Trust Center
Enterprise Data Standards. Institutional-Grade Infrastructure.
Parcel & Plenty was architected from the ground up with data integrity, API compliance, and enterprise security as non-negotiable foundations. We do not scrape. We do not proxy. We do not resell raw marketplace data.
- SOC 2 Type II: Security & Availability
- AWS ap-southeast-2: Sydney primary region
- SP-API Authorised: Amazon Developer Program
- Privacy Act: Australian Privacy Principles
Amazon SP-API Compliance
Amazon Selling Partner API — Authorised Data Access Only
All marketplace data within the Parcel & Plenty platform is obtained exclusively through Amazon's official Selling Partner API (SP-API), in full compliance with Amazon's API Usage Plan, Data Protection Policy (DPP), and Acceptable Use Policy (AUP). Parcel & Plenty maintains an active, reviewed SP-API application registration under the Amazon Developer Program.
Client data accessed via SP-API is scoped exclusively to that client's own Seller Central account credentials — authorised through Amazon's standard OAuth 2.0 flow with Login with Amazon (LWA). We never access, aggregate, or cross-reference SP-API data across different clients. Authorisation is role-scoped and may be revoked at any time directly from the client's Seller Central account without contacting Parcel & Plenty.
Our application is registered under the “Data analytics and business intelligence” use case classification. We do not use SP-API access for repricing, automated listing modification, or inventory management on behalf of clients.
SP-API Specifications
- Application Type: Data Analytics & Business Intelligence
- Authorisation Method: Amazon OAuth 2.0 (Login with Amazon)
- Data Isolation: Per-client — no cross-account data sharing
- Revocation: Client-controlled via Seller Central at any time
- Data Retention: Per Amazon DPP — purged on contract end + 90 days
- Access Review: Participating in Amazon's periodic access review programme
Data Security
SOC 2 Type II | End-to-End Encryption | RBAC
Parcel & Plenty is SOC 2 Type II compliant, with annual third-party audits covering the Trust Services Criteria of Security, Availability, and Confidentiality. Our security posture is reviewed and updated on an ongoing basis.
Security Specifications
- Encryption at Rest: AES-256 via AWS KMS — Customer Managed Keys on Enterprise
- Encryption in Transit: TLS 1.3 enforced on all API endpoints and client sessions
- Authentication: Role-Based Access Control (RBAC) + mandatory MFA for all users
- Penetration Testing: Quarterly — certified independent testers
- Incident Response: Critical: 4-hour client notification | High: 24-hour
- Data Retention: Contract term + 90 days. Hard-delete on written request.
- Audit Logs: Immutable — 12-month retention (CloudTrail + S3)
Infrastructure
Built on AWS. Designed for Resilience.
Parcel & Plenty is deployed exclusively on Amazon Web Services, with primary infrastructure hosted in the ap-southeast-2 (Sydney) region. All infrastructure is defined as code (Terraform), ensuring every environment is version-controlled, auditable, and reproducible. We maintain a 99.9% monthly uptime SLA backed by financial service credits.
Infrastructure Stack
- Compute: AWS ECS (Fargate) — serverless container orchestration
- Database: Amazon RDS PostgreSQL — Multi-AZ failover
- Data Warehouse: Amazon Redshift — columnar storage for analytical workloads
- API Delivery: AWS API Gateway + Lambda — scalable low-latency endpoints
- CDN: Amazon CloudFront — sub-100ms global content delivery
- Monitoring: Amazon CloudWatch + PagerDuty — 24/7 alerting
- Secrets: AWS Secrets Manager — no credentials in code or env files
- Backups: Automated daily snapshots — 35-day retention, tested quarterly
Privacy & Compliance
Australian Privacy Act & GDPR — Compliant by Default
Parcel & Plenty is operated by Parcel & Plenty Pty Ltd, an Australian Proprietary Company. We comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) as the primary regulatory framework for all personal data handling.
For clients operating in the European Economic Area or the United Kingdom, Parcel & Plenty provides a formal Data Processing Agreement (DPA) as a binding contractual addendum addressing GDPR Article 28 processor obligations. The DPA also aligns with Amazon's Data Protection Policy (DPP) for authorised SP-API application developers.
Enterprise clients receive a DPA as a standard contract component. Mid-market clients may request a DPA as a contractual addendum at no additional cost.
Security Enquiries
To report a security vulnerability or request our full security documentation package, contact our security team directly.
security@parcelandplenty.com.au