Trust Center

Enterprise Data Standards. Institutional-Grade Infrastructure.

Parcels & Plenty was architected from the ground up with data integrity, API compliance, and enterprise security as non-negotiable foundations. We do not scrape. We do not proxy. We do not resell raw marketplace data.

Platform in Private Beta

Parcels & Plenty is currently in private beta ahead of general availability. The security architecture, compliance programme, and infrastructure specifications documented here represent our committed design standards and active implementation roadmap. Items marked “in progress” or “submitted” are being actively pursued — not yet achieved.

SOC 2 Type II: In Progress
AWS ap-southeast-2: Sydney — planned infrastructure
SP-API Application: Submitted — under review
Privacy Act: Australian Privacy Principles

Amazon SP-API Compliance

Amazon Selling Partner API — Authorised Data Access Only

All marketplace data within the Parcels & Plenty platform is obtained exclusively through Amazon's official Selling Partner API (SP-API), in full compliance with Amazon's API Usage Plan, Data Protection Policy (DPP), and Acceptable Use Policy (AUP). Parcels & Plenty has submitted an SP-API developer application under the Amazon Developer Program.

Client data accessed via SP-API is scoped exclusively to that client's own Seller Central account credentials — authorised through Amazon's standard OAuth 2.0 flow with Login with Amazon (LWA). We never access, aggregate, or cross-reference SP-API data across different clients. Authorisation is role-scoped and may be revoked at any time directly from the client's Seller Central account without contacting Parcels & Plenty.

Our application is registered under the “Data analytics and business intelligence” use case classification. We do not use SP-API access for repricing, automated listing modification, or inventory management on behalf of clients.

Parcels & Plenty is designed to be complementary to Amazon's marketplace — helping sellers make smarter advertising investment decisions, maintain pricing integrity, and identify the right categories for sustainable growth. Better-informed sellers drive more sales and better customer outcomes on Amazon.

SP-API Specifications

Application Type: Data Analytics & Business Intelligence
Authorisation Method: Amazon OAuth 2.0 (Login with Amazon)
Data Isolation: Per-client — no cross-account data sharing
Revocation: Client-controlled via Seller Central at any time
Data Retention: Per Amazon DPP — purged on contract end + 90 days
Access Review: Will participate in Amazon's periodic access review programme upon approval

Data Security

Security Architecture | End-to-End Encryption | RBAC

Parcels & Plenty is pursuing SOC 2 Type II certification, with the Trust Services Criteria of Security, Availability, and Confidentiality as the target scope. Our security architecture is designed to meet these standards from day one of the platform's general availability launch.

Security Specifications

Encryption at Rest: AES-256 via AWS KMS — Customer Managed Keys on Enterprise
Encryption in Transit: TLS 1.3 enforced on all API endpoints and client sessions
Authentication: Role-Based Access Control (RBAC) + mandatory MFA for all users
Penetration Testing: Quarterly — certified independent testers (from general availability)
Incident Response: Target SLA: Critical 4-hour notification | High 24-hour (from general availability)
Data Retention: Contract term + 90 days. Hard-delete on written request.
Audit Logs: Immutable — 12-month retention (CloudTrail + S3)

Infrastructure

Built on AWS. Designed for Resilience.

Parcels & Plenty is designed to be deployed exclusively on Amazon Web Services, with primary infrastructure in the ap-southeast-2 (Sydney) region. All infrastructure will be defined as code (Terraform), ensuring every environment is version-controlled, auditable, and reproducible. Our target uptime SLA from general availability is 99.9% monthly.

Infrastructure Stack

Compute: AWS ECS (Fargate) — serverless container orchestration
Database: Amazon RDS PostgreSQL — Multi-AZ failover
Data Warehouse: Amazon Redshift — columnar storage for analytical workloads
API Delivery: AWS API Gateway + Lambda — scalable low-latency endpoints
CDN: Amazon CloudFront — sub-100ms global content delivery
Monitoring: Amazon CloudWatch + PagerDuty — 24/7 alerting
Secrets: AWS Secrets Manager — no credentials in code or env files
Backups: Automated daily snapshots — 35-day retention, tested quarterly (from general availability)

Privacy & Compliance

Australian Privacy Act & GDPR — Compliant by Default

Parcels & Plenty (ABN 13 507 003 216) is an Australian-operated business. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) as the primary regulatory framework for all personal data handling.

For clients operating in the European Economic Area or the United Kingdom, Parcels & Plenty provides a formal Data Processing Agreement (DPA) as a binding contractual addendum addressing GDPR Article 28 processor obligations. The DPA also aligns with Amazon's Data Protection Policy (DPP) for authorised SP-API application developers.

Enterprise clients receive a DPA as a standard contract component. Mid-market clients may request a DPA as a contractual addendum at no additional cost.

API Data Access — Endpoint Mapping

Exactly Which Data We Access and Why

Parcels & Plenty accesses two distinct Amazon API surfaces: the Selling Partner API (SP-API) for seller account data, and the Amazon Ads API for advertising performance data. The table below maps each platform feature to the precise API endpoint or report type used, the data fields accessed, and the stated purpose — aligned to Amazon's approved use case classification of “Data analytics and business intelligence.”

Platform Feature → API Endpoint Mapping

Platform Feature | API | Endpoint / Report Type | Data Accessed
Share of Voice (Sponsored) | Amazon Ads API | Sponsored Products / Sponsored Brands — Targeting Report | Sponsored impression share, click share, spend by keyword, match type, and placement — scoped to client's own campaigns
Share of Search (Organic) | SP-API — Brand Analytics | GET_BRAND_ANALYTICS_SEARCH_TERMS_REPORT | Search frequency rank, click share, and conversion share by search term — weekly cadence, brand-registered sellers only
Pricing Strategy | SP-API — Reports API | GET_FLAT_FILE_ALL_ORDERS_DATA_BY_LAST_UPDATE_GENERAL | Order-level item price and promotion discount per ASIN — used to derive price history, promotion depth, and frequency patterns
Market Saturation Index | SP-API — Brand Analytics + Catalog Items API | GET_BRAND_ANALYTICS_SEARCH_TERMS_REPORT + getSearchCatalogItems | Search frequency signals (demand-side) and ASIN catalogue density and review velocity (publicly observable supply-side)
Advertising Forecasts | Amazon Ads API | Sponsored Products — Campaign Performance Report | Historical CPC, ACoS, impressions, clicks, and spend by keyword, match type, and placement — scoped to client's own account

Data Access Constraints

Scope: Per-client only — no cross-account data access or aggregation
Purpose: Analytics and business intelligence — no automated listing changes, repricing, or inventory actions
Brand Analytics: Accessed only for brand-registered sellers who have granted explicit permission
Ads API Scope: Read-only reporting — no campaign creation, modification, or budget changes
Raw Data: Not resold, redistributed, or shared with any third party

Client Authorisation Flow

How Clients Connect Their Amazon Account

All Amazon account access is initiated and controlled by the client using Amazon's standard OAuth 2.0 authorisation flow (Login with Amazon). Parcels & Plenty never receives or stores Amazon account credentials. The client grants specific, scoped permissions and may revoke access at any time without contacting us.

01

Client registers on the Parcels & Plenty platform

Account created with business email. No Amazon credentials requested or stored at this stage.

02

Client navigates to Settings → Connect Amazon Account

The platform displays a clear summary of the permissions that will be requested before the authorisation flow begins.

03

Client is redirected to Amazon's Login with Amazon (LWA) authorisation page

The redirect is to Amazon's own secure domain. Parcels & Plenty never intermediates or proxies this step.

04

Client reviews and grants specific permissions on Amazon's page

Permissions are role-scoped to the data types required. The client can see exactly what is being granted before confirming.

05

Amazon redirects back to the platform with an authorisation code

Redirect URI: https://app.parcelsandplenty.com/auth/callback — HTTPS enforced, registered with Amazon Developer Console.

06

Platform exchanges the authorisation code for a refresh token

The refresh token is stored encrypted via AWS Secrets Manager (AES-256, Customer Managed Keys on Enterprise). It is never stored in application code, environment files, or logs.

07

Connection confirmed — authorised data sync begins

The platform displays the client's connected Seller ID and the list of active permission scopes. Data ingestion begins for authorised endpoints only.

08

Client can revoke access at any time — no contact required

Revocation path: Seller Central → Settings → Login with Amazon → Manage Your Apps → Revoke access for Parcels & Plenty. Revocation takes effect immediately and triggers data purge per our retention policy.
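
The checks a callback handler would apply at steps 05 and 06, as an added example that is not Parcels & Plenty's own code. It validates the redirect against the registered URI, binds it to a single-use `state` value, and builds (without sending) the code-for-token request. Assumptions: the generic OAuth 2.0 parameter names `code` and `state`, a server-side `session` dict, the `client_id`/`client_secret` arguments, and Amazon's published LWA token endpoint, none of which appear on this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

REDIRECT_URI = "https://app.parcelsandplenty.com/auth/callback"  # as registered (from the page)
TOKEN_ENDPOINT = "https://api.amazon.com/auth/o2/token"  # LWA token endpoint (not on the page)
SENSITIVE = {"code", "client_secret", "refresh_token", "access_token"}


class CallbackRejected(Exception):
    """Raised when the redirect fails a check; no token exchange is attempted."""


def begin_authorisation(session):
    """Step 03: mint an unguessable state value and keep it server-side."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def handle_callback(callback_url, session, client_id, client_secret):
    """Steps 05-06: validate the redirect, then build the token request."""
    expected, got = urlsplit(REDIRECT_URI), urlsplit(callback_url)
    if (got.scheme, got.netloc, got.path) != (expected.scheme, expected.netloc, expected.path):
        raise CallbackRejected("callback does not match the registered redirect URI")
    query = parse_qs(got.query)
    state = query.get("state", [""])[0]
    stored = session.pop("oauth_state", None)  # pop: each state value works once
    if not stored or not hmac.compare_digest(state.encode(), stored.encode()):
        raise CallbackRejected("state missing or mismatched (CSRF or replay)")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise CallbackRejected("expected exactly one authorisation code")
    return {"url": TOKEN_ENDPOINT, "form": {
        "grant_type": "authorization_code",
        "code": codes[0],
        "redirect_uri": REDIRECT_URI,
        "client_id": client_id, "client_secret": client_secret,
    }}


def redact(fields):
    """Return a copy that is safe to log: codes, secrets and tokens are masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE else v) for k, v in fields.items()}
```
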

Authorisation Specifications

Auth Protocol: OAuth 2.0 — Login with Amazon (LWA)
Redirect URI: https://app.parcelsandplenty.com/auth/callback
Token Storage: AWS Secrets Manager — AES-256 encrypted, never in code or env files
Credential Handling: Amazon credentials never received, stored, or transmitted by Parcels & Plenty
Permission Scope: Role-scoped to contracted services — no excess permissions requested
Revocation Effect: Immediate — triggers data purge within 90 days per DPP

Security Enquiries

To report a security vulnerability or request our full security documentation package, contact our security team directly.

security@parcelsandplenty.com