Security

Your credentials. Your data. Your rules.

We hold your Amazon SP-API credentials and your financial data. Here's how we protect both — and how we expect to be held accountable.

Credential vault

SP-API credentials are stored in AWS Secrets Manager with per-tenant isolation. The application role cannot read raw secrets — it vends short-lived tokens at request time. Secrets never touch source control.

Database isolation

PostgreSQL Row-Level Security with FORCE on every tenant-scoped table. Every query carries a `tenant_id` claim. The application role is not `rds_superuser` and cannot bypass RLS.
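A minimal PostgreSQL setup matching the controls described above, added here as an example rather than the product's own schema; the table name `orders`, the role `app_rw`, and the session setting `app.tenant_id` used to carry the `tenant_id` claim are assumptions.

```sql
-- Added example (not the product's schema): one tenant-scoped table protected
-- the way the Database isolation section describes.
-- Assumptions: table "orders", tenant ids are UUIDs, and the application
-- passes its tenant_id claim as the session setting app.tenant_id.

-- Application role: a plain login role, neither superuser nor BYPASSRLS,
-- so it has no way to sidestep the policies below.
CREATE ROLE app_rw LOGIN NOSUPERUSER NOBYPASSRLS NOCREATEROLE NOCREATEDB;

CREATE TABLE orders (
    id           uuid PRIMARY KEY,
    tenant_id    uuid NOT NULL,
    amount_cents bigint NOT NULL
);

-- ENABLE turns RLS on; FORCE makes it apply to the table owner as well,
-- closing the gap where an owning role silently sees every row.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- USING filters reads/updates/deletes, WITH CHECK guards inserts/updates,
-- so a tenant can neither read nor write rows outside its own tenant_id.
-- current_setting(..., true) yields NULL (not an error) when the setting
-- is absent, and "tenant_id = NULL" is never true, so a request that
-- carries no claim sees no rows at all.
CREATE POLICY tenant_isolation ON orders
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_rw;

-- Per-request usage: SET LOCAL scopes the claim to the transaction, so a
-- pooled connection cannot leak one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, amount_cents FROM orders;   -- only this tenant's rows
COMMIT;

-- Review checks: RLS is both enabled and forced on the table, and the
-- application role carries no bypass attributes.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'orders';   -- expect t, t

SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles WHERE rolname = 'app_rw';   -- expect f, f
```

The two trailing queries are the ones worth repeating in an automated check, since a table created later without `FORCE` or a role granted `BYPASSRLS` would pass unnoticed otherwise.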

Encryption

At-rest encryption on RDS. TLS 1.2+ everywhere (1.3 by default). Database connections require SSL. Secrets encrypted with AWS KMS. Customer-managed KMS keys available on Enterprise.

Access control

RBAC with admin / account_manager / viewer roles. Every mutation is audit-logged with user id, IP, and source. Platform-admin impersonation is gated behind a second flag and fully logged.

Backups & recovery

Point-in-time recovery enabled on RDS. Daily snapshots with 7-day minimum retention. Cross-region snapshot copies on Enterprise.

Compliance

GDPR data handling today (EU data stays in US-East until EU region launch). Custom DPA available for Enterprise. Amazon Selling Partner API Data Protection Policy attestations on /legal/amazon-data-protection.

Responsible disclosure

Found a security issue? Tell us.

We respond within one business day, triage within three, and credit researchers by default.

Please do not publicly disclose before we've had a chance to remediate. If you need PGP, email and we'll provide the public key. Enterprise customers can request our security whitepaper during procurement.

Security questions from procurement?

Our DPA, subprocessor list, and Amazon Data Protection page answer most of them. For anything else, email security and we’ll respond.