SECURITY
How we keep your Amazon data safe.
AMZBoost handles Amazon Selling Partner data for the brands we operate and the clients we serve. This page lays out the controls we run, the standards we hold, and how to report a problem.
Last reviewed: May 11, 2026
OUR PRACTICES
The controls behind every Amazon account we touch.
Every Amazon Selling Partner integration goes through these controls. No exceptions.
Encryption everywhere
TLS 1.2 or higher in transit, AES-256 at rest on database and backup storage. Keys are managed by our cloud provider's key management service with documented rotation.
Multi-factor authentication
Every internal account that touches Selling Partner data requires multi-factor authentication. No shared logins, no exceptions, including admin accounts.
Role-based access
Staff access is granted by job function under the principle of least privilege. Production database access requires bastion authentication and is fully audit logged.
Documented incident response
A written incident response plan with named responders, severity tiers, and a six-month review cadence. Incidents involving Amazon data are reported to security@amazon.com within 24 hours of detection.
Secure development life cycle
All code changes go through peer review. Dependencies are scanned for known vulnerabilities and patched within 14 days of high-severity disclosures. Static analysis runs on every commit.
No secrets in code
Production credentials live in an encrypted secrets manager, never in source repositories or client-side applications. Development environments use synthetic data only.
Network segmentation
Production runs in an isolated virtual private cloud. Database access is restricted to application servers within the VPC. Firewall, IDS, and web application firewall layers sit in front of every public surface.
Audit logging
Every access to Selling Partner data is logged with timestamp, user, action, and target. Logs are immutable, retained for 12 months, and reviewed monthly for anomalies.
Deletion on request
Sellers can request immediate deletion of their data at any time. Completed within 30 days, confirmation sent in writing. Default retention after deauthorization is 90 days, with backups purged within an additional 30 days.
AMAZON COMMITMENTS
What we commit to under Amazon's Selling Partner API agreement.
Eight commitments mapped to Amazon's Acceptable Use Policy and Data Protection Policy for Selling Partner API developers.
We operate firewalls, intrusion detection and prevention, antivirus and antimalware, and network segmentation across all production systems.
Access to Amazon Information is restricted to staff who need it for their role. Each role's permission set is documented and reviewed quarterly.
All Amazon Information is encrypted using TLS 1.2 or higher anywhere it travels, including between our application and Amazon's Selling Partner API endpoints.
A written plan with defined roles, severity tiers, six-month internal review cadence, and 24-hour internal notification on detection.
For any incident involving Amazon Information, we notify Amazon's security team at security@amazon.com within 24 hours of detection.
12-character minimum, complexity requirements, multi-factor authentication required, 365-day rotation, no shared accounts.
Passwords, encryption keys, and API tokens are stored in an encrypted secrets manager. Never in public repositories, never shared between staff, never hardcoded in applications.
We publish the full subprocessor list in our Data Protection Policy and update it when subprocessors change.
REPORT A SECURITY ISSUE
See something that looks wrong? Tell us directly.
We acknowledge security reports within 24 hours. We do not retaliate against researchers who report vulnerabilities in good faith and follow responsible disclosure practices. PGP available on request.
Email security@amzboost.com