Security
Security & Compliance
SkuFx is built to meet Amazon's Data Protection Policy (DPP) for Selling Partner API. Below are the technical controls we maintain.
Encryption at Rest
All Amazon seller data encrypted with AES-256-GCM. Database disks encrypted with LUKS.
Encryption in Transit
TLS 1.3 enforced on every endpoint. HSTS preload pending. Legacy SSL disabled.
Access Control
MFA required for all internal accounts (TOTP). No password-only access. Role-based permissions audited monthly.
Infrastructure Isolation
Production database not accessible from public internet. Bastion-only SSH, key-based only, no passwords.
Audit Logging
Every data access logged with user, timestamp, and IP. Logs retained 90 days minimum (1 year for admin actions).
Breach Notification
Committed under Amazon DPP to notify within 24 hours of confirmed breach.
Data retention
SP-API data (orders, FBA inventory, sales performance, and finances) is retained for as long as your active subscription. Upon revocation of SP-API access or account deletion, all SP-API data is permanently deleted within 24 hours.
Vulnerability disclosure
If you discover a security vulnerability, please email security@skufx.com with details. We acknowledge within 24 hours and aim to remediate critical issues within 7 days.
Authentication controls
- Password minimum: 12 characters — uppercase, lowercase, digit, and special character required
- Rotation: 365-day mandatory rotation; last 10 passwords cannot be reused
- Lockout: account locked after 10 failed login attempts
- MFA: TOTP enforced for all internal accounts
- Session: HTTP-only Secure cookie, 30-day rolling expiry
Vulnerability response SLA
Scanning: GitHub Dependabot + Trivy container scanning on every build.
Multi-tenant data isolation
As a public solution provider serving multiple independent sellers, we enforce strict isolation:
- PostgreSQL Row-Level Security on all seller data tables
- Every query is scoped to a single
seller_account_id - No cross-tenant data access is technically possible, even for SkuFx engineers
- All engineering access to production data is audit-logged and requires documented justification
Sub-processors
See skufx.com/sub-processors for the complete, current list of third-party services we use to operate the platform.
We notify active customers at least 30 days before adding any new sub-processor that processes Amazon seller data.