SP-API Data Protection & Security Policy
BFarm treats all data received through the SP-API as Amazon Information under the Amazon SP-API Data Protection Policy. BFarm operates a Selling Partner API integration offered to multiple Amazon sellers under managed-service agreements. Each authorized seller is a separate BFarm customer, each grants their own LWA OAuth authorization from their own Seller Central account, and BFarm operates the integration on the seller's behalf within the scope of the seller's written service agreement. This page documents our data handling practices, security controls, incident response procedures, sub-processor arrangements, and the organizational-change notification procedures required by Amazon.
All SP-API data is processed on a managed-platform stack: Vercel Edge Network (SOC 2 Type II) for hosting, Vercel-managed datastores with AES-256 at-rest encryption via AWS KMS for persistence, plus application-layer AES-256-GCM encryption of SP-API refresh tokens. Each seller's authorization and Amazon Information is technically isolated from every other seller's: no cross-seller aggregation, no resale, and no enrichment with non-Amazon sources. Amazon is notified within 24 hours of any confirmed security incident and within 30 days of any material organizational change. A documented Risk Assessment is performed at least annually. The Incident Response Plan covers monitoring and detection, triage and classification, containment and recovery, 24-hour reporting to Amazon, and the handling of database hacks, unauthorized access, and data leaks. Security contact: security@bfarm.top.
- Purpose and Scope: applies to all Amazon Information received via SP-API
- Governance: security contact security@bfarm.top; roles documented in section 2 of this policy
- Organizational Change Notification: Amazon notified within 30 days of material changes
- Risk Assessment: annual formal review plus continuous change-triggered reviews
- Incident Response Plan: monitoring, triage, containment, eradication, recovery, post-incident review
- Database Hack / Unauthorized Access / Data Leak: covered under section 5.5 of this policy; 24-hour Amazon notification
- 24-Hour Breach Reporting: confirmed security incidents reported to Amazon within 24 hours via security@bfarm.top
- Data Handling and Minimization: no customer PII retrieved or stored; incidental PII discarded within 30 days
- Encryption: TLS 1.2+ in transit (Vercel-managed certificates with HSTS preload); AES-256 at rest at the storage layer (AWS KMS) plus application-layer AES-256-GCM on SP-API refresh tokens; encryption keys held in Vercel Environment Variables scoped per environment
- LLM Processing: no large-language-model provider is a sub-processor of Amazon Information; no buyer PII is shared with any LLM
- Access Control: least-privilege service accounts; MFA required for all human admin access
- Personnel Security: background checks and confidentiality agreements for personnel with SP-API access
- Sub-Processors: Vercel (hosting + managed datastores), Cloudflare, Let's Encrypt, Google Workspace — documented in section 10
- Cross-Border Transfers: SCCs in place for EU/EEA personal data
- Audit and Record-Keeping: access logs and incident records retained per section 11
- Primary security contact for this policy: security@bfarm.top