Last Updated: Apr 22, 2025
This document is a security overview of the InfiPlex Inventory and Order Management System (OMS). InfiPlex is an Amazon Technology Partner, and our SaaS solution has passed Amazon’s Technical Baseline Review and the SP-API Amazon developer data security assessment. InfiPlex has also been approved as an Amazon Selling Partner Appstore application. As an approved Amazon App, we have passed all security requirements to pull and process PII Data.
InfiPlex Security Overview
User Logins
- Password minimum requirements
- Device location security
- Device level security
- API limits – InfiPlex automatically monitors attempted logins and limits the number of attempts.
- OMS URLs are not posted or marketed, requiring users to know the URL and have a valid user name and password to access the OMS site.
Amazon SP-API Security Team Review
InfiPlex OMS has passed the SP-API Team's Developer Security Assessment. The most recent assessment was completed in April 2025.
The Amazon SP-API Developer Security Assessment is similar to a SOC 2 assessment, and in some cases its requirements are more detailed, since they include specific AWS reviews and requirements.
The Amazon Selling Partner API (SP-API) has stringent security requirements outlined in its Data Protection Policy (DPP) to ensure the protection of sensitive data, including Personally Identifiable Information (PII). Below is a comprehensive overview of the key security requirements for developers and integrators building SP-API applications. InfiPlex has passed all of these requirements.
General Security Requirements
These apply to all developers building SP-API applications:
- Network Protection:
  - Implement network firewalls and access control lists to deny unauthorized IP access.
  - Use network segmentation to split networks into smaller sub-networks for better access control and security.
  - Install antivirus and anti-malware software on all end-user devices with regular full system scans.
  - Restrict public access to approved users only and provide data protection and IT security training for all personnel with system access.
- Access Management:
  - Password Policy:
    - Passwords must be at least 12 characters, include a mix of uppercase, lowercase, numbers, and special characters, and exclude any part of the user’s name.
    - Set a minimum password age of 1 day and a maximum expiration of 365 days.
    - Password complexity can be managed using tools like AWS Directory Service or Microsoft Active Directory Group Policies.
- Encryption:
  - Encrypt all Amazon Information and customer PII both at rest and in transit using Amazon-approved algorithms (e.g., AES or RSA).
  - Protect API keys provided by Amazon with encryption and restrict access to only necessary employees.
  - Use secure credential stores like AWS Secrets Manager instead of hardcoding sensitive credentials (e.g., API keys, secret keys, or tokens) in source code or public repositories.
- Incident Response Plan:
  - Develop and maintain a documented incident response plan that includes roles, responsibilities, incident types, response procedures, and an escalation path to Amazon.
  - Notify Amazon within 24 hours of detecting a security incident via email to 3p-security@amazon.com.
  - Review the plan every six months and after major infrastructure changes, documenting lessons learned and maintaining a chain of custody for evidence.
- Vulnerability Management:
  - Conduct vulnerability scans at least semi-annually and penetration tests annually.
  - Perform code vulnerability scans before releasing new code, features, or products.
  - Use tools like Amazon Inspector or third-party solutions (e.g., Kali Linux, Nessus, Burp Suite) for vulnerability scanning and penetration testing.
  - Ensure backups or snapshots are in place to restore PII access within hours in case of an incident.
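The password policy items above (12-character minimum, all four character classes, no part of the user's name, 1-day minimum age, 365-day maximum age) are concrete enough to enforce in code. The following is an added example, not InfiPlex or Amazon code; it assumes that a "part of the user's name" means any whitespace-separated token of three or more characters, compared case-insensitively.

```python
import string
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 12
MIN_AGE_DAYS = 1      # a password may not be changed again within 1 day
MAX_AGE_DAYS = 365    # a password must be rotated within 365 days
SPECIALS = set(string.punctuation)


def name_parts(full_name: str) -> list[str]:
    # Assumption (not stated by the DPP text): a "part of the name" is any
    # whitespace-separated token of 3+ characters, matched case-insensitively.
    return [p.lower() for p in full_name.split() if len(p) >= 3]


def check_password(candidate: str, full_name: str) -> list[str]:
    """Return the complexity rules the candidate violates (empty list = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    for part in name_parts(full_name):
        if part in lowered:
            problems.append(f"contains part of user's name ({part!r})")
    return problems


def password_age_status(age_days: float) -> str:
    """Classify the current password's age against the 1-day minimum and 365-day maximum."""
    if age_days < MIN_AGE_DAYS:
        return "too-new-to-change"   # minimum age not reached: refuse another change
    if age_days > MAX_AGE_DAYS:
        return "expired"             # maximum age exceeded: force rotation at login
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a user changed their password 400 days ago and proposes a new one.
    now = datetime(2025, 4, 22, tzinfo=timezone.utc)
    last_changed = now - timedelta(days=400)
    print(password_age_status((now - last_changed).days))          # expired
    print(check_password("janeDoe#2025xyz", "Jane Doe"))           # name-part violations
```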
Additional Security Requirements for Restricted Operations
These apply to developers handling PII for specific tax or seller-fulfilled shipping purposes:
- Restricted Data Access:
- Data Governance and Retention:
- Enhanced Encryption and Logging:
- Architecture Review:
- Network Protection:
Amazon Partner Network Application Review
- The InfiPlex application has been fully vetted by Amazon to meet their SaaS requirements for applications.
- InfiPlex is an Amazon Technology Partner and our SaaS solution has passed Amazon’s Technical Baseline Review.
- APN Technical Baseline Review
- Data Protection Policy & PII information
- Acceptable Use Policy for applications given access to Amazon Marketplace APIs
- Business Level Support – support with Amazon and immediate access to engineers
- CloudTrail Root Account Logging – logging of access to all root systems to ensure security and system integrity
- Identity and Access Management – controlling security access to administrators based on their roles and ensuring proper password encryption and limited access.
- Backups and Recovery – Regular back-ups of databases and instances
- Disaster Recovery – Recovery Point Objective (RPO) and Recovery Time Objective (RTO) defined for all services
- Cross Account Access – limiting access of any Amazon seller’s data
- Personally Identifiable Information – PII data is encrypted in transit and deprecated 30 days after the order is shipped
Aperia PCI Scan Overview:
Aperia PCI Scan services are a comprehensive Payment Card Industry (PCI) Data Security Standard (DSS) compliance and validation platform, designed to help merchants, payment providers, and SaaS providers meet PCI requirements efficiently. The Aperia quarterly PCI Scan includes complete penetration testing through automated scans to identify all known exploits that affect the industry.
Network Security Scans:
As an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council, Aperia conducts non-intrusive scans to remotely review networks and web applications based on external-facing IP addresses. These scans identify vulnerabilities in operating systems, services, and devices that hackers could exploit, without requiring software installation or performing denial-of-service attacks.
Additional Features:
Their services integrate with solutions like the SAQ Wizard, internal vulnerability scanning, antivirus and endpoint protection, PAN scanning, mobile scanning, and keylogging prevention to fulfill specific PCI requirements.
