Security

Your Amazon data is treated like bank-level assets — because it is.

Amazon Credentials

  • We never see or store your Amazon password
  • Access is granted only through Amazon's official OAuth flow
  • Refresh tokens are encrypted at rest with AES-256 and stored in a private Supabase vault

Encryption

  • All data in transit: TLS 1.3 (enforced)
  • All data at rest: AES-256 encryption (database + backups)
  • Tokens are never logged, written to disk unencrypted, or visible in logs

Infrastructure

  • Hosted on Supabase (SOC 2 Type II, ISO 27001, HIPAA-eligible)
  • Backend runs on Railway with private networking and automatic security updates
  • Frontend served via Vercel with built-in WAF and DDoS protection

Access Controls

  • Only the founder has access to production encryption keys
  • All admin actions require MFA + hardware key
  • IP allow-listing and rate limiting on all API endpoints

Incident Response

  • 24-hour detection & notification policy
  • Any suspected breach involving Amazon data is reported to security@amazon.com within 24 hours (per SP-API requirements)
  • Documented, tested incident response plan reviewed every 6 months

Data Minimization & Deletion

  • We only pull the reports required to calculate reimbursements
  • No buyer PII is ever requested or stored
  • On cancellation or request: refresh token is revoked instantly and all seller data is permanently deleted within 24 hours

Compliance

  • Fully compliant with Amazon SP-API Data Protection Policy
  • Regular third-party penetration tests and vulnerability scans

We built ReclaimFBA the same way we protect our own 7-figure seller accounts —

paranoid, minimal, and locked down.

Security Questions?

Email security@reclaimfba.net anytime.

Contact Us