Data protection

Data & Security

How we protect your data and Amazon Information across the platform — designed to comply with the Amazon Data Protection Policy and Acceptable Use Policy.

Last updated: 16 June 2026

1. Our security principles

Protecting selling-partner and customer data is fundamental to Seller Pilot. We follow a defense-in-depth approach built on four principles: encrypt everything, least-privilege access, collect only what we need, and delete when no longer required. These principles are embedded in how we design, build and operate the Service.

2. Encryption

  • In transit: all data is encrypted using TLS 1.2 or higher. Connections to the Amazon SP-API and to our application use HTTPS only.
  • At rest: all stored data, including databases and backups, is encrypted using AES-256.
  • Secrets & tokens: API credentials and OAuth tokens are stored in a dedicated, encrypted secrets manager with restricted access, and are never logged in plaintext.

3. Access control

  • Role-based access control (RBAC) ensures employees can access only the data required for their role.
  • Multi-factor authentication (MFA) is enforced for administrative and production access.
  • Least privilege: production access is granted on a need-to-know basis, reviewed regularly, and revoked promptly when no longer needed.
  • Audit logging: access to sensitive systems and Amazon Information is logged and monitored.

4. Data minimization

We request only the SP-API roles required to deliver the features a customer enables, and we retrieve only the data needed for those features. We do not store payment card numbers. Where buyer Personally Identifiable Information (PII) is needed for order processing, we limit its collection, use and retention strictly to that purpose.

5. Infrastructure security

  • Hosted with reputable cloud providers operating certified data centers (e.g., SOC 2 / ISO 27001 certified facilities).
  • Network segmentation, firewalls and security groups isolate production systems.
  • Automated patching and dependency monitoring reduce exposure to known vulnerabilities.
  • Regular backups with encryption and tested restoration procedures.
  • Continuous monitoring and alerting for anomalous activity.

6. Data retention & deletion

Data type | Retention
Buyer PII (e.g., shipping address) | No longer than 30 days after order delivery, unless legally required.
Order, inventory, pricing & financial data | For the duration of the customer relationship, to provide the Service.
Account & contact data | For the duration of the account; deleted on request after closure.
Logs & audit records | Retained for a limited period for security and compliance.

When a customer closes their account or revokes authorization, we delete or anonymize their selling-partner data within 90 days, except where retention is required by law. Customers may request data deletion at any time via our Contact page.

7. Incident response

We maintain a documented incident response plan covering detection, containment, eradication, recovery and post-incident review. In the event of a security incident affecting Amazon Information, we will notify Amazon and affected parties as required by the Amazon Data Protection Policy and applicable law, generally within 24 hours of confirming a qualifying incident.

8. Security governance

  • Security responsibilities are clearly assigned within the team.
  • Employees receive security and data-handling training and are bound by confidentiality obligations.
  • Sub-processors are vetted and contractually required to maintain appropriate safeguards.
  • Policies are reviewed and updated on a regular basis.

9. Amazon Data Protection Policy compliance

Our handling of Amazon Information is designed to comply with the Amazon Data Protection Policy and Acceptable Use Policy. Specifically, we:

  • Access Amazon Information only with selling-partner authorization, for the sole purpose of providing the Service;
  • Encrypt Amazon Information in transit and at rest;
  • Restrict and log access to Amazon Information;
  • Do not sell, share with unauthorized parties, or use Amazon Information for advertising or buyer profiling;
  • Retain PII no longer than necessary and delete it within the periods described above;
  • Maintain an incident response and breach notification process.

Independence notice: Seller Pilot is an independent software provider and is not affiliated with, sponsored by, or endorsed by Amazon.com, Inc. or its affiliates.

10. Report a security issue

If you believe you have found a security vulnerability or have a concern about how we handle data, please contact us immediately at guyue1592@gmail.com. We take all reports seriously and will respond promptly.