Security

Our Security Commitment

Peaklyst handles sensitive commercial data on behalf of Amazon sellers — listing content, listing attributes, and category requirements. We treat this data with the same seriousness as our own. This page describes the controls we have in place to keep your data secure, the standards our infrastructure meets, and how to report a security issue.

Infrastructure Security

Peaklyst runs on a dedicated, multi-cluster Kubernetes platform operated by our parent company tupevo S.àr.l.-S. Production workloads are isolated from development and staging environments on separate physical clusters. Every container runs as a non-root user with a read-only root filesystem, all Linux capabilities dropped, and the default seccomp profile enforced.

Base images for production services are distroless — they contain no shell, package manager, or auxiliary system utilities. This dramatically reduces the attack surface available to a compromised dependency. All container images are continuously scanned for known vulnerabilities (Trivy) and CI blocks any build that introduces a CRITICAL or HIGH severity CVE.

Encryption

All data in transit is encrypted with TLS 1.3. Internal service-to-service traffic inside our Kubernetes clusters is also encrypted via Cilium-managed mutual TLS. Data at rest is encrypted with AES-256 on every storage volume and in every managed database.

Database backups are encrypted, stored in a separate region from the primary database, and retained for a rolling window. Backup restore drills are performed regularly to verify recoverability.

Tenant Isolation

Customer data is isolated at the database layer through PostgreSQL row-level security (RLS) policies. Every query issued by the application is scoped to the authenticated tenant automatically, so no customer can read or modify another customer's data — even if an application-level bug were to accidentally request it.

Amazon marketplace data in particular is strictly segregated per seller account. Under no circumstances is one customer's listing or keyword data visible to another customer, nor is it used to train models or improve results for other accounts.

Authentication and Access Control

Customer accounts authenticate via email and password with optional two-factor authentication (2FA) using TOTP. Password hashes use bcrypt with a per-user salt. Session tokens are short-lived and bound to the originating device fingerprint.

Amazon Seller integration uses the official Selling Partner API (SP-API) OAuth flow. Peaklyst never stores your Amazon password. The refresh tokens we receive from Amazon are encrypted with an application-layer key before being written to our database.

Internal administrative access is restricted to named engineers on the security team. All administrative actions on production data are logged to an append-only audit trail. Access is granted on a least-privilege basis and reviewed quarterly.

Network Security

Production services communicate over private cluster networks; no database, cache, or internal service is reachable from the public internet. External access is only possible via Cloudflare Tunnels, which provide DDoS protection, WAF filtering, and bot mitigation before any request reaches our ingress gateway.

Cilium NetworkPolicies enforce default-deny ingress on every production namespace — services may only reach the specific peers they have been explicitly authorized to talk to. All inter-cluster traffic is encrypted.

Secrets Management

Credentials, API keys, and signing keys are never stored in source code, container images, or environment configuration files. All secrets live in an encrypted OpenBao vault and are delivered to workloads at runtime by the External Secrets Operator. Secrets rotate automatically and every access is logged.

Supply Chain Security

Third-party dependencies are verified at build time (go mod verify for Go, npm ci --ignore-scripts for Node) and install-time code execution is disabled. Container images are built exclusively in our CI pipeline from signed commits on the main branch — no image is ever pushed manually to our registry. GitHub Actions are pinned to commit SHAs rather than tags to defend against tag hijacking.

Amazon Data Protection Policy

As a Selling Partner API developer, Peaklyst complies with Amazon's Data Protection Policy (DPP). We do not request, store, or process Amazon buyer Personally Identifiable Information (PII). Our SP-API authorization is limited to the Product Listing role (non-restricted) and does not include any PII-bearing scopes.

In the event of a confirmed security incident affecting Amazon marketplace data, we will notify Amazon within 24 hours of discovery, as required by the DPP, and notify affected customers without undue delay.

Monitoring and Incident Response

Production services emit structured logs, metrics, and traces to a dedicated observability cluster (Prometheus, Loki, Grafana, Glitchtip). Anomalies — error-rate spikes, authentication failures, unexpected access patterns — page the on-call engineer through Slack and PagerDuty.

Our incident response process has four stages: triage, containment, eradication, and post-incident review. Every high-severity incident receives a written post-mortem within ten business days, and systemic fixes are tracked to completion.

Secure Development

Every change to the codebase passes through code review and automated security tooling before it can be merged. Go code is linted with gosec (injection, credential, and crypto checks) and govet. Container images are scanned with Trivy on every push, and CI fails on any CRITICAL or HIGH finding. We maintain a dedicated main branch protection policy that requires all status checks to pass before merge.

Data Retention and Deletion

Customer data is retained while your subscription is active and deleted within 90 days of account closure (including backups). If you revoke Peaklyst's SP-API authorization in Seller Central, we stop accessing your Amazon data immediately and delete the stored marketplace data within 30 days. See the Privacy Policy for full details on retention windows.

Reporting a Vulnerability

We welcome reports from security researchers. If you believe you have discovered a vulnerability in the Peaklyst platform, please email [email protected] with a detailed description, reproduction steps, and your contact information. We will acknowledge your report within 48 hours and provide a remediation timeline.

We ask that you give us reasonable time to investigate and fix before disclosing publicly, that you do not exfiltrate data beyond what is necessary to demonstrate the issue, and that you do not disrupt the service for other customers. We will not pursue legal action against researchers acting in good faith under these guidelines.

Compliance

Peaklyst's controls are designed to meet GDPR (EU/EEA), CCPA (California), and Amazon's SP-API Data Protection Policy. As an EU-based operator, we comply with Luxembourg and European data protection law under the supervision of the Commission Nationale pour la Protection des Données (CNPD).

Contact

For questions about our security posture, to request our security documentation, or to report a concern, contact us at:

• Security & privacy: [email protected]
• General inquiries: Contact page