SellerAide
Sign In

Security

Last Updated: July 4, 2026

SellerAide is operated by Pikewood LLC. This page summarizes how we protect your account and the data you entrust to us, including any marketplace account you connect. Our internal security and data-handling policies are reviewed at least annually. We do not request or store Amazon buyer personal data.

1. Hosting & infrastructure

The application runs on Vercel (US, Oregon) with our database, authentication, and file storage on Supabase (Postgres on AWS US West 2, Oregon). Both providers maintain SOC 2 Type II / ISO 27001 attestations and encrypt data at rest. The full list of providers is on our Sub-processors page.

2. Encryption

  • In transit: TLS 1.2+ across all connections (TLS 1.3 at the edge), with HSTS.
  • At rest: AES-256 for the database and file storage.
  • Tokens: OAuth/refresh tokens for connected marketplaces and accounting integrations (including QuickBooks Online) are additionally encrypted at the application layer with AES-256-GCM, using keys held separately from the database and namespaced per provider.

3. Multi-tenant isolation

Every customer's data is isolated by Postgres Row-Level Security on every multi-tenant table. One seller can never read another seller's listings, accounting records, uploaded documents, or marketplace tokens. Backend service-role access is limited to webhooks and scheduled jobs and is logged.

4. Access control

Administrative/operator accounts require multi-factor authentication and follow least-privilege; there are no shared accounts. We perform periodic access reviews and revoke access promptly on role change or departure. Customer passwords are managed by Supabase Auth with a strong policy and lockout.

5. Secrets management

API keys and encryption keys are stored as environment secrets, never committed to source, with pre-commit secret scanning. Keys are rotated on a schedule and immediately on suspected compromise or personnel change.

6. Secure development & vulnerability management

Code lives in a private repository with a protected main branch and CI gates (type-check, lint, tests, build) on every change. We run automated dependency and static-analysis scanning and patch on a severity-based schedule (critical issues first). Database migrations are append-only. We intend to commission an independent penetration test before any public app-store listing.

7. Logging & monitoring

Application and access logs are centralized and retained for at least 12 months; access to connected-marketplace data is tagged and retained. We alert on authentication anomalies, error surges, and unexpected service-role activity (via Sentry). Logs exclude plaintext secrets and mask OAuth tokens.

8. Incident response

We maintain a documented incident-response plan with a named contact and defined notification timelines — including notifying Amazon at security@amazon.com within 24 hours of a confirmed incident affecting Amazon data, notifying Intuit within 24 hours of a confirmed incident affecting QuickBooks data, and notifying affected individuals and regulators as required by GDPR/CCPA. Report a security concern to security@selleraide.com.

9. Marketplace & buyer data

Our Amazon Selling Partner API integration is scoped to your own catalog, listings, listing issues, listing-eligibility status, A+ Content, fee estimates, and — under the non-buyer-PII roles you authorize — your own order-financial and settlement summaries. Data retrieved through your SP-API connection is never placed in a shared or cross-seller cache. Our product-research features additionally use product-level market data from Keepa GmbH; only product identifiers are sent to Keepa — never personal, account, or seller data. We do not request or store Amazon buyer names, addresses, contact details, or payment data. The only buyer-identifying data we ever hold is the recipient name and shipping address you choose to upload in your own shipping-carrier CSV (e.g. Pirate Ship) to match postage to your orders — stored privately and per-seller, never sent to an AI provider, and never aggregated.

10. AI providers

Content you send to our AI providers (Anthropic Claude by default, Google Gemini as an alternate) is processed under paid commercial API terms; your inputs and outputs are not used to train their models. Data pulled from marketplace APIs is never sent to an AI provider — only seller-authored listing text and the documents you upload for extraction.

11. More

See our Sub-processors, Data Retention, and Privacy Policy. Responsible disclosure reports are welcome at security@selleraide.com.

© 2026 SellerAide, a product of Pikewood LLC. All rights reserved. · support@selleraide.com

PrivacyTermsCookiesSub-processorsSecurityData RetentionAcceptable UseRefundsAffiliatesContact