Amazon Selling Partner API (SP-API) Compliance Statement
Overview
This page provides a complete and transparent overview of how Enreship LLC ("Enreship," "we," "us," or "our") complies with the Amazon Selling Partner API (SP-API) Data Protection Policy, Acceptable Use Policy, and technical security requirements.
This compliance statement applies exclusively to Amazon-related data processing and is separate from our general Privacy Policy, Data Processing Agreement, and Security Policy.
Table of Contents
Purpose of This Page
Amazon requires all Public Developers and integrators to maintain a publicly accessible page that clearly explains:
- What Amazon data we access
- How we store, process, use, retain, and protect that data
- How we comply with SP-API security requirements
- Who we share Amazon Information with
- Our logging, monitoring, and incident-response practices
- Our credential, vulnerability, and risk-management controls
- Our data deletion and retention policies
This page fulfills those requirements.
Types of Amazon Data We Access
Enreship accesses Amazon Information only after explicit authorization from the seller. Depending on the roles granted by the merchant, the types of data may include:
2.1 Non-PII Order Data
- • Amazon order IDs
- • SKU, ASIN, product identifiers
- • Order status, purchase date, fulfillment channel
- • Item quantities, prices, taxes, promotions
- • Shipment status and tracking information
2.2 Restricted PII (Shipping-Related Only)
Enreship only requests Restricted Data (PII) required to generate shipping labels, fulfill orders, and return tracking updates to Amazon:
- • Recipient name
- • Shipping address
- • Phone number (if available)
- • Email only where Amazon supplies it for shipping-related purposes
2.3 Data We Never Access
- • Buyer payment information
- • Buyer Amazon account information
- • Customer messages
- • Amazon credentials or passwords
- • Any data outside the scopes explicitly granted by the merchant
How Enreship Uses Amazon Information
Amazon data is used only for operational fulfillment purposes, including:
- Importing orders into Enreship
- Generating shipping labels
- Transmitting shipping data to carriers
- Returning tracking numbers and shipment events to Amazon
- Synchronizing order statuses
- Warehouse receiving, storage, pick-pack-ship workflows (if seller uses Enreship Fulfillment Network)
- Analytics such as cost per shipment, carrier delivery performance, and inventory movement (always aggregated or de-identified where possible)
We do not use Amazon data for:
- Advertising
- Cross-context behavioral profiling
- Selling or monetizing data
- Building unrelated datasets
- Marketing to customers
- Any purpose not permitted by the SP-API Data Protection Policy
Data Storage & Encryption
4.1 Encryption in Transit
All Amazon Information is transmitted using TLS 1.2 or higher, including:
- API calls to Amazon
- Data sent to/from carriers
- Internal service-to-service communication
- Dashboard access by merchants
4.2 Encryption at Rest
All Amazon Information stored by Enreship is encrypted at rest using:
- AES-256 block-level encryption
- Encrypted database volumes
- Encrypted secrets vault for API tokens and credentials
4.3 Where Data Is Stored
Amazon Information is stored exclusively on secure cloud infrastructure:
Data is never stored on employee devices or removable media.
Data Retention
5.1 PII Retention
Personally Identifiable Information received from Amazon (recipient name, address, phone) is retained only for as long as necessary to:
- Fulfill the shipment
- Provide tracking
- Resolve delivery issues, disputes, or returns
- Meet Amazon audit or operational requirements
After this, PII is:
- Deleted, or
- Anonymized to remove all identifiers
5.2 Backups
Backups containing Amazon Information:
- Use AES-256 encryption
- Are stored in secure AWS backup infrastructure
- Follow automated rotation and expiration schedules
- Are not accessible to unauthorized personnel
Data Sharing (AUP Section 4.6 Compliance)
Enreship does not sell or share Amazon Information with third parties except where necessary to operate the service.
We share Amazon data only with:
6.1 Carriers (UPS, USPS, FedEx, DHL, OnTrac, Amazon Shipping)
Only shipment-required data is shared:
- • Recipient name
- • Shipping address
- • Phone (if required)
- • Package details
6.2 Infrastructure Providers
These vendors process data only on Enreship's behalf:
- • AWS (hosting, storage, databases)
- • CloudFront (CDN)
- • Logging and monitoring systems
- • Encrypted email delivery (transactional)
- • Customer support tools
All are contractually bound to confidentiality and restricted processing.
6.3 No Other Sharing
We do not share Amazon Information with:
- • Advertisers
- • Data brokers
- • Analytics companies unrelated to Enreship
- • Third parties for marketing
Logging, Monitoring & Intrusion Detection (DPP 2.6)
Enreship maintains extensive security logging and monitoring, including:
Logs are:
- Encrypted at rest
- Access-controlled
- Retained only as long as operationally and legally required
Centralized monitoring detects:
Risk Management & Incident Response (DPP 1.6)
Enreship maintains a documented Incident Response Plan that includes:
8.1 Detection
Automated systems alert on:
- • Unauthorized access attempts
- • Credential misuse
- • Excessive API failures
- • Abnormal data-access events
- • Service degradation
8.2 Containment
Immediate actions include:
- • Revoking tokens
- • Blocking IP ranges
- • Isolating compromised systems
- • Locking affected accounts
8.3 Eradication & Recovery
- • Patching vulnerabilities
- • Validating system integrity
- • Rotating all credentials
- • Restoring from encrypted backups
8.4 Notification
For any confirmed incident involving Amazon PII:
- • Amazon is notified without undue delay
- • Affected merchants are informed
- • A detailed forensic log summary is provided
Credential Management (DPP 1.4)
Enreship enforces strict credential policies:
- Minimum password length & complexity
- Multi-Factor Authentication (MFA) strongly recommended
- Access tokens stored only in encrypted vaults
- No token stored in code repositories
- Developer access restricted via role-based IAM policies
- Zero-production-access policy for unauthorized employees
Vulnerability Management (DPP 2.7)
Enreship maintains comprehensive vulnerability-management processes:
- Automated dependency scanning
- Weekly security scans
- Static Application Security Testing (SAST)
- Infrastructure vulnerability scanning
- Penetration tests performed periodically
- Tracked remediation workflow (ClickUp)
- Critical vulnerabilities patched immediately
- High-severity items follow strict SLAs for mitigation
Data Deletion Upon Seller Request
A seller may request deletion of:
- All Amazon Information
- Tokens and authorizations
- Historical logs containing identifiable data
Upon request:
- All account-bound Amazon Information is deleted or anonymized
- All refresh tokens and SP-API authorizations are revoked
- Backups naturally expire following retention policies
Employee Access Controls
Employee access is tightly controlled:
- Only authorized personnel may handle Amazon data
- All employees undergo security and data-handling training
- All internal systems require MFA
- Production access is restricted through IAM roles
- No employee may extract or store Amazon Information externally
Seller Controls
Sellers control:
- Which roles and permissions Enreship receives
- When integration tokens are revoked
- What data is imported
- How long their account and data remain active
A seller may disconnect Enreship at any time using Amazon's authorization page.
Compliance With Amazon Policies
Enreship complies fully with:
- Amazon SP-API Data Protection Policy
- Amazon Acceptable Use Policy
- Amazon Developer Agreement
- Amazon Marketplace Policies regarding PII
- OAuth-based secure authorization flows
- Annual security assessments required by Amazon
Contact for SP-API Compliance
For Amazon SP-API compliance questions:
Enreship LLC
Address
727 Hylton Rd
Pennsauken, NJ 08110
United States