LEGAL
Security
Last updated: May 18, 2026
Overview
Pricelyzer is built for Amazon sellers who trust it with their SP-API credentials, sourcing data, and billing information. This page describes the technical and organisational controls we use to protect that data. We update this page as infrastructure changes. For any vulnerability reports or questions, contact security@pricelyzer.app.
1. Encryption in transit
All data transmitted between your browser, the Pricelyzer extension, and Pricelyzer infrastructure is encrypted using TLS 1.2 or higher, with modern cipher suites. TLS termination is handled by our CDN/edge layer and our managed database provider. TLS certificates are managed via automated renewal. We plan to enable HSTS preload on the public domain before public launch.
2. Encryption at rest
Customer data stored in Pricelyzer's managed Postgres database is encrypted at rest using AES-256 at the storage layer, as provided by our database vendor (Supabase). SP-API access tokens and refresh tokens are stored in a dedicated database column distinct from application data and are never written to application logs. We are evaluating column-level encryption with a dedicated secrets manager (Doppler) for SP-API credentials before public launch.
3. SP-API credential security
- Read-only scopes only. Pricelyzer's SP-API integration requests the minimum scopes required for each tool. We never request write access to listings, pricing, orders, or customer data beyond what you explicitly enable.
- Isolated storage. SP-API tokens are stored in an access-controlled column of our managed database, never written to application logs, and never exposed to client-side code.
- Revocation. You can revoke Pricelyzer's SP-API access at any time from Seller Central → Apps & Services → Manage Your Apps → Pricelyzer → Disconnect. Revocation propagates to Pricelyzer's systems within 24 hours.
- Deletion on cancellation. SP-API tokens are invalidated immediately upon account cancellation. Cached SP-API data is deleted within 30 days.
4. Access controls
- Least privilege. Production system access is restricted to Pricelyzer engineering personnel on a need-to-know basis.
- Audit logging. Administrative changes to production infrastructure are logged via our hosting and database providers' native audit trails.
- Credential hygiene. We rotate production credentials whenever team membership changes and at least once per year. We are migrating production secrets to a dedicated secrets manager (Doppler) before public launch; multi-factor authentication on privileged tooling (cloud, database, payments) is enforced for all current personnel.
5. Infrastructure
- Application hosting. Pricelyzer runs on dedicated cloud compute provided by Hetzner Cloud (Ashburn, Virginia, USA). Hetzner is ISO/IEC 27001 certified.
- Database. Application data is stored in a managed Postgres instance provided by Supabase (Canada Central region, Montreal, Canada). Supabase is SOC 2 Type II certified.
- Network segmentation. Customer databases are accessed through a managed connection pooler. Application servers connect over an encrypted Postgres protocol; the database is not exposed to the public internet for general queries.
- DDoS & WAF. Before public launch, all public endpoints will sit behind Cloudflare for DDoS mitigation and Web Application Firewall rules. Until then, public access is limited to invited beta testers.
- Dependency management. Application dependencies are scanned regularly using language-native vulnerability tooling (npm audit, pip-audit). We aim to remediate Critical-severity advisories within 48 hours of public disclosure.
6. Application security
- OWASP awareness. Pricelyzer's codebase is written against the OWASP Top 10 with parameterised queries, input validation, and framework-provided output encoding (React).
- Rate limiting. Backend API endpoints are rate-limited per IP to mitigate credential stuffing, enumeration, and abuse.
- Cookies. Authentication session cookies are HTTP-only, Secure (in production), and use the SameSite attribute to mitigate CSRF. We are migrating to SameSite=Strict with explicit CSRF tokens on state-changing requests before public launch.
- Content Security Policy. We are deploying a strict Content Security Policy header before public launch; until then, the application is served behind invite-only access.
7. Security monitoring and incident response
- Monitoring. Backend and database events are logged centrally. Before public launch we will integrate application error monitoring (Sentry) for both the cockpit and the API.
- Incident response. We maintain a documented incident response procedure. In the event of a confirmed personal-data breach, we will notify affected customers without undue delay and no later than 72 hours after confirmation, in line with GDPR Article 33.
- Breach disclosure. Notifications will include the nature of the incident, data categories affected, and remediation steps taken.
8. Compliance posture
- Vendor certifications. Our primary infrastructure vendors (Hetzner, Supabase, Stripe, Cloudflare) maintain industry security certifications applicable to their services. We are happy to share the most recent attestations on request.
- Pricelyzer certifications. Pricelyzer itself is not currently certified to SOC 2 or ISO 27001. We may pursue SOC 2 Type II once Enterprise customer demand justifies it; we will not represent Pricelyzer as certified or "in audit" until a real engagement is in progress.
- Penetration testing. We plan to commission an external penetration test before crossing meaningful user scale. We will publish a summary attestation when that test is complete.
- Amazon SP-API. Pricelyzer's use of SP-API data is governed by Amazon's Selling Partner API Developer Agreement and Data Protection Policy. We undergo Amazon's developer vetting process and periodic reviews.
9. Business continuity
Application data is hosted on a managed Postgres service (Supabase Pro tier) with automated daily backups and point-in-time recovery within the provider's retention window. We aim for a Recovery Time Objective (RTO) of under 4 hours and a Recovery Point Objective (RPO) of under 24 hours for core services.
10. Responsible disclosure
We welcome security researchers who responsibly disclose vulnerabilities. If you discover a potential security issue, please email security@pricelyzer.app with a description of the issue and steps to reproduce. We will acknowledge your report within 48 hours and work to resolve confirmed vulnerabilities promptly. We do not currently operate a paid bug bounty program, but we credit researchers in our security advisories with their consent.
Please do not attempt to access, modify, or destroy data belonging to other users. Testing should be limited to your own Pricelyzer account.
Contact
Security inquiries and vulnerability reports: security@pricelyzer.app
General privacy and data inquiries: privacy@pricelyzer.app