Security
How we protect your data.
Security is foundational to how itervai operates. Our systems are designed to meet the requirements of the Amazon Services API Data Protection Policy and to exceed baseline expectations for data handling, access control, and incident response.
Infrastructure
All data is processed and stored within Amazon Web Services (AWS) infrastructure in the United States. We do not use third-party sub-processors for handling, processing, or storing Amazon seller or buyer data.
Our infrastructure is provisioned using infrastructure-as-code with version-controlled configurations. Changes to production infrastructure require review and approval before deployment.
Data Encryption
Encryption at Rest
All data at rest is encrypted using AES-256. Personally Identifiable Information (PII) receives additional application-level encryption (AES-256-GCM) before database storage.
Encryption in Transit
All data transmitted between systems — including API calls, database connections, and client-facing interfaces — uses TLS 1.2 or higher.
Key Management
Encryption keys are managed through AWS Key Management Service (KMS) with automatic annual rotation. Access to keys is restricted by IAM policies with least-privilege enforcement.
Backup & Recovery
Encrypted database backups are stored in a geographically separate AWS region for disaster recovery. Backup integrity is verified regularly.
Access Controls
- All personnel with access to production systems use unique identities with Multi-Factor Authentication (MFA) enforced
- Access follows the principle of least privilege and is granted through role-based access control (RBAC)
- Access is reviewed quarterly and revoked immediately upon role change or termination
- Production data is accessible only through company-managed systems — personal devices cannot access customer or Amazon data
- Administrative access to infrastructure requires separate credentials with additional MFA verification
Data Retention
- Buyer PII from connected channels: Retained for 90 days from order delivery to support customer service workflows. After 90 days, buyer name and shipping address are automatically stripped; order metadata is retained in anonymized form.
- Amazon SP-API seller data: Retained for the duration of the seller’s active authorization. Deleted within 30 days of authorization revocation or contract termination. We do not receive Amazon buyer PII through SP-API.
- Account information: Retained for the duration of the active account. Deleted within 30 days of account closure, except where retention is required by law.
All data disposal uses secure deletion methods that render data unrecoverable.
Buyer PII Handling: itervai does not receive Amazon buyer PII through the Selling Partner API. Buyer PII received from connected sales channels (Shopify, TikTok Shop) for Multi-Channel Fulfillment routing is used solely to execute the seller’s fulfillment workflow and support the seller’s customer service operations. We do not use buyer PII for marketing, advertising, profiling, analytics, AI/ML training, or cross-seller aggregation.
Incident Response
In the event of a security incident involving customer or Amazon data:
- Amazon is notified at security@amazon.com within 24 hours of detection
- Affected clients are notified promptly with details about the nature and scope of the incident
- Our incident response plan includes containment, investigation, remediation, and prevention procedures
- The incident response plan is reviewed and tested regularly
Compliance
itervai complies with the Amazon Services API Data Protection Policy, the Acceptable Use Policy, and the Amazon Services API Solution Provider Agreement. Our practices include:
- No Amazon buyer PII retention (we do not access Amazon buyer PII via SP-API); channel-originated buyer PII retention limited to 90 days post-delivery
- Encryption of all PII at rest (AES-256) and in transit (TLS 1.2+)
- No use of Amazon or connected-channel data for AI/ML model training
- No sharing of Amazon or connected-channel data with third parties
- 24-hour incident notification to Amazon
- Quarterly access reviews and periodic penetration testing
Contact
To report a security concern or request information about our security practices:
Email: security@itervai.com
