IntegTrade← Home

Data Security

Effective date: June 8, 2026 · Version 1.1

Our security controls align with Amazon's Data Protection Policy and enterprise SaaS practices. Amazon credentials are server-side only, encrypted at rest, and never exposed to browsers.

1. Security program

IntegTrade maintains a security program designed for a B2B SaaS platform handling Amazon Selling Partner API (SP-API) data. Our controls align with Amazon's Data Protection Policy (DPP), Acceptable Use Policy (AUP), and industry practices consistent with SOC 2 trust principles (security, availability, confidentiality). We do not represent that we hold a specific certification unless separately communicated in writing.

2. Architecture overview

Authorized data flows through the following layers:

  • Seller authorization — Amazon Login with Amazon (LWA) OAuth. IntegTrade never receives Amazon passwords.
  • Application tier — Next.js on Vercel. All SP-API calls execute server-side; secrets never ship to browsers.
  • Data tier — Supabase PostgreSQL with row-level security, separating tenant data by brand and user permissions.
  • Automation tier — n8n workflows execute approved mutations (listing publish, image upload, A+ Content) using encrypted refresh tokens.
  • Intel tier — Rainforest API for public competitor data; no seller tokens sent to intel providers.

3. Data classification

ClassExamplesHandling
RestrictedSP-API refresh tokens, LWA client secretsEncrypted at rest, server-only, rotation per Amazon policy
ConfidentialAmazon listings, catalog, A+ Content, account emailsEncrypted in transit and at rest, RLS, access logging
InternalApplication logs, metrics, pipeline metadataAccess restricted to operators, retained ≤12 months
PublicMarketing site, public competitor scrape dataNo authentication required, no seller tokens

4. Phase 1 SP-API scope (BrandOS)

  • Product listings (titles, bullet points, descriptions, backend keywords)
  • Catalog and product attributes (ASIN, SKU, variation themes, product types)
  • Listing images and media uploads
  • A+ Content modules
  • Inventory and listing status (read-only where applicable for listing workflow)

Buyer PII (restricted roles) is out of scope for phase 1 unless explicitly enabled in a future release with updated security review and policy disclosure.

5. Encryption

ControlStandard
Encryption in transitTLS 1.2+ for all public endpoints and provider connections
Encryption at restProvider-native encryption (AES-256 or equivalent) for database and object storage
Credential storageEnvironment variables and secrets managers — never in source code or client bundles
Key managementSeparation of production/preview secrets; annual rotation target for encryption keys

6. Identity & access management

  • Invite-only Supabase authentication for dashboard users
  • Role-based access (seller, agency, admin, developer) enforced server-side
  • Row-level security policies on multi-tenant data
  • Strong passwords required; MFA encouraged for administrative accounts
  • Principle of least privilege for production access
  • Amazon LWA credentials rotated every 180 days per Amazon requirements

7. Application security

  • Server-side validation on all API routes
  • No Amazon or SP-API credentials in client-side JavaScript
  • Rate limiting on public endpoints (e.g., waitlist)
  • Honeypot and abuse prevention on lead capture forms
  • Dependency monitoring and security patches applied on a risk-based schedule
  • Middleware-enforced authentication on dashboard routes; public legal pages explicitly allowlisted

8. Logging & monitoring

  • Application error tracking and uptime monitoring via hosting provider
  • Authentication and authorization failures logged
  • Amazon API errors logged without exposing tokens in log output
  • Alerting on anomalous error rates and deployment failures

9. Backup & availability

  • Database backups managed by Supabase with point-in-time recovery options
  • Infrastructure hosted on managed cloud providers with SLA-backed uptime targets
  • Disaster recovery: redeploy from version-controlled source; database restore from provider backups

10. Vendor management

Sub-processors are vetted for security posture before integration. Current providers:

ProviderPurposeLocation
Vercel Inc.Application hosting, CDN, serverless computeUnited States
Supabase Inc.PostgreSQL database, authentication, row-level securityUnited States (configurable region)
n8n GmbH / self-hostedWorkflow automation for approved Amazon API mutationsUnited States / EU (deployment-dependent)
Google LLC (Gemini)AI-assisted listing and intel generation via server-side automationUnited States
Rainforest APIPublic Amazon product page data for competitor intelligenceUnited States
Amazon.com, Inc.Selling Partner API, Login with Amazon OAuth, Advertising APIUnited States / global AWS regions

11. Incident response

Our incident response process includes:

  • Detection — monitoring, customer reports, provider alerts
  • Containment — credential revocation, access lockdown, patch deployment
  • Investigation — root cause analysis and impact assessment
  • Notification — affected customers and Amazon within 72 hours of confirmed breach involving personal data or Amazon Information, where required
  • Remediation — fix deployment and post-incident review

Report security vulnerabilities: admin@integtrade.com (subject: Security Report)

12. Data deletion

Upon Amazon authorization revocation or account closure, we delete or anonymize associated Amazon Information within 30 days unless retention is required by law or Amazon policy. See our Privacy Policy for full retention schedules.

13. Customer responsibilities

  • Maintain strong passwords and restrict account sharing
  • Revoke IntegTrade access when offboarding team members
  • Review listing changes before publish where your workflow requires approval
  • Notify us promptly of suspected unauthorized access

14. Contact

Security inquiries: admin@integtrade.com
21790 Philmont Ct, Boca Raton, FL 33428, USA