Security

How we protect your data.

Security is foundational to how itervai operates. Our systems are designed to meet the requirements of the Amazon Services API Data Protection Policy and to exceed baseline expectations for data handling, access control, and incident response.

Infrastructure

All data is processed and stored within Amazon Web Services (AWS) infrastructure in the United States. We do not use third-party sub-processors for handling, processing, or storing Amazon seller or buyer data.

Our infrastructure is provisioned using infrastructure-as-code with version-controlled configurations. Changes to production infrastructure require review and approval before deployment.

Data Encryption

Encryption at Rest

All data is encrypted using AES-256. Personally Identifiable Information receives additional application-level encryption (AES-256-GCM) before database storage.

Encryption in Transit

All data transmitted between systems — including API calls, database connections, and client-facing interfaces — uses TLS 1.2 or higher.

Key Management

Encryption keys are managed through AWS Key Management Service (KMS) with automatic annual rotation. Access to keys is restricted by IAM policies with least-privilege enforcement.

Backup & Recovery

Encrypted database backups are stored in a geographically separate AWS region for disaster recovery. Backup integrity is verified regularly.

Access Controls

  • All personnel with access to production systems use unique identities with Multi-Factor Authentication (MFA) enforced
  • Access follows the principle of least privilege and is granted through role-based access control (RBAC)
  • Access is reviewed quarterly and revoked immediately upon role change or termination
  • Production data is accessible only through company-managed systems — personal devices cannot access customer or Amazon data
  • Administrative access to infrastructure requires separate credentials with additional MFA verification

Data Retention

  • Amazon buyer PII: Deleted within 30 days of order delivery. Retained only for tax invoice generation and sales tax calculation.
  • Non-PII Amazon data: Retained for the duration of the seller’s active authorization. Deleted within 30 days of authorization revocation or contract termination.
  • Account information: Retained for the duration of the active account. Deleted within 30 days of account closure, except where retention is required by law.

All data disposal uses secure deletion methods that render data unrecoverable.

Amazon Buyer PII: We never use buyer PII for marketing, advertising, buyer profiling, or any purpose beyond statutory tax compliance. Buyer PII is never aggregated across sellers or shared with third parties.

Incident Response

In the event of a security incident involving customer or Amazon data:

  • Amazon is notified at security@amazon.com within 24 hours of detection
  • Affected clients are notified promptly with details about the nature and scope of the incident
  • Our incident response plan includes containment, investigation, remediation, and prevention procedures
  • The incident response plan is reviewed and tested regularly

Compliance

itervai complies with the Amazon Services API Data Protection Policy, the Acceptable Use Policy, and the Amazon Services API Solution Provider Agreement. Our practices include:

  • PII retention limited to 30 days after order delivery
  • Encryption of all PII at rest (AES-256) and in transit (TLS 1.2+)
  • No use of Amazon data for AI/ML model training
  • No sharing of Amazon data with third parties
  • 24-hour incident notification to Amazon
  • Quarterly access reviews and periodic penetration testing

Contact

To report a security concern or request information about our security practices:

Email: security@itervai.com