Audit & Compliance

Data Border is built from the ground up for compliance with Amazon's SP-API requirements. Every operation is logged, attributed, and auditable.

What Gets Logged

PII Access Events

Every PII access is recorded with comprehensive context:

{
  "type": "pii_access",
  "timestamp": "2024-01-15T10:30:00.000Z",
  "orderId": "123-4567890-1234567",
  "sellerId": "seller_abc123",
  "tenantId": "tenant_xyz789",
  "action": "getPII",
  "success": true,
  "ip": "203.0.113.42",
  "userAgent": "WMS-Client/1.0",
  "accessCount": 1,
  "isBlocked": false
}

Security Events

Security-relevant operations are logged separately:

{
  "type": "security",
  "timestamp": "2024-01-15T10:30:05.000Z",
  "event": "rate_limit_exceeded",
  "ip": "203.0.113.42",
  "endpoint": "/api/pii/getPII",
  "orderId": "123-4567890-1234567",
  "sellerId": "seller_abc123"
}

Authentication Events

{
  "type": "authentication",
  "timestamp": "2024-01-15T10:29:55.000Z",
  "event": "token_validated",
  "tokenType": "seller_access",
  "sellerId": "seller_abc123",
  "tenantId": "tenant_xyz789",
  "ip": "203.0.113.42"
}

Label & Print Operations

{
  "type": "label_proxy",
  "timestamp": "2024-01-15T10:30:10.000Z",
  "amazonOrderId": "123-4567890-1234567",
  "shipmentId": "ship_def456",
  "carrier": "easypost",
  "sellerId": "seller_abc123",
  "tenantId": "tenant_xyz789",
  "documentsCreated": 1
}

{
  "type": "print",
  "timestamp": "2024-01-15T10:31:00.000Z",
  "shipmentId": "ship_def456",
  "printCount": 1,
  "isReprint": false,
  "printerType": "label",
  "printerId": "warehouse-zebra-1",
  "documentsCount": 1
}

Log Categories

All logs include a type field for filtering and SIEM integration:

Type	Description	Examples
`security`	WAF events, violations	Rate limits, blocked IPs
`authentication`	Auth operations	Token validation, OAuth
`amazon_api`	SP-API interactions	Token generation, API calls
`pii_access`	PII operations	Get/block/complete PII
`label_proxy`	Label generation	Carrier requests, scrubbing
`print`	Print operations	Device Hub jobs, reprints
`passthrough`	API proxy	SP-API passthrough requests
`configuration`	Config changes	Setting updates
`health_check`	System health	Database, storage checks
`system`	App lifecycle	Startup, shutdown

Data Attribution

Amazon requires that data retrieved from SP-API be attributed to its source. Data Border automatically tags all data:

{
  "data_source": "sp-api",
  "retrieved_at": "2024-01-15T10:30:00.000Z",
  "seller_id": "A1B2C3D4E5F6G7",
  "marketplace_id": "ATVPDKIKX0DER"
}

This attribution is:

Included in API responses where appropriate
Stored with labels and documents
Available in audit logs

Rate Limiting & Throttling

Data Border implements multiple layers of rate limiting:

Per-Order PII Limits

Limit	Value	Purpose
Access per hour	1	Prevent repeated fetching
After completion	Blocked	No access to shipped orders
After manual block	Blocked	Explicit access termination

Per-Tenant Limits

Limit	Value	Purpose
File operations/day	50	Prevent bulk file extraction
Label requests	Carrier limits	Respect carrier rate limits

Per-IP Limits

Endpoint	Limit	Window
`/auth/*`	5 requests	10 seconds
General API	Adaptive	Based on patterns

WAF Protection (Arcjet)

When enabled, Arcjet provides:

SQL injection protection
XSS attack prevention
Request signature validation
Geographic blocking (if configured)

Suspicious Activity Detection

Data Border monitors for and alerts on unusual patterns:

Automatic Detection

Shipped order access: Attempting to access PII for orders already marked shipped
Bulk access patterns: Unusually high volume of PII requests
Off-hours access: Access outside normal business patterns
Geographic anomalies: Requests from unexpected locations
Failed authentication spikes: Potential credential attacks

Alerting

Suspicious activity generates:

Log entries with type: "security"
Optional webhook notifications
Dashboard alerts (if SIEM integrated)

Compliance Reports

PII Access Report

Query all PII access for a time period:

# Example: Query logs in your SIEM
type:pii_access AND timestamp:[2024-01-01 TO 2024-01-31]

Fields available:

orderId - Which order
sellerId - Which seller
tenantId - Which WMS
action - What was done
success - Whether it succeeded
ip - Source IP
timestamp - When

Print Audit Report

Track label printing:

type:print AND sellerId:seller_abc123

Fields available:

shipmentId - Which shipment
printCount - How many times
isReprint - Was it a reprint
printerType - Label or laser
printerId - Which printer

Integration with Logging Systems

BetterStack

Data Border logs integrate with BetterStack (or similar) via Fly.io log shipping:

# Deploy log shipper (one-time setup)
cd log-shipper
fly launch --org your-org --no-deploy
fly secrets set BETTER_STACK_SOURCE_TOKEN="your_token"
fly deploy --ha=false

Generic SIEM Integration

All logs are:

JSON formatted
Include consistent fields (type, timestamp, tenantId, sellerId)
Streamable to any log aggregator

Retention & Cleanup

What's Retained

Data Type	Retention	Notes
PII access logs	Configurable	Required for compliance
Security events	Configurable	Critical for audits
Labels/documents	Until deleted	Stored in S3
Amazon tokens	Until revoked	Encrypted at rest

What's NOT Retained

Customer PII (fetched on-demand)
Amazon access tokens (generated per-request)
Request/response bodies (only metadata logged)

Compliance Checklist

Use this checklist for Amazon compliance reviews:

PII Access Controls

All PII access logged with order ID
Access blocked after order completion
Rate limiting prevents bulk extraction
Manual blocking available

Data Security

Amazon tokens encrypted at rest (AES-256-GCM)
TLS for all communications
WAF protection available
IP-based rate limiting

Audit Trail

Complete PII access history
Security event logging
Print/reprint tracking
Data attribution

Data Minimization

PII fetched on-demand only
Scrubbed responses to WMS
Labels stored securely, printed directly
No unnecessary PII retention

Next Steps

Security Deep Dive

Understand Data Border's encryption and security architecture.

API Reference

Complete API documentation.