Security at AIAdKing

Seller and marketplace data is among the most sensitive in e-commerce. Here is exactly how we protect it.

Last updated: May 13, 2026

  • TLS 1.2+: Encrypted in transit
  • AES-256: Encrypted at rest
  • OAuth only: No password collection
  • ≤ 30 days: PII retention limit

1. Encryption

All traffic between sellers, our application and marketplace APIs (including SP-API) is encrypted using TLS 1.2 or higher. HSTS is enforced. Data at rest — OAuth refresh tokens, seller PII and order data — is encrypted with AES-256. Database backups are encrypted with separate keys.

2. Credential and token handling

AIAdKing never collects or stores marketplace passwords. Authorisation uses the official OAuth flow (Login with Amazon for SP-API). Refresh tokens are encrypted at the application layer before they reach the database. Access tokens are short-lived, scoped per-seller, never logged, and rotated automatically.

3. Access control

  • Least privilege: Engineers get production access only when required, time-boxed, audited and revoked automatically.
  • MFA is enforced on all internal accounts.
  • RBAC separates seller-data access from platform administration.
  • Audit logs capture every administrative action and every API call against seller data.

4. Data minimisation and retention

We request only the SP-API scopes required for features the seller has enabled. We do not retain PII longer than 30 days after fulfilment unless required for tax or legal reasons. Sellers can request deletion of all their data at any time via privacy@aiadking.com; deletion is completed within 30 days.

5. Amazon Data Protection Policy compliance

  • PII obtained from SP-API is used only to fulfil orders or as required by law.
  • PII is never shared with third parties (other than sub-processors strictly necessary for service operation).
  • PII is never used for direct marketing to buyers.
  • PII is encrypted in transit and at rest.
  • Access to PII is restricted, logged and reviewed quarterly.

6. Infrastructure

AIAdKing is hosted on hardened cloud infrastructure with private networking between application servers and databases. Public endpoints sit behind a web application firewall. Vulnerability scanning runs continuously; dependencies are patched on a defined SLA.

7. Incident response

We maintain a written Incident Response Plan. Any confirmed incident affecting Amazon Information will be reported to Amazon at security@amazon.com within 24 hours, and to affected sellers without undue delay.

8. Sub-processors

We use a small, vetted list of sub-processors (cloud hosting, transactional email, error monitoring). The current list is available in our DPA on request.

9. Reporting a security issue

Found something? Email security@aiadking.com. We acknowledge reports within one business day.