Security & data protection

SellerPulse is built on the principle that seller data must be secure, private, and used only to deliver the Service. This page describes the controls and practices we apply today to protect your data, including data accessed via the Amazon Selling Partner API.

We intentionally list only controls that are in place today. Where an industry-standard control is not yet shipped, we don't claim it; we'd rather you trust the list than discover an asterisk later.

1. Infrastructure

  • Production runs on managed cloud infrastructure in the EU (Hetzner Cloud, Falkenstein region).
  • All services sit behind a managed cloud firewall plus a host-level firewall (ufw); only HTTPS (443) and SSH (port 22, key-only) are reachable from the public internet.
  • TLS certificates are issued and auto-renewed by Let's Encrypt via Caddy.
  • The marketing website is served by Cloudflare with global edge caching and DDoS protection.

2. Encryption

  • All data in transit is encrypted with TLS 1.2 or higher (TLS 1.3 preferred).
  • Amazon SP-API refresh tokens are encrypted at rest with AES-256-GCM using a dedicated encryption key that is never logged.
  • Other sensitive fields (shipping credentials, accounting integrations, AI provider tokens) are encrypted at rest with AES-256-GCM using separate, per-data-class keys, so a compromise of one key does not expose the others.
  • Customer passwords are hashed with bcrypt — never stored in plaintext, never reversible.
  • Cloud volume storage is encrypted at rest by the cloud provider.

3. Authentication and access

  • Customer accounts use JWT-based authentication with short-lived access tokens.
  • Changing your password immediately invalidates all previously issued tokens.
  • Sensitive actions (password change, account deletion, SP-API disconnect) are rate-limited to prevent brute-force and abuse.
  • Production server access is restricted to SSH key authentication only — password login is disabled.
  • Application access to customer data is scoped by tenant: every query is bound to the seller account that owns the data.

4. Amazon Selling Partner API data handling

  • We use Amazon SP-API in accordance with Amazon's Acceptable Use Policy and Data Protection Policy.
  • We request only the SP-API roles necessary to deliver the features you have enabled.
  • Read-only access by default; write operations require explicit per-feature opt-in.
  • SP-API data is used solely to operate the Service for the customer who provided it. It is never sold, never used to train AI models, and never shared with third parties for marketing or profiling.
  • Amazon buyer personally identifiable information (PII) is not stored unless strictly required by a service feature for which Amazon has granted us the corresponding restricted SP-API role.
  • You can revoke SP-API access at any time. Doing so immediately invalidates and deletes our stored refresh tokens.

5. Application security

  • Strict input validation on all API endpoints.
  • Rate limiting on authentication, password change, and other sensitive endpoints.
  • OAuth state validation with short-lived (15-minute) one-time tokens to prevent CSRF on SP-API connection flows.
  • Security response headers on every page: HSTS with preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that disables sensors and payment APIs.
  • Secrets and API keys are stored as environment variables on the production host with restrictive file permissions, never committed to source control.

6. Backups and data retention

  • Daily automated PostgreSQL backups stored on encrypted cloud storage.
  • 14-day backup retention before automatic purge.
  • Active customer account data is retained for the duration of the account.
  • On account closure, customer data is deleted within 30 days, except where retention is legally required (e.g., tax records).
  • SP-API refresh tokens are deleted immediately on disconnection.

7. Incident response

  • If a security incident affects your data, we will notify you within 72 hours of confirming the incident, in line with applicable law.
  • Vulnerability reports are accepted at the address below and acknowledged within two business days.

8. Compliance

  • PCI-DSS compliance for payments is maintained via Stripe; SellerPulse does not store or process raw payment card data.
  • Compliant with the Amazon SP-API Data Protection Policy.
  • GDPR-aligned data handling for EEA, UK, and Swiss customers — see our Privacy Policy for the full description of your rights and our data processing.
  • CCPA / CPRA-aligned for California residents.

Report a security issue

We appreciate the security research community. If you believe you've discovered a vulnerability, please report it responsibly to info@getsellerpulse.com. We aim to acknowledge reports within two business days. Please do not publicly disclose the issue until we've had reasonable time to investigate and remediate.

Read our Privacy Policy for the legal framework that governs how we handle your data.