Feb 23 2021

InfiPlex Security Overview

Last Updated: Apr 22, 2025

This document is a security overview of the InfiPlex Inventory and Order Management System (OMS). InfiPlex is an Amazon Technology Partner, and our SaaS solution has passed Amazon’s Technical Baseline Review and the SP-API Amazon developer data security assessment. InfiPlex has also been approved as an Amazon Selling Partner Appstore application. As an approved Amazon App, we have passed all security requirements to pull and process PII data.

  • User Logins

    • Password minimum requirements
    • Device location security
    • Device level security
    • API limits – InfiPlex automatically monitors attempted logins and limits the number of attempts.
    • OMS URLs are not posted or marketed, requiring users to know the URL and have a valid user name and password to access the OMS site.
     
  • Amazon SP-API Security Team Review

    InfiPlex OMS has passed the SP-API team's Developer Security Assessment. The most recent assessment was completed in April 2025.

    The Amazon SP-API Developer Security Assessment is similar to a SOC 2 assessment and in some cases has more detailed requirements, since it includes specific AWS reviews and requirements.

    The Amazon Selling Partner API (SP-API) has stringent security requirements outlined in its Data Protection Policy (DPP) to ensure the protection of sensitive data, including Personally Identifiable Information (PII). Below is a comprehensive overview of the key security requirements for developers and integrators building SP-API applications. InfiPlex has passed all of these requirements.
     

    General Security Requirements

    These apply to all developers building SP-API applications:
    1. Network Protection:
      • Implement network firewalls and access control lists to deny unauthorized IP access.
      • Use network segmentation to split networks into smaller sub-networks for better access control and security.
      • Install antivirus and anti-malware software on all end-user devices with regular full system scans.
      • Restrict public access to approved users only and provide data protection and IT security training for all personnel with system access.  
    2. Access Management:
      • Enforce the principle of least privilege for user and service accounts to minimize access to sensitive data.
      • Require Multi-Factor Authentication (MFA) for all user accounts to protect against brute force attacks.
      • Regularly review and delete inactive user and service accounts.  
    3. Password Policy:
      • Passwords must be at least 12 characters, include a mix of uppercase, lowercase, numbers, and special characters, and exclude any part of the user’s name.
      • Set a minimum password age of 1 day and a maximum expiration of 365 days.
      • Password complexity can be managed using tools like AWS Directory Service or Microsoft Active Directory Group Policies.  
    4. Encryption:
      • Encrypt all Amazon Information and customer PII both at rest and in transit using Amazon-approved algorithms (e.g., AES or RSA).
      • Protect API keys provided by Amazon with encryption and restrict access to only necessary employees.
      • Use secure credential stores like AWS Secrets Manager instead of hardcoding sensitive credentials (e.g., API keys, secret keys, or tokens) in source code or public repositories.      
    5. Incident Response Plan:
      • Develop and maintain a documented incident response plan that includes roles, responsibilities, incident types, response procedures, and an escalation path to Amazon.
      • Notify Amazon within 24 hours of detecting a security incident via email to 3p-security@amazon.com.
      • Review the plan every six months and after major infrastructure changes, documenting lessons learned and maintaining a chain of custody for evidence.  
    6. Vulnerability Management:
      • Conduct vulnerability scans at least semi-annually and penetration tests annually.
      • Perform code vulnerability scans before releasing new code, features, or products.
      • Use tools like Amazon Inspector or third-party solutions (e.g., Kali Linux, Nessus, Burp Suite) for vulnerability scanning and penetration testing.
      • Ensure backups or snapshots are in place to restore PII access within hours in case of an incident.  
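    As an added illustration of the password rules in item 3 above (example code, not InfiPlex's own; the choice to ignore one- and two-letter name tokens such as initials when checking "any part of the user's name" is an assumption of this example), the following Python checker applies the 12-character, character-class, name-exclusion and 1-day / 365-day age rules:

```python
# Added example (not InfiPlex code): a checker for the SP-API DPP password
# rules listed under item 3 above. Assumption: name tokens shorter than three
# characters (e.g. initials) are not treated as "part of the user's name".
import re

MIN_LENGTH = 12
MIN_AGE_DAYS = 1      # a password may not be changed again before this
MAX_AGE_DAYS = 365    # a password must be rotated after this


def _name_parts(full_name):
    """Split 'Jane Q. Doe' into lowercase tokens, dropping short ones like initials."""
    return [p for p in re.split(r"[^a-z0-9]+", full_name.lower()) if len(p) >= 3]


def check_complexity(password, full_name):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for part in _name_parts(full_name):
        if part in lowered:
            problems.append(f"contains part of user's name ({part!r})")
    return problems


def rotation_status(days_since_set):
    """Classify password age: 'too-new' (< 1 day), 'ok', or 'expired' (> 365 days)."""
    if days_since_set < MIN_AGE_DAYS:
        return "too-new"
    if days_since_set > MAX_AGE_DAYS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed sample inputs for the reader; the user name is fictional.
    for pw in ("Tr0ub4dor&3xyz", "JaneDoe#2024!!", "short1!A"):
        print(pw, "->", check_complexity(pw, "Jane Q. Doe") or "OK")
    print(rotation_status(0.5), rotation_status(30), rotation_status(400))
```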

    Additional Security Requirements for Restricted Operations

    These apply to developers handling PII for specific tax or seller-fulfilled shipping purposes:
    1. Restricted Data Access:
      • PII access is granted on a need-to-have basis only for approved use cases.
      • Use Restricted Data Tokens (RDT) to access PII, which requires additional authentication and compliance with Amazon’s review process.  
    2. Data Governance and Retention:
      • Implement policies for data storage, retention, and disposal to ensure PII is handled securely.
      • Maintain strict access controls and logging for PII-related operations.  
    3. Enhanced Encryption and Logging:
      • Apply additional encryption measures for PII data stores (e.g., databases, block storage).
      • Log all access and operations involving PII to ensure traceability and compliance.  
    4. Architecture Review:
      • Undergo a detailed architecture review with Amazon’s SP-API Solutions Architecture team, including a demo of data flows and PII protection controls.
      • Provide comprehensive responses to security questions during the developer application process, especially for restricted roles.  
     
  • Amazon Partner Network Application Review

    • The InfiPlex application has been fully vetted by Amazon to meet their SaaS requirements for applications.
    • InfiPlex is an Amazon Technology Partner, and our SaaS solution has passed Amazon’s Technical Baseline Review.
    • InfiPlex is AWS Qualified Software (APN Technical Baseline Review).
    • Data Protection Policy and PII information.
    • Acceptable Use Policy for applications given access to Amazon Marketplace APIs.
    • Business Level Support – support with Amazon and immediate access to engineers.
    • CloudTrail Root Account Logging – logging of access to all root systems to ensure security and system integrity.
    • Identity and Access Management – controlling security access to administrators based on their roles and ensuring proper password encryption and limited access.
    • Backups and Recovery – regular back-ups of databases and instances.
    • Disaster Recovery – Recovery Point Objective (RPO) and Recovery Time Objective (RTO) defined for all services.
    • Cross Account Access – limiting access to any Amazon seller’s data.
    • Personally Identifiable Information – PII data is encrypted in transit and deprecated 30 days after the order is shipped.

  • Aperia PCI Scan Overview:

    Aperia PCI Scan services are a comprehensive Payment Card Industry (PCI) Data Security Standard (DSS) compliance and validation platform, designed to help merchants, payment providers, and SaaS providers meet PCI requirements efficiently. The Aperia quarterly PCI Scan includes complete penetration testing through automated scans to identify all known exploits that affect the industry.

    Network Security Scans:
    As an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council, Aperia conducts non-intrusive scans to remotely review networks and web applications based on external-facing IP addresses. These scans identify vulnerabilities in operating systems, services, and devices that hackers could exploit, without requiring software installation or performing denial-of-service attacks.

    Additional Features:
    Their services integrate with solutions like the SAQ Wizard, internal vulnerability scanning, antivirus and endpoint protection, PAN scanning, mobile scanning, and keylogging prevention to fulfill specific PCI requirements.