Built for sellers, designed for Amazon's compliance bar.
Flip IQ Batch holds the minimum data needed to analyze your catalogs. We don't request order data, buyer data, or PII to do core analysis.
Data in transit
All traffic uses TLS 1.3. Uploads are signed and chunked; no file is processed before integrity is verified.
Data at rest
Files and results are encrypted at rest (AES-256). Per-tenant keys; isolated storage buckets per organization.
Credentials
API keys are hashed at rest and shown once at creation. Seller authorization tokens are stored in a managed secret vault — never on application servers.
Access control
Role-based access for Team plans. SSO available for Team and Enterprise. All actions are audit logged.
Data minimization
We don't ingest buyer PII, order data, or financial account details for core catalog analysis. SP-API access is read-only and scoped.
Retention & deletion
You control retention. Jobs and exports can be deleted at any time. Account deletion purges all customer data within 30 days.
The exact security posture, by the numbers.
These are the controls a reviewer would expect to see on a Solution Provider operating under Amazon's Data Protection Policy. We meet or exceed each one.
How we find problems and how fast we fix them.
Hardening is one half of the job. Catching what gets through, and reacting fast, is the other. These are the operational practices we run continuously, not just before reviews.
Vulnerability scanning
Automated scans at least monthly. Critical vulnerabilities are resolved within 7 days, high-risk within 30 — the SLAs Amazon's DPP defines.
Logging & audit trail
Centralized logs from every system that touches Amazon data, retained 12 months. Bi-weekly manual review plus real-time anomaly alerting.
Incident response plan
Documented, approved by senior management, reviewed every 6 months. Tabletop exercises run twice a year.
Access management
Least-privilege by default. Quarterly access review for every role and service account. Personnel access disabled within 24 hours of termination.
Third-party risk
Annual risk assessment for every sub-processor. DPAs in place with each. We cooperate with any audit Amazon or its agents may request.
Incident Management Point of Contact
Per Amazon's Data Protection Policy, we maintain a designated IMPOC reachable around the clock for security incidents involving Amazon data. Any incident is reported to Amazon within 24 hours of detection.
Inference, not training. Your data stays yours.
- →Opportunity scoring and explanations run as inference over your authorized data inside our infrastructure.
- →We do not train shared or proprietary models on Amazon-sourced data.
- →Amazon Information is never used to develop or improve AI systems, in line with the 25 November 2025 update to Amazon's Acceptable Use Policy.
- →We do not share or sell prompts, completions, or any model input/output containing your data with third parties.
What we don't do
- ×Scrape Amazon storefronts or buyer-side pages.
- ×Store buyer names, addresses, or order history.
- ×Resell or share your catalog data with third parties.
- ×Train shared models on your private supplier files.