Home
📚 All Learning Resources
🚨 Crisis & Emergency Violation Recovery Center
📋 Policy & Compliance Business Days Guide
🔧 Integration Why Tools Fail
💎 ROI & Success Survival ROI Calculator
🛠️ All Tools
🚨 Compliance & Risk 📊 LDR Risk Calculator ⏰ Business Day Calculator
💰 Financial Calculators 💰 Revenue Impact ⚠️ Suspension Cost 📊 Platform Comparison
🛡️ SellerOps Value 🛡️ Protection ROI
Pricing Start Free Trial

Security at SellerOps

Your store data is protected by enterprise-grade encryption, isolated infrastructure, and transparent data practices. We handle your TikTok Shop connection with the same care you give your business.

🔐 KMS Encrypted
☁️ AWS Hosted
🛡️ PCI SAQ-A
GDPR-Ready

Data Protection

Encryption

At Rest

  • OAuth tokens encrypted with AWS KMS
  • Tokens stored in AWS Secrets Manager
  • Database stores ARN references only
  • PostgreSQL RDS with encryption enabled
  • S3 buckets use SSE-KMS encryption

In Transit

  • TLS 1.2+ enforced on all connections
  • HTTPS required for all endpoints
  • Secure webhook communication with TikTok

Data Access

We Access

  • Order data (IDs, timestamps, status, totals)
  • Ship-to addresses (for shipping labels)
  • TikTok Shop connection via OAuth

We Never Access

  • Payment or credit card information
  • Your TikTok login credentials
  • Buyer personal accounts or financial data
  • Banking or payout information

We collect only what's necessary to ship orders and monitor SLAs. No payment data touches our servers — Stripe handles all billing. Your TikTok credentials stay with TikTok.

Infrastructure Security

Cloud Hosting

SellerOps runs entirely on Amazon Web Services (AWS) in the us-east-1 region (Northern Virginia). We leverage AWS's SOC 2 Type II certified infrastructure for compute, storage, and networking.

Network Isolation

  • Webhook handlers run outside VPC for fast response (no database access)
  • Database operations run inside VPC via RDS Proxy
  • NAT Gateway provides controlled outbound access
  • Strict security groups limit traffic between components

Database Security

  • PostgreSQL on RDS with Multi-AZ deployment
  • Point-in-Time Recovery (PITR) enabled
  • Encryption at rest via AWS KMS
  • Connections via RDS Proxy with IAM authentication
  • No direct database access — all operations through authenticated APIs

Access Control

Authentication

  • User authentication via Clerk-issued JWT tokens
  • All API routes require valid JWT (except health checks)
  • Session management with secure token handling and expiry

Authorization

  • Role-based access control (Admin and Staff roles)
  • Tenant isolation — customers see only their data
  • Least-privilege IAM policies for each Lambda function
  • Explicit denies prevent webhooks from accessing secrets

Webhook Security

Every TikTok webhook is verified using HMAC signature validation before processing. Invalid signatures are rejected immediately and logged for security monitoring.

Compliance & Certifications

PCI SAQ-A Compliant

No card data touches SellerOps. Stripe handles all payment processing via hosted checkout.

GDPR-Ready

Data deletion workflow implemented. EU hosting planned for future expansion.

TikTok API Security

Webhook signature verification, OAuth best practices, secure token storage.

🔄

TikTok Partner Checklist

Security documentation in progress for partner application.

📋

SOC 2 Type I (Planned)

Evaluating timeline based on customer requirements.

We list only certifications we've achieved. Our security controls are aligned with SOC 2 requirements, and we'll update this page as we complete formal certification.

Data Handling Practices

Retention

Data Type Retention Period
Orders & Shipments 180 days
Event logs 90 days
Compliance audit trail 365 days (then archived)
Database backups 30-day rolling

Deletion

Request data deletion by emailing [email protected]. We process all deletion requests within 7 business days. Deletion cascades to all associated records including order data, events, and store connections.

Third-Party Data Sharing

We share data only with services essential to SellerOps's operation:

  • TikTok Shop — Order sync via official API
  • Stripe — Payment processing only (PCI SAQ-A)
  • AWS — Infrastructure provider (SOC 2 certified)
  • Loops.so — Transactional email delivery
  • Slack — Alert delivery (Defender/Operator tiers)
  • Twilio — SMS alerts (Operator tier only)
  • EasyPost/Shippo — Label purchasing (future feature)

We never sell, rent, or share your data with advertisers or data brokers.

Incident Response

Monitoring

  • CloudWatch alarms for critical events
  • P1 alerts: Webhook failures >1%, queue delays >60s
  • 24/7 automated monitoring with on-call escalation

Response Timeline

Phase Timeline
Detection & Triage Within 24 hours
Customer Notification Within 72 hours
Full RCA Published Within 7 days

Notification Process

If a security incident affects your data, we notify you within 72 hours with: scope of impact, affected data types, remediation steps taken, and recommended actions on your end.

Frequently Asked Questions

SellerOps accesses order data including order IDs, timestamps, status, ship-to addresses, and totals via TikTok's OAuth API. Watcher Mode uses read-only access. We never access your TikTok login credentials, payment information, or buyer financial data.
All data is stored in AWS us-east-1 (Northern Virginia). We use encrypted RDS PostgreSQL databases and S3 storage with KMS encryption. For UK/EU customers, we're evaluating regional hosting options.
OAuth tokens are encrypted with AWS KMS and stored in AWS Secrets Manager. Our database only stores ARN references — never the tokens themselves. Tokens are decrypted at runtime in isolated Lambda functions and never logged.
Yes. Email [email protected] with your deletion request. We process all requests within 7 business days. Deletion removes your account, store connections, order data, and all associated records permanently.
SellerOps is PCI SAQ-A compliant. We never store, process, or transmit credit card data — all payment processing goes through Stripe's hosted checkout. Your card information never touches our servers.
We're evaluating SOC 2 Type I certification. Our security controls are aligned with SOC 2 requirements, and we've implemented encryption, access controls, and audit logging consistent with the framework. We'll update this page when certification is complete.

Security Inquiries

Security Team

[email protected]

Security questions, vulnerability reports, and compliance inquiries.

Response Time

Security inquiries: 2 business days
Vulnerability reports: 48 hours
General support: 1 business day

Responsible Disclosure

If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond within 48 hours. Please include steps to reproduce and avoid accessing or modifying other users' data.

Ready to protect your TikTok Shop?

Join sellers who trust SellerOps to monitor their SLAs and prevent late dispatch violations.

Start 14-Day Free Trial

Join the Waitlist

Be first when this plan launches



    🎉

    You're on the list!

    We'll notify you when this plan becomes available.