Security & Compliance

Your Data Is Protected by Design

Every technical decision at BOPOWO starts with security. Here is exactly how we protect your Amazon seller data.

πŸ” AES-256 Encryption at RestπŸ”’ TLS 1.2+ in Transitβœ… Amazon SP-API CompliantπŸ›‘οΈ OAuth 2.0 Authorization
πŸ”

Data Encryption

  • AES-256 encryption for all credentials, OAuth tokens, and sensitive seller data stored at rest.

  • TLS 1.2 minimum (TLS 1.3 preferred) for all data in transit between your browser and BOPOWO, and between BOPOWO and Amazon's APIs.

  • OAuth refresh tokens stored encrypted in isolated credential vaults, separate from application databases.

  • Database-level encryption enabled on all production data stores.

🔑 Access Controls

  • All production systems require multi-factor authentication (MFA).

  • Least-privilege access: engineers do not have standing access to production data; access is time-limited and audit-logged.

  • Role-based access control (RBAC) across all internal systems.

  • Automated deprovisioning when team members change roles.

🛒 Amazon API Security

  • BOPOWO is designed to connect to Amazon exclusively via official SP-API and Advertising API endpoints.

  • No scraping, no unofficial automations, no third-party Amazon data sources.

  • OAuth tokens are scoped to only the permissions you grant; we never request broader access than required.

  • You can revoke BOPOWO's access at any time from Amazon Seller Central → Settings → Authorized Applications.

  • All API calls are logged and anomaly-monitored.

πŸ—οΈ

Infrastructure Security

  • Production infrastructure hosted on enterprise cloud with SOC 2 Type II certification.

  • Private network segments isolate production from staging and development.

  • Web Application Firewall (WAF) and DDoS protection on all public endpoints.

  • Regular automated vulnerability scanning of dependencies and infrastructure.

  • Penetration testing conducted at minimum annually.

🚨 Incident Response

  • 24/7 security monitoring with automated alerting.

  • Documented incident response plan with defined escalation paths.

  • Amazon notified within 24 hours if an incident involves Amazon seller data (per Amazon's requirements).

  • Affected users notified within 72 hours for personal data incidents (GDPR Art. 33–34).

  • Post-incident reports shared with affected parties.

  • To report a security vulnerability: security@bopowo.com

✅ Amazon Policy Compliance

  • Amazon Selling Partner API (SP-API) developer application submitted and under review.

  • Compliant with Amazon Data Protection Policy (DPP).

  • Compliant with Amazon Acceptable Use Policy (AUP).

  • Compliant with Amazon Buyer Data Protection Policy.

  • Buyer PII (names, addresses) from Order data is never stored; it is displayed to sellers only.

  • All Amazon data used solely for the disclosed purpose of powering BOPOWO features.

Questions about our security practices?

Read our Privacy Policy or contact our security team; we are happy to answer any questions about how we protect your data.