SP-API Security and Compliance Overview
Learn how to implement essential security controls for SP-API applications to meet Amazon's Data Protection Policy requirements and maintain secure access to seller data.
As a Selling Partner API (SP-API) developer, you must ensure that your application meets Amazon's Data Protection Policy (DPP) requirements, passes mandatory data security assessments, and maintains secure access to SP-API services. These security frameworks protect your application from common threats like credential theft, data breaches, and malware attacks. They also establish the foundation for handling sensitive seller data responsibly.
Without these controls, your application risks failing Amazon's compliance audits, losing API access privileges, and exposing your organization to security vulnerabilities. These vulnerabilities can compromise both your systems and the seller data that you protect.
Security requirements for all SP-API developers
To protect seller data and maintain API access, implement the following essential security controls:
- Safeguarding Sensitive Credentials: To prevent credential theft and unauthorized access, never hardcode credentials in source code. Store them securely outside the codebase and search your code (including commit history) for hardcoded keys, passwords, and tokens.
- Network Protection Guidance: To block external attacks and malware, implement firewalls, anti-malware, and secure (encrypted) connections.
- Key Security Control Guidance: To ensure that only authorized personnel can access your systems, establish user access controls.
- Protect Amazon SP-API Applications with Incident Response: To minimize damage from security incidents, maintain a plan that notifies Amazon within 24 hours of discovering an incident.
- Logging and Monitoring for Amazon API Applications: To detect security issues and support investigations, retain logs for at least 90 days and test that your alerting actually fires.
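The credential-safeguarding item above asks you to search your code for hardcoded keys, passwords, and tokens and to keep credentials out of source. The following is an added example, not code from the SP-API documentation or from Amazon: a small pattern-based secret scanner run over a constructed source snippet, plus a loader that reads Login with Amazon (LWA) credentials from environment variables and fails closed when any are missing. The AWS access key prefix and the `Atzr|` refresh-token prefix are commonly observed formats, not an official SP-API specification; the environment variable names `LWA_CLIENT_ID`, `LWA_CLIENT_SECRET`, and `LWA_REFRESH_TOKEN` are assumptions for this example.

```python
"""Hardcoded-credential scanner and environment-based credential loader (added example)."""
import os
import re

# Patterns for the credential kinds an SP-API application typically handles.
# The formats are common conventions, not an official list from Amazon.
SECRET_PATTERNS = [
    # AWS access key IDs (long-term AKIA..., temporary ASIA...) are 20 chars.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # LWA refresh tokens are commonly observed to start with "Atzr|" (assumption).
    ("lwa_refresh_token", re.compile(r"\bAtzr\|[A-Za-z0-9\-_]{20,}")),
    # Generic: password/secret/api_key/token assigned a quoted literal of 8+ chars.
    ("generic_assignment", re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    )),
]

# Constructed sample source file; none of these values is a real credential.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
refresh_token = "Atzr|IwEBIexample_not_a_real_token_000000"
client_secret = os.environ["LWA_CLIENT_SECRET"]   # fine: read from the environment
debug_password = "hunter2"                        # below the 8-char threshold
api_key = "sk-constructed-placeholder-value"
"""


def scan_text(text):
    """Return one finding per line that matches a secret pattern.

    The first matching pattern wins for a given line, so a refresh token is
    reported once as 'lwa_refresh_token' rather than also as a generic match.
    The matched value is redacted so the scanner's own output does not leak it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "redacted": match.group(0)[:4] + "...",
                })
                break
    return findings


def scan_directory(root, extensions=(".py", ".js", ".ts", ".json", ".yml", ".yaml", ".env")):
    """Walk a source tree and scan text files with the given extensions."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules", "venv")]
        for name in filenames:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
                if found:
                    results[path] = found
    return results


def load_credentials(env=None):
    """Read LWA credentials from the environment instead of source code.

    Raises RuntimeError naming every missing variable so a misconfigured
    deployment fails at startup rather than at the first API call.
    """
    env = os.environ if env is None else env
    required = ("LWA_CLIENT_ID", "LWA_CLIENT_SECRET", "LWA_REFRESH_TOKEN")
    missing = [key for key in required if not env.get(key)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {key: env[key] for key in required}


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['kind']} ({finding['redacted']})")
```

Run the module to see the three findings in the constructed sample (the environment-sourced secret and the short `hunter2` literal are not reported), or call `scan_directory(".")` from a pre-commit hook to block commits that introduce new matches. Treat the patterns as a starting point: add the specific token formats your application handles, and remember that a scanner only finds what it has a pattern for.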
Security requirements for PII access
To meet enhanced data protection requirements when your application handles personally identifiable information (PII), apply the following additional security measures:
- Vulnerability Management: To identify security weaknesses before attackers do, run vulnerability scans at least every 180 days and a penetration test at least yearly.
- Protect Amazon API Applications with Data Encryption: To keep PII protected even if systems are compromised, encrypt it at rest and in transit.
- Protect Amazon API Applications with Data Retention and Recovery: To minimize PII exposure and meet regulatory requirements, enforce the 30-day PII deletion rule and verify that backups are encrypted.
Specialized security implementation guides
Use the following specialized tools and services to streamline security implementation, automate compliance assessments, and access advanced SP-API functionality for your specific business needs.
- Amazon Selling Partner API Guard Implementation Guide: To automatically scan AWS data for security compliance with Amazon's Data Protection Policy, deploy Amazon Selling Partner API Guard. Get serverless self-service assessments, remediation recommendations, and secure findings reports within 24 hours.
- VAT Calculation Service: To provide VAT calculation services and invoicing functionality for Amazon Business sellers, enroll in Amazon's VAT Calculation Service (VCS). Enable VAT-exclusive pricing and increase product visibility with Downloadable VAT Invoice badges in supported EU stores.
- Amazon Seller Data Access: Programmatically access Amazon seller data, including listings, orders, inventory, payments, and End User Data Reports, for professional selling accounts and authorized third parties.