Security at SellerOS

SellerOS handles sensitive seller and Amazon data. We align our controls with the Amazon SP-API Acceptable Use Policy and Data Protection Policy. Here is how we protect your data.

Encryption

All data in transit uses TLS 1.2 or higher. Sensitive secrets, including Amazon SP-API refresh tokens and MFA seeds, are encrypted at rest with AES-256-GCM before they are written to storage.
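The following is an added illustration of the at-rest scheme described above, not SellerOS's own code. It uses the `cryptography` package (an assumption) and shows the two details that matter in practice: a fresh 96-bit nonce per encryption, and the tenant ID plus secret type passed as GCM associated data so that a ciphertext copied into another tenant's row, or a TOTP seed presented where a refresh token is expected, fails authentication instead of decrypting. Key storage and rotation (normally a KMS) are out of scope and simplified to a local key.

```python
# Added example (not SellerOS code): sealing an SP-API refresh token with
# AES-256-GCM before it is written to storage. Assumes the `cryptography`
# package; key handling (KMS, rotation) is simplified to a local key.
import base64
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size GCM is specified for


def new_key() -> bytes:
    """256-bit data-encryption key. In production this comes from a KMS, not os.urandom."""
    return AESGCM.generate_key(bit_length=256)


def aad_for(tenant_id: str, purpose: str) -> bytes:
    # Associated data is authenticated but not encrypted. Binding the tenant and
    # the secret type means a blob moved to another tenant's row, or a TOTP seed
    # presented where a refresh token is expected, fails to decrypt.
    return f"{tenant_id}|{purpose}".encode()


def seal(key: bytes, tenant_id: str, purpose: str, secret: str) -> str:
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per encryption; never reuse with one key
    ct = AESGCM(key).encrypt(nonce, secret.encode(), aad_for(tenant_id, purpose))
    # Stored column value: base64(nonce || ciphertext || 16-byte GCM tag)
    return base64.b64encode(nonce + ct).decode()


def unseal(key: bytes, tenant_id: str, purpose: str, blob: str) -> Optional[str]:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ct, aad_for(tenant_id, purpose)).decode()
    except InvalidTag:
        return None  # tampered ciphertext, wrong key, or wrong tenant/purpose


if __name__ == "__main__":
    k = new_key()
    # Constructed token value for the demo; not a real LWA refresh token.
    blob = seal(k, "tenant-123", "sp_api_refresh_token", "Atzr|constructed-example-token")
    print(blob)
    print(unseal(k, "tenant-123", "sp_api_refresh_token", blob))
    print(unseal(k, "tenant-456", "sp_api_refresh_token", blob))  # None: AAD mismatch
```

Because the nonce is random, sealing the same secret twice yields different blobs; a caller that needs equality lookups on a secret should store a separate keyed hash rather than compare ciphertexts.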

Authentication & MFA

Each user has a unique account with a bcrypt-hashed password. Time-based one-time password (TOTP) multi-factor authentication is available on all accounts and recommended for any account that accesses Amazon data.
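An added, standard-library-only example of the TOTP verification step (RFC 6238), not SellerOS's own implementation. The seed is the base32 value shown to the user at enrolment, the same value the page says is encrypted at rest. Beyond generating the code, the verifier handles the two points that trip up home-grown MFA: it accepts one step of clock drift on either side using a constant-time comparison, and it records the last accepted time step so a code that has already been used (or captured) cannot be replayed within the window. Step size, digit count and window are assumptions chosen to match the common authenticator-app defaults.

```python
# Added example (not SellerOS code): RFC 6238 TOTP generation and verification
# with only the standard library. STEP, DIGITS and WINDOW are assumed defaults.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per code
DIGITS = 6
WINDOW = 1     # accept one step of clock drift on either side


def totp(secret_b32: str, for_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)           # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int,
                last_used_step: Optional[int] = None) -> Optional[int]:
    """Return the matched time step, or None.

    Checks the current step and WINDOW steps either side, compares in constant
    time, and refuses any step at or before last_used_step so a code that was
    already accepted cannot be replayed. The caller persists the returned step
    as the new last_used_step for that account.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = now // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        step = current + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret_b32, step * STEP), submitted):
            return step
    return None


if __name__ == "__main__":
    seed = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test seed
    now = int(time.time())
    code = totp(seed, now)
    print(code, verify_totp(seed, code, now))
```

The password side (bcrypt) is not shown because it needs a third-party library; the same replay rule applies there to password-reset and recovery codes, which should be single-use.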

Least-privilege access

Role-based access control (owner / admin / analyst / viewer) scopes every action. Operators access tenant data on a need-to-know basis, and privileged actions are audit-logged.

Data minimization & retention

We store only the fields a feature needs. Buyer PII is deleted within 30 days of delivery, non-PII order data within 18 months, and security logs are kept at least 12 months.

Logging & monitoring

Activity is centrally logged, with PII and credentials redacted at the source before a log line leaves the service that produced it. Anomalies and impersonation events are tracked and reviewed.
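An added example of what "redacted at the source" means mechanically, not SellerOS's own logging code. A `logging.Filter` is attached to the logger rather than to a handler, so the record is rewritten before any handler, including one that ships to a central collector, can see the raw text. The token pattern assumes the `Atza|` / `Atzr|` prefixes commonly seen on Login with Amazon access and refresh tokens; the email, phone and bearer-header patterns are constructed for this example and would be tuned per field in practice.

```python
# Added example (not SellerOS code): redacting credentials and PII before a log
# record reaches any handler. Patterns are constructed for this example; the
# LWA token prefix is an assumption about the token format.
import io
import logging
import re
from typing import Tuple

PATTERNS = [
    (re.compile(r"Atz[ar]\|[A-Za-z0-9_\-]+"), "[LWA_TOKEN]"),              # LWA access/refresh tokens
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),  # any bearer header
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
]


def redact(text: str) -> str:
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Formats the message with its args, redacts the result, and drops the raw args.

    Attached to the logger (not a handler) so every handler, including one that
    ships to a central collector, only ever sees the redacted text.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "selleros.example") -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the redacted output can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


if __name__ == "__main__":
    log, out = build_logger()
    # Constructed log call with a fake token and address; nothing here is real data.
    log.info("token refresh for %s using %s", "jane@example.com", "Atzr|IwEBIabc")
    print(out.getvalue(), end="")
```

Redacting by regex is a backstop, not the primary control: structured logging that never passes secrets or buyer fields into the message in the first place is what makes the retention numbers above trustworthy.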

Incident response

A documented plan covers detection, containment, eradication and recovery. Confirmed incidents affecting Amazon data are reported to Amazon within 24 hours.

Report a vulnerability

Found a security issue? Email security@selleros.app. We triage promptly and remediate critical issues within 7 days and high-severity issues within 30 days.

See also our Privacy Policy.