Security at SellerOS
SellerOS handles sensitive seller and Amazon data. We align our controls with the Amazon SP-API Acceptable Use Policy and Data Protection Policy. Here is how we protect your data.
Encryption
TLS 1.2+ in transit everywhere. Sensitive secrets — including Amazon SP-API refresh tokens and MFA seeds — are encrypted at rest with AES-256-GCM before they touch storage.
Authentication & MFA
Unique accounts with bcrypt-hashed passwords. Time-based one-time-password (TOTP) multi-factor authentication is available on all accounts and recommended for any account that accesses Amazon data.
Least-privilege access
Role-based access control (owner / admin / analyst / viewer) scopes every action. Operators access tenant data on a need-to-know basis, and privileged actions are audit-logged.
Data minimization & retention
We store only the fields a feature needs. Buyer PII is deleted within 30 days of delivery and non-PII order data within 18 months; security logs are kept for at least 12 months.
Logging & monitoring
Activity is centrally logged with PII and credentials redacted at the source. Anomalies and impersonation events are tracked and reviewed.
Incident response
A documented plan covers detection, containment, eradication and recovery. Confirmed incidents affecting Amazon data are reported to Amazon within 24 hours.
Report a vulnerability
Found a security issue? Email security@selleros.app. We triage promptly and remediate critical issues within 7 days and high-severity issues within 30 days.
See also our Privacy Policy.