security concern, contact us at: support@sellerblaze.com