Data Policy & Security Practices

AINANU handles all seller and customer data in accordance with Amazon's developer policies, applicable data protection law, and SP-API integration security requirements. This page covers our practices for incident management, PII data retention, network protection, and credential management.

Incident Management

AINANU maintains documented incident response procedures for any security event affecting seller data or SP-API integrations. Our process covers detection, containment, eradication, recovery, and post-incident review.

  • All suspected data incidents are logged, assessed, and escalated within 24 hours of detection
  • Affected sellers are notified promptly in the event of any confirmed data breach or unauthorised access
  • Root cause analysis is conducted following any incident and documented for review
  • Amazon is notified of any incident affecting SP-API data in accordance with developer policy requirements
  • Incident logs are retained for a minimum of 12 months

For security incidents or vulnerability disclosures contact: niall@ainanu.org

PII Data Retention

AINANU applies strict data minimisation and retention principles to all personally identifiable information (PII) accessed through SP-API integrations.

  • PII accessed via SP-API is used solely for the contracted operational workflow — no secondary use
  • PII is not stored beyond the period required to complete the specific operational task
  • Upon contract termination, all seller PII is permanently deleted within 30 days
  • No PII is transferred to, shared with, or accessible by any third party
  • Data processing is limited to the minimum necessary to fulfil the contracted service
  • Sellers may request confirmation of data deletion at any time by contacting niall@ainanu.org

Network Protection Controls

All systems that access or process Amazon SP-API data are protected by layered network security controls in accordance with Amazon's data protection policy requirements.

  • All data in transit is encrypted using TLS 1.2 or higher — no unencrypted transmission of seller data
  • All data at rest is encrypted using AES-256 or equivalent
  • SP-API endpoints are accessed only from controlled, authenticated infrastructure
  • Access to systems handling seller data is restricted by IP allowlisting where applicable
  • All external API calls are logged and monitored for anomalous activity
  • Regular security reviews are conducted on all infrastructure handling seller data
  • Dependencies and libraries are kept up to date and monitored for known vulnerabilities

Credential Management

AINANU applies strict credential management practices for all SP-API access tokens, keys, and authentication credentials.

  • Unique credentials are issued per seller account — no shared access tokens between clients
  • All credentials are stored in encrypted secret management systems, never in code or plain text
  • MFA is enforced on all accounts and systems with access to seller credentials
  • Access tokens follow the principle of least privilege — scoped to the minimum required roles only
  • Credentials are rotated regularly and immediately upon any suspected compromise
  • Former team members' access is revoked immediately upon offboarding
  • All credential access is logged and auditable

Contact & Data Enquiries

AINANU — Niall Roxburgh

62 Culduthel Road, Inverness, Scotland, IV2 4HQ

Email: niall@ainanu.org

Last updated: June 2026