1. Overview
- Shelfdoc is operated by PGBDIC LLC (doing business as Shelfdoc), the legal entity that contracts with customers under the Terms of Service.
- Shelfdoc is a business-to-business SaaS tool for Amazon FBA sellers managing expiration-dated inventory.
- We connect to your Amazon seller account through the official Selling Partner API (SP-API) over OAuth. We do not access buyer information, customer addresses, or order PII.
- All connections to and from Shelfdoc use TLS. Sensitive credentials are encrypted at rest. Per-account data isolation is enforced at the database layer.
- The Service is currently focused on the United States marketplace (ATVPDKIKX0DER). Other marketplaces are roadmap items, not committed at launch.
2. Amazon data we access
Shelfdoc connects to Amazon Selling Partner API (SP-API) on your behalf using the OAuth refresh token you issue during the seller authorization flow. We call only the endpoints needed to track expiration dates, run FEFO pricing, and submit Disposal Requests:
- Read your current FBA inventory (FBA Inventory Reports).
- Read the expiration dates Amazon recorded at receiving (Inbound Plans).
- Submit FEFO price updates per MSKU (Listings Items API).
- Submit fulfillment-channel flips and Disposal Requests on your authorization (Feeds API).
- Read sales-velocity context that feeds the dashboard’s priority signals (Restock Inventory Report).
- Read the FBA customer returns report to surface ASIN-level Bin Check opportunities. Buyer comments are dropped at parse time; no buyer name, address, or comment is ever written, logged, or displayed.
Shelfdoc submits requests to Amazon at your direction. Amazon controls the outcome: for example, whether and when a Disposal Request is processed, or whether a price change is reflected on a listing. The Service shows honest status (applied, partial, error, no connection, no changes) so you always know what was actually accepted.
3. Amazon data we do not access
We do not call:
- Amazon Order endpoints
- Amazon Customer endpoints
- Any endpoint that returns buyer names, addresses, phone numbers, email addresses, or other personally identifiable information about your customers
- Any endpoint that returns financial settlement detail
No buyer PII is collected, stored, or transmitted. This is a structural property of the Service, not a configuration setting — the relevant SP-API roles are not requested from Amazon during application registration.
4. Encryption and credential protection
- Refresh tokens at rest: Amazon refresh tokens are encrypted with AES-256-GCM before being persisted. The encryption key (AMAZON_TOKEN_ENCRYPTION_KEY) is held in Vercel environment configuration, separate from the database.
- Other credentials at rest: Supabase encrypts all data at rest with AES-256 by default. Passwords are hashed by Supabase Auth — Shelfdoc never sees, stores, or logs plaintext passwords.
- In transit: every connection between your browser, Shelfdoc, Amazon SP-API, Stripe, Resend, and Supabase uses TLS 1.2 or higher. HTTP requests are auto-redirected to HTTPS.
- Server-side logging: we explicitly redact authorization codes, refresh tokens, access tokens, full request and response bodies for token-exchange paths, email addresses tied to user IDs, and full Postgres error envelopes from server logs. Logs retain non-sensitive operational identifiers (hashed user IDs, public ASINs, MSKU strings, feed IDs) needed for diagnostics.
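An added example, not Shelfdoc's code, of the refresh-token protection described in this section: AES-256-GCM with the key read from AMAZON_TOKEN_ENCRYPTION_KEY. The base64 key encoding, the v1.iv.ciphertext.tag envelope, the binding of the account ID as associated data, and all function names are assumptions.

```javascript
// Added example, not Shelfdoc's code. Envelope layout, key encoding and
// function names are assumptions made for illustration.
const crypto = require("node:crypto");

const VERSION = "v1"; // hypothetical envelope version tag, leaves room for key rotation

// Load the 32-byte AES-256 key from the environment (base64 by assumption).
function loadKey(env = process.env) {
  const key = Buffer.from(env.AMAZON_TOKEN_ENCRYPTION_KEY ?? "", "base64");
  if (key.length !== 32) {
    throw new Error("AMAZON_TOKEN_ENCRYPTION_KEY must decode to 32 bytes");
  }
  return key;
}

// Encrypt a refresh token before it is written to the database.
// accountId is bound as associated data (AAD), so a ciphertext copied
// into another account's row fails authentication on decrypt.
function encryptToken(key, accountId, token) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(accountId, "utf8"));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return [VERSION, ...[iv, ct, tag].map((b) => b.toString("base64url"))].join(".");
}

// Decrypt a stored envelope. Throws on any malformed or altered input.
function decryptToken(key, accountId, envelope) {
  const parts = envelope.split(".");
  if (parts.length !== 4 || parts[0] !== VERSION) {
    throw new Error("unsupported envelope");
  }
  const [iv, ct, tag] = parts.slice(1).map((p) => Buffer.from(p, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) {
    throw new Error("malformed envelope");
  }
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(accountId, "utf8"));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag, IV or AAD do not match
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Because the key lives outside the database, a database dump alone yields only these envelopes; the authentication tag additionally makes silent modification of a stored token detectable.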
5. Access control and isolation
- Inventory data is isolated per account at the database layer using Supabase Row-Level Security policies on every customer-data table. Customers cannot read another customer's data through normal application paths.
- The service-role database key is restricted to trusted server-side contexts (background jobs, Stripe webhook handlers, the SP-API client) and is never exposed to the browser.
- Two-factor authentication via TOTP is available in Settings → Two-Factor Auth. Shelfdoc supports the standard authenticator-app enrollment, verification, and disable flows.
6. Data retention
- Active inventory data (your tracked MSKUs, expiration dates, mapped removal dates, watchlist): retained while your subscription is active. Mapped rows transition through the lifecycle (Mapped → Recently Expired → Monitoring), but stay queryable on each page along the way.
- Disposal Requests and Bin Checks: retained while your subscription is active. Disposal Requests carry their Amazon Removal Order ID and the full state history; Bin Check cases carry the Seller Support Case ID, outcome, and seller decision.
- Inventory rows in Monitoring (archived) status: the underlying inventory_items row is automatically deleted 18 months after archival to keep the operational tables fast. This deletion removes the row, not the history — every event Shelfdoc ever logged for that MSKU stays in your Audit Log.
- Audit Log: every mapping, edit, Disposal Request, Bin Check decision, alert, and override is logged. The Audit Log is retained for the lifetime of your subscription with no automated purge. You can download a CSV of the full Audit Log at any time from the Activity page (Export), or pull a Support Packet from Settings. Industry standard varies (one to seven years); Shelfdoc's posture is to keep your audit trail intact as long as you're a customer.
- Subscription and account history: retained for 60 days after subscription cancellation, then permanently deleted by an automated daily job. Download anything you want to keep before the 60-day window closes.
- Amazon-derived data: when you revoke Shelfdoc's SP-API access in Seller Central, Shelfdoc immediately loses the ability to make further requests on your behalf. Amazon-derived rows persist in your Shelfdoc account until your overall subscription is cancelled (covered by the 60-day cancellation cron above), or until you trigger user-initiated deletion below.
7. Data deletion
- User-initiated deletion: at any time, from Settings → Account → Delete my data, you can permanently delete your Shelfdoc account and all data scoped to it. The action is gated by a typed confirmation dialog showing exactly which records will be removed (mapped inventory, removal orders, watched ASINs, Amazon connection, subscription). Deletion is immediate and irreversible.
- Automatic deletion on subscription cancellation: a daily background job removes any account that has been cancelled for more than 60 days. Deletion cascades through every dependent record so nothing is left behind.
- Revoking Amazon access in Seller Central immediately ends Shelfdoc's ability to call SP-API on your behalf. Shelfdoc's cached records for that connection are removed when your account is deleted (either via user-initiated deletion or via the 60-day cancellation cron).
8. Sub-processors
Shelfdoc relies on a small set of vetted infrastructure providers. Each receives only the data needed to perform its function.
- Vercel: Application hosting and serverless functions. Data received: All HTTP traffic (TLS-terminated).
- Supabase: PostgreSQL and authentication. Data received: Account and inventory data. Refresh tokens encrypted at rest before storage.
- Stripe: Subscription billing. Data received: Email and subscription state. Payment cards never touch Shelfdoc — handled by Stripe directly.
- Resend: Transactional email. Data received: Recipient email and alert content. No Amazon data.
- Anthropic (Claude): Optional in-app support assistant. Data received: Disabled by default. When enabled: question text and up to five help-article excerpts. No Amazon data, no inventory data, no PII.
- Amazon SP-API: Inventory, pricing, removal operations. Data received: Encrypted refresh token exchanged for short-lived access tokens. Requests carry only your seller-scoped parameters.
9. Incident response
If we detect a security incident affecting customer data, our internal Incident Response Plan applies. The plan defines severity tiers, containment steps, customer communication windows, and post-mortem requirements. Operationally, our commitments are:
- Customer notification: affected customers are notified by email without undue delay, and within 72 hours of confirmation for incidents involving exposure of seller data.
- Amazon notification: any incident involving SP-API misuse, token exposure, or breach of the Amazon Data Protection Policy is reported to Amazon Selling Partner Support within 24 hours of confirmation, per the Solution Provider Agreement.
- Status updates: in-product banners and direct customer email are the primary channels for service-health and incident communication today. A dedicated public status page is on the roadmap; if and when it is live, this section will be updated with the URL.
- Post-incident report: for confirmed Sev 1 incidents, a post-mortem is published (redacted as needed) within 14 days of resolution.
10. Reporting a security issue
Found a vulnerability or potential security issue? Email security@shelfdoc.com. Please do not file a public issue or post on social media until we have had a reasonable opportunity to investigate and respond. We acknowledge reports within one business day. Researchers who report responsibly will be credited (with permission) on this page.
11. What this page does not claim
Shelfdoc does not currently hold a SOC 2 or ISO 27001 certification, has not commissioned a third-party penetration test, and does not operate a paid bug-bounty program (responsible disclosure with credit is offered instead). Service availability is operated as a best-effort target rather than a numerical SLA. If any of these change, this page will be updated with a revised “Last reviewed” date.
12. Contact
Security: security@shelfdoc.com
Privacy: privacy@shelfdoc.com
General support: support@shelfdoc.com
Related documents: Privacy Policy, Terms of Service.