Security at Every Layer
Data Border is built on defense-in-depth principles — from hardware-isolated virtual machines and encrypted networking to AES-256-GCM token encryption and per-request audit trails. Security is not a feature we added. It is the architecture.
Hosted on Audited, Hardened Infrastructure
Data Border runs on a major cloud platform with SOC 2 Type II certification, HIPAA readiness, and security practices designed for the most sensitive workloads. Your data is protected by the same class of infrastructure trusted by healthcare and financial services organizations.
SOC 2 Type II Audited
Our hosting infrastructure is independently audited against SOC 2 Type II controls for security, availability, and confidentiality. Documented controls are regularly reviewed and verified by third-party auditors.
Firecracker Micro-VM Isolation
Every Data Border instance runs inside its own Firecracker virtual machine — the same open-source hypervisor developed at AWS that powers Lambda and Fargate. Full hardware-level isolation, not shared containers.
LUKS Encrypted Volumes
All persistent storage is block-level encrypted using Linux LUKS with AES-XTS. Encryption keys are managed by the platform and are only accessible to processes running on the host assigned to your instance.
WireGuard Mesh Networking
All internal platform communication travels over a WireGuard mesh using 256-bit ChaCha20-Poly1305 encryption with Curve25519 key exchange. Your data is encrypted at every hop.
Default-Deny Networking
Nothing is exposed unless explicitly configured. Internal services communicate over a private IPv6 network that is completely invisible to the public internet. No security group rules to misconfigure.
DDoS Mitigation
Upstream traffic providers perform automated and manual DDoS mitigation including blackhole routing and traffic scrubbing. Your instance is protected before malicious traffic ever arrives.
Application-Level Security Controls
Beyond infrastructure, Data Border implements strict application-level controls purpose-built for protecting Amazon marketplace data.
AES-256-GCM Token Encryption
Amazon refresh tokens are encrypted at rest using AES-256-GCM with scrypt key derivation. Each seller's tokens are encrypted with a unique client-provided secret that Data Border never stores.
TLS 1.3 Exclusively
All API traffic is encrypted with TLS 1.3. Legacy protocols are not supported. Certificates are automatically provisioned and renewed via Let's Encrypt. HSTS headers enforce HTTPS-only access.
Web Application Firewall
An ML-powered WAF provides bot detection, credential stuffing prevention, IP reputation scoring, and adaptive rate limiting. Suspicious request patterns are blocked before they reach application code.
Multi-Layer Authentication
Four authentication layers protect Amazon data: JWT tokens, Data Border access tokens, seller access tokens, and the amazonTokenSecret. All four are required before any Amazon data is accessible.
Comprehensive Audit Logging
Every PII access is logged with order ID, seller ID, tenant ID, IP address, user agent, and timestamp. Structured JSON logs integrate with any SIEM platform for compliance reporting.
Intelligent Rate Limiting
Per-order, per-tenant, and per-IP throttling prevents bulk data extraction. PII access is limited to once per hour per order. Suspicious patterns, such as accessing shipped orders, trigger alerts.
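The once-per-hour-per-order PII limit and the audit record fields listed above can be enforced and logged in one place. The following is an added example, not Data Border's code: the class name, JSON field names, in-memory store and sample request values are assumptions made for illustration.

```javascript
// Added example: per-order PII throttle that emits one structured audit record
// per attempt, allowed or denied. Names and the in-memory Map are assumptions.
const PII_WINDOW_MS = 60 * 60 * 1000; // "once per hour per order"

class PiiAccessGate {
  constructor(sink = (line) => console.log(line)) {
    this.lastAllowed = new Map(); // [tenantId, orderId] -> ms time of last allowed access
    this.sink = sink;             // receives one JSON line per attempt (e.g. a SIEM shipper)
  }

  check(req, now = Date.now()) {
    // Key on tenant and order so one tenant cannot consume another's allowance.
    const key = JSON.stringify([req.tenantId, req.orderId]);
    const last = this.lastAllowed.get(key);
    const allowed = last === undefined || now - last >= PII_WINDOW_MS;
    // Only allowed requests move the window; denied retries do not extend it.
    if (allowed) this.lastAllowed.set(key, now);

    const record = {
      event: 'pii_access',
      decision: allowed ? 'allow' : 'deny_rate_limited',
      orderId: req.orderId,
      sellerId: req.sellerId,
      tenantId: req.tenantId,
      ip: req.ip,
      userAgent: req.userAgent,
      timestamp: new Date(now).toISOString(),
    };
    if (!allowed) {
      record.retryAfterSeconds = Math.ceil((PII_WINDOW_MS - (now - last)) / 1000);
    }
    // Denied attempts are logged too: repeated denials are the bulk-extraction signal.
    this.sink(JSON.stringify(record));
    return record;
  }
}

// Constructed sample request (documentation IP range, made-up identifiers).
const sampleRequest = {
  orderId: '111-0000000-0000001', sellerId: 'SELLER-EXAMPLE',
  tenantId: 'tenant-example', ip: '203.0.113.7', userAgent: 'wms-client/1.0',
};
```

In a multi-instance deployment the Map would be replaced by a shared store with atomic check-and-set, otherwise each instance grants its own hourly allowance.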
Data Protection Details
Concrete encryption standards for your security questionnaires and compliance reviews.
At Rest
- Volumes encrypted with LUKS / AES-XTS
- Object storage with server-side encryption
- Amazon tokens encrypted with AES-256-GCM
- scrypt key derivation (memory-hard, brute-force resistant)
In Transit
- TLS 1.3 for all external API traffic
- WireGuard (ChaCha20-Poly1305) for all internal traffic
- Certificate validation on all upstream connections
- HSTS enforcement prevents protocol downgrade
By Design
- amazonTokenSecret never stored — Data Border cannot decrypt tokens without it
- Customer PII fetched on-demand from Amazon, never persisted
- Labels stored encrypted, delivered direct to printers
- Scrubbed responses ensure your WMS never sees customer addresses
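The token scheme described under "AES-256-GCM Token Encryption" and the first "By Design" item (a secret that is never stored, so ciphertext alone cannot be decrypted) can be sketched with Node's built-in crypto module. This is an added example, not Data Border's code: the envelope layout, scrypt parameters, function names and the use of the seller ID as associated data are assumptions.

```javascript
// Added example: scrypt-derived key + AES-256-GCM, with the secret supplied per call
// and never persisted. Envelope layout (salt|iv|tag|ciphertext) is an assumption.
const crypto = require('node:crypto');

// Assumed cost parameters; N=2^15, r=8 needs about 32 MiB, so maxmem is raised.
const SCRYPT_PARAMS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32, SCRYPT_PARAMS); // 32 bytes = AES-256 key
}

function encryptToken(refreshToken, secret, sellerId) {
  const salt = crypto.randomBytes(16); // fresh salt per token: a new key every time
  const iv = crypto.randomBytes(12);   // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  // Binding the seller ID as AAD (an assumption here) makes a ciphertext copied
  // onto another seller's record fail authentication.
  cipher.setAAD(Buffer.from(sellerId, 'utf8'));
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptToken(envelope, secret, sellerId) {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < 16 + 12 + 16) throw new Error('envelope too short');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const ct = raw.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  decipher.setAAD(Buffer.from(sellerId, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws if the secret, seller ID, or any envelope byte is wrong.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected, e.g. with a wrong secret.
function decryptionFails(envelope, secret, sellerId) {
  try { decryptToken(envelope, secret, sellerId); return false; } catch { return true; }
}
```

Only the base64 envelope is written to storage; the secret arrives with each request and is discarded afterwards, so a database dump on its own yields no usable refresh tokens.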
Built for Compliance
Data Border is designed to satisfy the requirements your auditors and partners will ask about.
Amazon Data Protection Policy
Fully aligned with Amazon's SP-API Data Protection Policy. Built-in PII audit trails, data attribution, rate limiting, and suspicious activity detection meet all DPP requirements.
SOC 2 Type II Infrastructure
Hosted on independently audited infrastructure with documented controls for security, availability, processing integrity, confidentiality, and privacy.
HIPAA-Ready Platform
Our infrastructure provider supports HIPAA-compliant workloads and signs Business Associate Agreements (BAAs). Healthcare-grade security controls are standard, not optional.
Vulnerability Remediation SLAs
Critical vulnerabilities are patched within 24 hours, high-severity vulnerabilities within 1 week, and medium-severity vulnerabilities within 1 month. Automated dependency scanning and continuous security monitoring support these targets.
Security Questions?
If you have specific security or compliance questions, we're happy to discuss our architecture in detail. Contact us to learn more.
