SkuFx

Security

Security & Compliance

SkuFx is built to meet Amazon's Data Protection Policy (DPP) for Selling Partner API. Below are the technical controls we maintain.

Encryption at Rest

All Amazon seller data encrypted with AES-256-GCM. Database disks encrypted with LUKS.

Encryption in Transit

TLS 1.3 enforced on every endpoint. HSTS preload pending. Legacy SSL disabled.

Access Control

MFA required for all internal accounts (TOTP). No password-only access. Role-based permissions audited monthly.

Infrastructure Isolation

Production database not accessible from public internet. Bastion-only SSH, key-based only, no passwords.

Audit Logging

Every data access logged with user, timestamp, and IP. Logs retained 90 days minimum (1 year for admin actions).

Breach Notification

Committed under Amazon DPP to notify within 24 hours of confirmed breach.

Data retention

SP-API data (orders, FBA inventory, sales performance, and finances) is retained for as long as your active subscription. Upon revocation of SP-API access or account deletion, all SP-API data is permanently deleted within 24 hours.

Vulnerability disclosure

If you discover a security vulnerability, please email security@skufx.com with details. We acknowledge within 24 hours and aim to remediate critical issues within 7 days.

Authentication controls

  • Password minimum: 12 characters — uppercase, lowercase, digit, and special character required
  • Rotation: 365-day mandatory rotation; last 10 passwords cannot be reused
  • Lockout: account locked after 10 failed login attempts
  • MFA: TOTP enforced for all internal accounts
  • Session: HTTP-only Secure cookie, 30-day rolling expiry

Vulnerability response SLA

Critical (CVSS 9.0+)Resolved within 7 days
High (CVSS 7.0–8.9)Resolved within 30 days
Medium (CVSS 4.0–6.9)Resolved within 90 days

Scanning: GitHub Dependabot + Trivy container scanning on every build.

Multi-tenant data isolation

As a public solution provider serving multiple independent sellers, we enforce strict isolation:

  • PostgreSQL Row-Level Security on all seller data tables
  • Every query is scoped to a single seller_account_id
  • No cross-tenant data access is technically possible, even for SkuFx engineers
  • All engineering access to production data is audit-logged and requires documented justification

Sub-processors

See skufx.com/sub-processors for the complete, current list of third-party services we use to operate the platform.

We notify active customers at least 30 days before adding any new sub-processor that processes Amazon seller data.