Bamboo Rank handles Amazon seller data on behalf of clients who have authorised us to manage their advertising. This page sets out, openly, the security controls that protect that data and the commitments we make to Amazon and to clients under the Amazon Data Protection Policy.
01 Our security philosophy
Bamboo Rank operates a focused, specialist practice. Our security model is built around concentrated processing of Amazon seller data, not adapted from enterprise frameworks that assume a different operating shape. We process the minimum data needed to deliver the contracted advertising service, on a managed workstation, with no cloud relay, no shared storage, and no third-party data pipelines.
The principles below are not aspirational. They are operational commitments, reviewed every six months and enforced by the workflow tooling we build in-house.
02 Headline commitments
The following commitments apply to all Amazon seller data accessed through the Selling Partner API and Advertising API. They reflect the requirements of the Amazon Data Protection Policy and our own internal standards.
- 24h incident notification: We notify Amazon at security@amazon.com within 24 hours of detecting any security incident affecting Amazon seller data, in line with the Data Protection Policy. Affected clients are informed in parallel.
- 7d critical vulnerabilities: Critical-risk vulnerabilities are remediated within 7 days of discovery. Patching cadence is enforced for the operating system, runtime, and all dependencies.
- 30d high-risk vulnerabilities: High-risk vulnerabilities are remediated within 30 days of discovery, tracked through the internal vulnerability log.
- 90d audit log retention: Every API request to Amazon is recorded in structured audit logs, retained for at least 90 days and longer where compliance requires.
- 0 sub-processors for Amazon data: No third-party cloud service, analytics platform, or AI training pipeline receives Amazon seller data. Processing happens entirely on the managed workstation.
03 Incident response plan
Bamboo Rank maintains a documented incident response plan, reviewed by the founder every six months. The plan covers preparation, identification, containment, eradication, recovery, and lessons-learned phases, with specific procedures for the most likely categories of incident: credential compromise, unauthorised access, data leak, and malicious code.
Notification timeline
In the event of a confirmed security incident affecting Amazon seller data, the following notification timeline applies:
- Immediate: kill switch activated to halt all Amazon API access; affected credentials rotated.
- Within 24 hours: Amazon notified at security@amazon.com. Affected clients informed.
- Within 72 hours: preliminary post-incident report drafted, including scope assessment and provisional root-cause findings.
- Within 30 days: full post-incident review completed, controls updated, plan revised where necessary.
Incident Management Point of Contact
As required by the Data Protection Policy, Bamboo Rank designates an Incident Management Point of Contact (IMPOC) responsible for receiving and coordinating responses to security communications. The current IMPOC is the founder, Obbin Amihere, reachable at security@bamboorank.com. This mailbox is monitored, and messages are acted upon within 24 hours.
04 Encryption and credentials
Encryption at rest
The managed workstation runs full-disk encryption (Apple FileVault). All local copies of Amazon seller data, audit logs, and credential stores are encrypted at rest. Backups are encrypted and stored only on encrypted media under direct operator control.
Encryption in transit
All communications with Amazon APIs, Notion, Slack, and other authorised services use TLS 1.2 or higher. Plain-text communication is not used for any operational traffic.
Credential management
Per-client OAuth refresh tokens are issued individually through Amazon's "Manage Your Apps" flow in Seller Central. Tokens are stored in an encrypted credential store outside source control, never embedded in shared documents, never sent over email, and never logged in plain text. Credentials are rotated on a regular cadence and immediately upon any suspected exposure.
05 Access controls
Access to Amazon seller data is strictly limited and governed by the following standing controls, which apply regardless of whether the practice is operated by one person or a small team:
- Access granted only on the principle of least privilege, scoped to the specific engagement, and removed when no longer needed.
- Multi-factor authentication required on every account with Amazon API access.
- Account lockout after 10 unsuccessful authentication attempts.
- Password history retained for the last 10 passwords; reuse prohibited.
- Access for any departing personnel revoked within 24 hours.
- Quarterly review of all active access permissions.
06 Audit logging and monitoring
Every interaction with Amazon's APIs is recorded in structured logs (JSON format), capturing the timestamp, the API operation, the parameters, the client account context, the response status, and any error condition. The logs are designed to support incident investigation and to demonstrate compliance during audit.
Logs are retained for a minimum of 90 days, and longer where compliance, legal, or insurance considerations require. Anti-tamper protections include append-only storage and periodic integrity checks.
07 The kill switch
Macro Runner, our internal automation tooling, implements a kill switch that halts all Amazon API access immediately, both globally and on a per-client basis. The kill switch is checked before every Amazon API call. It exists for two reasons:
- To contain a suspected incident without waiting for credential rotation to complete.
- To pause activity during planned maintenance, credential rotation, or compliance review without risk of automated calls completing in the background.
The kill switch is implemented at the code level. It cannot be silently bypassed by any individual API call.
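As an added illustration (not Macro Runner's code) of the gate described above and of the structured audit record from section 06: every request passes through one client method that consults the switch first and writes a JSON log line whatever the outcome, with each line chained to the previous line's hash so the periodic integrity check can detect tampering. The `transport` callable, client identifiers and operation names are placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

class KillSwitchEngaged(Exception):
    pass

class KillSwitch:  # global and per-client halt flags (hypothetical, not Macro Runner's code)
    def __init__(self):
        self.global_halt, self.halted_clients = False, set()
    def halt_all(self):
        self.global_halt = True
    def halt_client(self, client_id):
        self.halted_clients.add(client_id)
    def allows(self, client_id):
        return not self.global_halt and client_id not in self.halted_clients

class AuditLog:  # append-only JSON lines; each record carries the SHA-256 of the previous line
    def __init__(self):
        self.records, self.prev_hash = [], "0" * 64
    def append(self, entry):
        line = json.dumps(dict(entry, prev_hash=self.prev_hash), sort_keys=True)
        self.prev_hash = hashlib.sha256(line.encode()).hexdigest()
        self.records.append(line)
    def verify(self):  # periodic integrity check: recompute the chain from the genesis value
        expected = "0" * 64
        for line in self.records:
            if json.loads(line)["prev_hash"] != expected:
                return False
            expected = hashlib.sha256(line.encode()).hexdigest()
        return True

class AmazonApiClient:  # single choke point: every request goes through call()
    def __init__(self, switch, log, transport):
        self.switch, self.log, self.transport = switch, log, transport
    def call(self, client_id, operation, params):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "client": client_id,
                 "operation": operation, "params": params}
        if not self.switch.allows(client_id):  # checked before every call, no bypass path
            self.log.append(dict(entry, status="blocked", error="kill switch engaged"))
            raise KillSwitchEngaged(client_id)
        try:
            status, body = self.transport(operation, params)  # the real HTTP call
        except Exception as exc:
            self.log.append(dict(entry, status="error", error=str(exc)))
            raise
        self.log.append(dict(entry, status=status, error=None))
        return body
```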
08 Sub-processors
Bamboo Rank does not transfer Amazon seller data to any sub-processor. The end-to-end processing chain is:
- Amazon SP-API and Ads API: source of the data, governed by Amazon's own policies.
- Bamboo Rank's managed workstation: sole processing location, FileVault-encrypted.
- Amazon SP-API and Ads API: destination for any updates pushed back, such as bid changes or campaign edits.
No third party sits between these endpoints. Amazon seller data is never transmitted to a cloud database, an analytics service, an AI training pipeline, or any other downstream system. Where business operations require third-party services that incidentally touch non-Amazon business data (accounting software, password managers, the Calendly booking platform), each is reviewed for its own compliance posture and bound by its own contractual confidentiality obligations.
09 Vulnerability management
We maintain an ongoing vulnerability management process for the workstation, the operating system, and all software dependencies used in Macro Runner. Specific elements include:
- Automatic security updates enabled on macOS and on all critical applications.
- Dependency scanning on every commit to the Macro Runner codebase, using the package manager's standard advisory feed.
- Manual review of dependency advisories on a weekly cadence.
- Critical-risk findings remediated within 7 days; high-risk within 30 days.
- Anti-malware controls enabled and configured to prevent disablement.
10 Risk assessment cadence
Bamboo Rank conducts a formal annual risk assessment covering:
- The threat landscape relevant to Amazon advertising service providers.
- The control framework against the latest version of the Amazon Data Protection Policy.
- Any changes to the operating environment: infrastructure, staffing, geography, third-party tooling.
- Any incidents or near-misses observed during the prior twelve months.
The assessment is documented and reviewed by the founder. Findings inform updates to this page, to the internal incident response plan, and to the working procedures of the agency.
11 Data retention and deletion
Operational files retrieved during a workflow run (campaign data, listings reports, optimisation outputs) are deleted at the end of the run. Only the structured audit logs are retained, on the schedule described above.
When a client terminates the engagement, all client-specific operational data is deleted within 30 days. Audit logs may be retained for the longer of 12 months or the period required by applicable law and regulation, in line with the Amazon Solution Provider Agreement record-keeping clause.
12 Reporting a security concern
If you believe you have identified a security issue affecting Bamboo Rank, our website, or Amazon seller data we handle, please write to security@bamboorank.com. We aim to provide a substantive response within 24 hours.
We welcome responsible disclosure. If you are a security researcher, please give us reasonable time to investigate and remediate before any public disclosure.
This page describes the controls Bamboo Rank operates as a service provider under the Amazon Data Protection Policy. It is not a substitute for our Privacy Policy, which addresses how we handle personal data more broadly, or for the Solution Provider Agreement, which is the contractual instrument between Bamboo Rank and Amazon.