SellerFusion handles data on behalf of Amazon Selling Partners and other marketplace operators every day. We take that responsibility seriously. This page summarizes how we protect customer and marketplace data, how we respond to security incidents, and how we comply with Amazon, GDPR, and CCPA requirements.
Reviewed by senior management on a regular basis. Built on industry-standard frameworks (NIST SP 800-53 and the Amazon SP-API security control guidance).
All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are stored in dedicated key management systems and rotated periodically.
Least-privilege access for all employees and services. Multi-factor authentication on all accounts. Regular access reviews. Terminated employee access promptly disabled.
Ongoing vulnerability scanning. Periodic third-party penetration testing. Vulnerabilities remediated on a prioritized basis according to severity.
Segmented networks with intrusion detection and prevention. Anti-malware on all servers and endpoints, kept up to date. Continuous monitoring for credential exposure.
Centralized log collection from all systems handling marketplace data. Security logs retained in line with applicable compliance requirements. Continuous monitoring of security events.
All employees and contractors with access to customer data complete security awareness training. Background checks and signed confidentiality agreements for all personnel.
SellerFusion maintains a documented Incident Response Plan, approved by senior management, structured against NIST SP 800-53 IR-8.
All six standard NIST IR phases — preparation, identification, containment, eradication, recovery, lessons learned — with procedures tailored to each incident category. Severity-based response SLAs from a 15-minute initial response for critical incidents to next-business-day for low-severity events.
A designated Incident Management Point of Contact (IMPOC) is reachable to coordinate response, with primary and backup coverage. Plan reviewed periodically and after any major infrastructure change. Tabletop exercises validate the plan in simulated scenarios.
Amazon: within 24 hours of detecting any security incident affecting Amazon information, in line with the Amazon Data Protection Policy.
EU supervisory authorities (GDPR): within 72 hours of confirming a personal data breach affecting EU residents.
Affected customers and marketplace partners: in line with applicable law and our contractual obligations.
To report a suspected incident or vulnerability, contact security@sellerfusion.io. Our IMPOC will respond within one business day.
SellerFusion follows the Amazon Data Protection Policy and applies strict data minimization — we collect, store, and process only the data we need.
Retained only as long as necessary, in line with the Amazon Data Protection Policy, then securely deleted following industry-standard sanitization processes.
Retained in line with applicable retention policies and regulatory requirements.
Retained in line with applicable compliance requirements for forensic purposes.
Same retention as primary data. Encrypted at rest using AES-256, geographically replicated.
Data is permanently and securely deleted within 30 days of any deletion request, unless retention is legally mandated. Our data classification system tags PII separately from non-PII at the storage layer.
SellerFusion is a registered developer in the Amazon Selling Partner Appstore and complies with the major data protection requirements that govern our platform.
Compliant with the Amazon Data Protection Policy, Amazon SP-API security control guidance, and the Solution Provider Agreement.
Compliant with the General Data Protection Regulation. 72-hour supervisory authority notification commitment for personal data breaches affecting EU residents.
Compliant with the California Consumer Privacy Act. California residents may exercise their privacy rights via privacy@sellerfusion.io.
If you have discovered a potential security vulnerability in SellerFusion, please follow these steps.
This page was last updated: 8 April 2026. We review and update our security posture on a regular basis.
Our team is happy to discuss our security posture, compliance, or any specific concerns you have.