Security & Amazon DPP / AUP Control Statements

This page provides labelled answers to each Amazon Data Protection Policy (DPP) and Acceptable Use Policy (AUP) control SellerSync is required to address. Each section states whether the control is already implemented, implemented before production SP-API launch, or not applicable.

AUP 4.6 — Data Sharing

Status: already implemented. SellerSync shares Amazon Information only with: (a) the authorising merchant via the SellerSync UI; (b) Lovable Cloud (AWS ap-southeast-2 Sydney) as hosting/database/edge-function sub-processor; (c) Shopify, only the buyer name, shipping address and line items required to create a fulfilment for an Amazon FBM order the merchant chose to route through their own Shopify store; and (d) Amazon SP-API for shipment confirmation and tracking. No Amazon Information is shared with advertising networks, analytics providers, AI/LLM vendors, data brokers or any other third party.

AUP 4.1 — Restricted Role / PII Justification

Status: already implemented. SellerSync requests the Merchant-Fulfilled Shipping (Restricted PII) role solely so the merchant's own warehouse or 3PL can pick, pack, label, ship, and confirm tracking for Amazon seller-fulfilled orders. SellerSync uses restricted order delivery fields only to create authorised fulfilment tasks for Amazon seller-fulfilled orders and return carrier/tracking confirmation to Amazon. Buyer PII is not used for marketing, CRM, retargeting, profiling, audience building, review solicitation, or any non-Amazon communications, and is purged within 30 days of order delivery.

DPP 1.1 — Network Protection

Status: already implemented. The application is hosted in AWS ap-southeast-2 (Sydney) via Lovable Cloud. The PostgreSQL database sits behind the managed Lovable Cloud / Supabase boundary; there are no publicly exposed database ports. No developer or desktop endpoint stores Amazon Information. All inbound traffic is HTTPS only.

DPP 1.4 — Credential Management

Status: implemented before production SP-API launch. Engineering accounts will require minimum 12-character passwords, MFA, and SSO. SP-API LWA refresh tokens, Shopify access tokens, and database/service credentials are rotated at least quarterly, and immediately on personnel change or suspected compromise. Service credentials are stored in a managed secret store and never committed to source control.

DPP 2.1 — Data Retention, Backups, RTO/RPO

Status: implemented before production SP-API launch. Buyer PII is deleted within 30 days after order delivery. Non-PII Amazon data is retained ≤ 18 months. Security and audit logs are retained for at least 12 months. Before production SP-API launch, SellerSync will maintain encrypted backups in a geographically separated backup location with documented RTO/RPO and quarterly recovery testing. Target recovery objectives: RTO 4 hours, RPO 15 minutes.

DPP 2.2 — Data Governance

Status: already implemented. Public, versioned policies are published at /compliance/data-protection, /compliance/amazon-data, /compliance/privacy, and this page. Policies are reviewed at least annually by the Data Protection Officer (Jared Sherwood).

DPP 2.3 — Asset Management / Personal Devices

Status: implemented before production SP-API launch. Amazon Information is never stored on personal devices. Before production SP-API launch, production access will be restricted to managed engineering workstations only, USB mass storage will be disabled, SSO + MFA will be enforced, and unusual access patterns will generate alerts to Jared Sherwood.

DPP 2.4 — Encryption at Rest / Key Management

Status: already implemented. AES-256 at the managed-storage layer for PostgreSQL data and backups, provided by Lovable Cloud's managed infrastructure. Underlying key management and rotation are handled by the managed cloud provider. TLS 1.2+ in transit (RSA-2048 / ECDSA P-256). Application-layer credentials (LWA, Shopify, DB) are rotated at least quarterly.

DPP 2.5 — Secure Coding / PII in Testing

Status: already implemented. Real Amazon buyer PII is never used in development, QA, or staging environments. Test workflows use synthetic or sanitised datasets only. Code review is required for all changes touching Amazon Information.

DPP 2.6 — Logging and Monitoring

Status: implemented before production SP-API launch. Access to Amazon Information is logged and retained for at least 12 months. Logs are reviewed using automated alerting and bi-weekly manual review. Anomalous access patterns alert the Incident Management Point of Contact (Jared Sherwood, security@sellersync.pro). A documented incident investigation workflow is followed for any suspected event.

DPP 2.7 — Vulnerability Management / Remediation Tracking

Status: implemented before production SP-API launch. Dependency scanning (npm audit and the Lovable security scanner) is run regularly, and continuous scanning will be in place before production SP-API launch. Remediation SLAs by severity: Critical within 7 days, High within 30 days, Medium within three months. An independent security review will be performed annually and tracked to closure.

DPP 2.7 — Runtime and Development Lifecycle Remediation

Status: implemented before production SP-API launch. Runtime alerts feed into the same remediation tracker as build-time scanner findings. Before production SP-API launch, production deploys will go through CI with dependency and lint checks; failed checks will block the deploy. Hotfix path documented and owned by Jared Sherwood.

Architecture review evidence

SellerSync maintains evidence for Amazon architecture review, including SP-API data-flow diagrams, subprocessor list, retention/deletion workflow, incident response procedure, vulnerability remediation tracker, access review records, and backup restore test records.

Incident contacts

Incident Management Point of Contact: Jared Sherwood — security@sellersync.pro
Data Protection Officer: Jared Sherwood — privacy@sellersync.pro
Support: support@sellersync.pro
Operating entity: Miles Kay Australia LTD, ABN 90 372 903 515, Australia.

Operated by Miles Kay Australia LTD, ABN 90 372 903 515, Australia. SellerSync.pro is an independent software application and is not endorsed by, sponsored by, or affiliated with Amazon. Support: support@sellersync.pro · Privacy / DPO (Jared Sherwood): privacy@sellersync.pro · Security incidents: security@sellersync.pro.

Home · Features · Pricing · About · Amazon data use · Data protection · Security · Privacy · Terms · Delete my data · Contact