Apply for Restricted (PII) Roles in SP-API

This topic provides details about applying for PII roles in SP-API.



This information is for public SP-API developers.

After your Developer Profile has been submitted, it goes through three stages:

Stage 1: Business Criteria Review
As an initial step, we review the developer application on a variety of technical and business criteria including, business use-case, launch readiness, services offered that can be viewed on a public facing website, and supported geographies. If the developer fails at this stage we will reject the application and share a general denial blurb. The developers that meet these criteria must then go through rigorous security reviews with Amazon.

Stage 2: Information/Security Architecture Questions
This step focuses on your free-form responses on information/security controls in place. If there are gaps identified, developers will be asked to provide additional information. Once the developers are in compliance with our security policies on the form, they will be requested to provide detailed responses on fourteen additional security questions that are sent through an attachment.

Stage 3: Security architecture review (scheduled live meeting/demo)
In the final stage of evaluation, a live meeting is scheduled with the developer and a solution architect to review specific security topics based on the responses submitted. Upon completion of the meeting, if there are no open questions or security gaps, your Restricted access request will be approved. If more clarification or evidence is required, the developer must provide additional details before being considered for Restricted access. Note that all developers must make a successful call to Restricted API sections in order to maintain access to Restricted SP-API roles. Additionally, Amazon or Deloitte (independent audit company) may reach out to schedule a separate review (implementation phase) in 90+ days after the application has been running in production to confirm that data obtained from SP-API is handled in accordance with our policies.