Security & Compliance

Bamboo Rank handles Amazon seller data on behalf of clients who have authorised us to manage their advertising. This page sets out, openly, the security controls that protect that data and the commitments we make to Amazon and to clients under the Amazon Data Protection Policy.

01Our security philosophy

Bamboo Rank operates a focused, specialist practice. Our security model is built around concentrated processing of Amazon seller data, not adapted from enterprise frameworks that assume a different operating shape. We process the minimum data needed to deliver the contracted advertising service. Amazon datasets, reports, and any buyer or order data are handled only on a managed workstation, with no cloud relay for that data and no third-party data pipeline. The authorisation handshake by which clients grant Bamboo Rank access uses a small, scoped serverless component on our own domain; this component handles only the OAuth flow itself and never holds Amazon datasets, reports, or buyer data. It is described in full in section 08. Other limited exceptions, Bamboo Rank's own operational records and a single client-owned analytics figure, are described in the same section and also involve no Amazon datasets, reports, or buyer data.

The principles below are not aspirational. They are operational commitments, reviewed every six months and enforced by the workflow tooling we build in-house.

02Headline commitments

The following commitments apply to all Amazon seller data accessed through the Selling Partner API and Advertising API. They reflect the requirements of the Amazon Data Protection Policy and our own internal standards.

• 24h Incident notification We notify Amazon at [email protected] within 24 hours of detecting any security incident affecting Amazon seller data, in line with the Data Protection Policy. Affected clients are informed in parallel.
• 7d Critical vulnerabilities Critical-risk vulnerabilities are remediated within 7 days of discovery. Patching cadence is enforced for the operating system, runtime, and all dependencies.
• 30d High-risk vulnerabilities High-risk vulnerabilities are remediated within 30 days of discovery, tracked through the internal vulnerability log.
• 12m Audit log retention Every API request to Amazon is recorded in structured audit logs, retained for at least 12 months and no longer than 18 months, in line with the Amazon Data Protection Policy.
• 0 Sub-processors for Amazon data Bamboo Rank transmits no Amazon datasets, reports, or buyer data to any third-party cloud service, analytics platform, or AI training pipeline. See section 08 for the full processing chain and the limited, scoped exceptions.

03Incident response plan

Bamboo Rank maintains a documented incident response plan, reviewed by the founder every six months. The plan covers preparation, identification, containment, eradication, recovery, and lessons-learned phases, with specific procedures for the most likely categories of incident: credential compromise, unauthorised access, data leak, and malicious code.

Notification timeline

In the event of a confirmed security incident affecting Amazon seller data, the following notification timeline applies:

• Immediate: kill switch activated to halt all Amazon API access; affected credentials rotated.
• Within 24 hours: Amazon notified at [email protected]. Affected clients informed.
• Within 72 hours: preliminary post-incident report drafted, including scope assessment and provisional root-cause findings.
• Within 30 days: full post-incident review completed, controls updated, plan revised where necessary.

Incident Management Point of Contact

As required by the Data Protection Policy, Bamboo Rank designates an Incident Management Point of Contact (IMPOC) responsible for receiving and coordinating responses to security communications. The current IMPOC is the founder, Obbin Amihere, reachable at [email protected]. This contact is monitored and acted upon within 24 hours.

04Encryption and credentials

Encryption at rest

The managed workstation runs full-disk encryption (Apple FileVault). All local copies of Amazon seller data, audit logs, and credential stores are encrypted at rest. Backups are encrypted and stored only on encrypted media under direct operator control.

Encryption in transit

All communications with Amazon APIs, Notion, Slack, and other authorised services use TLS 1.2 or higher. Plain-text communication is not used for any operational traffic.

Credential management

Per-client OAuth refresh tokens are obtained through a deliberate authorisation flow. The client clicks an authorisation action on a page hosted at bamboorank.com, signs in to their own Seller Central, and approves the access on Amazon's own consent screen. Bamboo Rank never sees the client's Amazon password. Amazon then redirects the client back to a small serverless component on our domain, which exchanges Amazon's short-lived authorisation code for a refresh token, verifies the token works against the region it was intended for, and only then accepts it. The verified refresh token is moved promptly into an encrypted credential store on the managed workstation; the brief transit copy in the serverless layer carries an expiry and is consumed by the workstation on retrieval. Tokens are never embedded in shared documents, never sent over email, and never logged in plain text. The Amazon-issued LWA client secret used to perform the token exchange is held in two controlled locations: the managed workstation and a scoped encrypted secret on the serverless layer that performs the exchange; it is never present in source code, in version control, or in any document. The LWA client secret follows Amazon's enforced 180-day rotation cycle. Per-client refresh tokens are rotated annually as required by Amazon's authorisation lifecycle, and immediately upon any suspected exposure.

05Access controls

Access to Amazon seller data is strictly limited and governed by the following standing controls, which apply regardless of whether the practice is operated by one person or a small team:

• Access granted only on the principle of least privilege, scoped to the specific engagement, and removed when no longer needed.
• Multi-factor authentication required on every account with Amazon API access.
• Account passwords generated by a password manager: a minimum of 16 characters, mixed character types, unique to each account, and never reused.
• Passwords rotated at least annually, with a minimum password age of one day.
• Account lockout after 10 unsuccessful authentication attempts.
• Password history retained for the last 10 passwords; reuse prohibited.
• Access for any departing personnel revoked within 24 hours.
• Quarterly review of all active access permissions.

06Audit logging and monitoring

Every interaction with Amazon's APIs is recorded in structured logs (JSON format), capturing the timestamp, the API operation, the parameters, the client account context, the response status, and any error condition. The logs are designed to support incident investigation and to demonstrate compliance during audit.

Logs are retained for at least 12 months, in line with the Amazon Data Protection Policy, and are not retained beyond 18 months as they contain no buyer personal data. Anti-tamper protections include append-only storage and periodic integrity checks.

07The kill switch

Macro Runner, our internal automation tooling, implements a kill switch that halts all Amazon API access immediately, both globally and on a per-client basis. The kill switch is checked before every Amazon API call. It exists for two reasons:

• To contain a suspected incident without waiting for credential rotation to complete.
• To pause activity during planned maintenance, credential rotation, or compliance review without risk of automated calls completing in the background.

The kill switch is implemented at the code level. It cannot be silently bypassed by any individual API call.

08Sub-processors and external services

Bamboo Rank does not transmit Amazon datasets, reports, or any buyer or order data to a sub-processor. The core processing chain for Amazon data is:

• Amazon SP-API and Ads API: source of the data, governed by Amazon's own policies.
• Bamboo Rank's managed workstation: sole processing location for Amazon datasets and reports, FileVault-encrypted.
• Amazon SP-API and Ads API: destination for any updates pushed back, such as bid changes or campaign edits.

No third party sits between these endpoints, and Amazon datasets, reports, and buyer data are never transmitted to a cloud database, an analytics service, an AI training pipeline, or any other downstream system. Three scoped exceptions, none of which involves Amazon datasets, reports, or buyer data, are disclosed here for transparency:

• Authorisation handshake (Cloudflare): client authorisations are initiated and received on small, scoped serverless components hosted at bamboorank.com. These components run on Cloudflare Pages Functions and handle the OAuth flow itself, generating the cryptographic challenge values, receiving Amazon's authorisation code, exchanging it for a refresh token, and verifying the token is valid for the region it was intended for. The Amazon-issued LWA client secret required for that exchange is held only as an encrypted environment variable scoped to these components; it is never visible to anyone with dashboard access, including Bamboo Rank, and is never written to logs or to any document. The short-lived authorisation code Amazon issues, the cryptographic challenge values, and the brief transit copy of a verified refresh token all have a defined expiry and are deleted on consumption. No Amazon datasets, reports, listings data, or buyer information ever passes through this layer; its sole purpose is the authorisation handshake.
• Document workspace (Notion): Bamboo Rank maintains its own operational records, logs of the bid changes it makes on client campaigns, and proprietary methodology parameters such as portfolio bid multipliers, in Notion. These are Bamboo Rank's own working records and methodology, not Amazon datasets, reports, listings data, or buyer information.
• Client-owned analytics (Scale Insights): for some clients, Bamboo Rank reads a single per-product profit-margin figure from Scale Insights as an input to bid optimisation. The figure is calculated by Scale Insights from the client's own Amazon sales data and cost inputs and is the client's business metric. The subscription is the client's own; the client links their own Amazon account and adds Bamboo Rank as a user. Bamboo Rank transmits no Amazon datasets, reports, or buyer data to Scale Insights.

Where other business operations require third-party services that touch only non-Amazon business data, accounting software, password managers, the Calendly booking platform, each is reviewed for its own compliance posture and bound by its own contractual confidentiality obligations.

09Vulnerability management

We maintain an ongoing vulnerability management process for the workstation, the operating system, and all software dependencies used in Macro Runner. Specific elements include:

• Automatic security updates enabled on macOS and on all critical applications.
• Dependency scanning on every commit to the Macro Runner codebase, using the package manager's standard advisory feed.
• Manual review of dependency advisories on a weekly cadence.
• Critical-risk findings remediated within 7 days; high-risk within 30 days.
• Anti-malware controls enabled and configured to prevent disablement.

Network and endpoint controls

The managed workstation runs the macOS application firewall with stealth mode enabled, on-demand anti-malware (Malwarebytes) alongside the always-on macOS Gatekeeper and XProtect protections, and a host-based outbound-connection monitor (LuLu) that alerts on unexpected network activity. Because Bamboo Rank processes Amazon data on a single dedicated device on a private network rather than across a multi-host network, controls are deliberately matched to that model: the dedicated workstation and private network perform the isolation role that network segmentation serves in a larger environment, with an encrypted VPN as additional defence-in-depth, in place of enterprise network-perimeter intrusion appliances designed for infrastructure Bamboo Rank does not operate.

10Risk assessment cadence

Bamboo Rank conducts a formal annual risk assessment covering:

• The threat landscape relevant to Amazon advertising service providers.
• The control framework against the latest version of the Amazon Data Protection Policy.
• Any changes to the operating environment, infrastructure, staffing, geography, third-party tooling.
• Any incidents or near-misses observed during the prior twelve months.

The assessment is documented and reviewed by the founder. Findings inform updates to this page, to the internal incident response plan, and to the working procedures of the agency.

11Data retention and deletion

Operational files retrieved during a workflow run, campaign data, listings reports, optimisation outputs, are deleted at the end of the run. Only the structured audit logs are retained, on the schedule described above.

When a client terminates the engagement, all client-specific operational data is deleted within 30 days. Audit logs, which contain no buyer personal data, are retained for at least 12 months and no longer than 18 months, in line with the Amazon Data Protection Policy.

12Reporting a security concern

If you believe you have identified a security issue affecting Bamboo Rank, our website, or Amazon seller data we handle, please write to [email protected]. We aim to provide a substantive response within 24 hours.

We welcome responsible disclosure. If you are a security researcher, please give us reasonable time to investigate and remediate before any public disclosure.