Security

Controls for seller-authorized operating data.

NotERP uses least privilege, data minimization, access controls, encryption, audit logging, and incident response practices to protect seller data — including Brand Analytics reports authorized through SP-API.

Least privilege

Access is limited to the data needed for the enabled workflow and the assigned user role. SP-API roles are requested per workflow, not as a bundle.

Encryption

Seller data is encrypted in transit. Sensitive credentials (OAuth tokens, refresh tokens, API secrets) are stored using managed secret stores and access-scoped service accounts.

Auditability

Governed actions record evidence, requester, approver, idempotency key, execution status, external response, and outcome review for finance and operations audit.

Incident response

Security incidents are triaged, contained, investigated, and communicated to affected customers according to documented response procedures.

Data minimization

Decision and analytics workflows operate on seller-authorized business evidence and never read buyer PII. In this release, buyer PII does not enter NotERP at all — the service works only on the seller’s own business data. Brand Analytics is aggregated and anonymized at source. Details are in the Privacy Policy.

Vendor boundary

We do not sell seller data and do not share Amazon Information between sellers. All Amazon Information is retrieved directly from Amazon (SP-API and the Ads API) under seller authorization — there are no non-Amazon data sources. External processing is limited to the infrastructure subprocessors (cloud hosting, managed database, error monitoring) required to operate the service, each bound to use the data only on NotERP’s instructions. Details are in the Privacy Policy.

Security contact

Report a security issue.

Email security reports to security@noterp.ai.

Please include the affected account or tenant, suspected impact, timestamps, and steps to reproduce when available. We acknowledge security reports within one business day.