Data Processing Addendum
Last updated: May 4, 2026
This Data Processing Addendum (“DPA”) supplements the TrueMargin Terms of Service and Privacy Policy. It describes our security and data handling practices for all customer data, with specific detail on data accessed via the Amazon Selling Partner API (“SP-API”).
1. Scope and Definitions
- “Customer Data” means data uploaded by, or collected on behalf of, a TrueMargin customer.
- “Amazon Information” means information accessed through SP-API, including but not limited to: order data, order item data, fee detail, settlement reports, FBA inventory, Advertising API data, and PII of buyers (names, addresses).
- “PII” means Personally Identifiable Information.
- “Subprocessor” means a third-party service provider engaged by TrueMargin to process Customer Data.
2. Roles
For data submitted by the customer or accessed on the customer’s behalf via SP-API: the customer is the data controller; TrueMargin is the data processor. We process Customer Data only on documented instructions from the customer (i.e., the scope authorized through the OAuth grant and configured in the customer’s account).
3. Security Controls
3.1 Network and transport security
- All public endpoints serve traffic over TLS 1.2 or higher.
- HTTP Strict Transport Security (HSTS) is enforced.
- Internal service-to-service communication is encrypted.
- Web Application Firewall and rate limiting are applied at the edge (Vercel).
3.2 Data-at-rest encryption
- Database storage (managed Postgres, Supabase) is encrypted at rest with AES-256.
- SP-API refresh tokens and equivalent credentials are additionally column-level encrypted using
pgsodium/ Supabase Vault. - Backups are encrypted using the same cipher and key management.
3.3 Logical isolation
- Per-tenant isolation is enforced in Postgres via Row-Level Security (RLS) policies on every customer-data table.
- API requests carry a verified Supabase JWT; server-side queries are constrained to the authenticated
seller_id. - Direct customer access to the database is not permitted.
3.4 Identity and access management
- End-user authentication is handled by Supabase Auth. Passwords are hashed using bcrypt.
- Production infrastructure access is limited to a small named set of engineers, requires SSO and MFA, and is logged.
- Secrets are stored in Vercel encrypted environment variables and Supabase Vault. No secrets in source control.
- Access to production data is granted on a least-privilege, audited basis.
3.5 Logging and monitoring
- Application, authentication, and API access logs are retained for at least 90 days.
- Errors are routed to monitoring with alerting on anomalies.
- Failed authentication attempts and unusual access patterns trigger alerts.
3.6 Vulnerability management
- Dependencies are tracked and patched on a regular cadence; critical CVEs in the request path are patched within 7 days of public disclosure.
- Code changes go through review before reaching production.
- Security issues may be reported to security@truemarginhq.com.
3.7 Personnel
- Personnel with access to production data sign confidentiality obligations.
- Access is revoked promptly on role change or departure.
4. Handling of Amazon Information (SP-API)
4.1 Use limitation
- Amazon Information is used solely to operate the TrueMargin service for the seller who authorized us.
- Amazon Information is never used for advertising, retargeting, building general-purpose datasets, training third-party models, or sale of any kind.
- Amazon Information is never combined with data from other sellers in a way that could expose one seller’s data to another.
4.2 PII handling
- PII contained in Amazon Information (buyer names, shipping addresses) is encrypted at rest.
- PII is accessible only to the seller who owns it via the authenticated TrueMargin UI.
- PII is not shared with any subprocessor outside those listed in §6, and only for the purpose of operating the service for that seller.
4.3 Retention and deletion
| Event | Action | Timeline |
|---|---|---|
| Customer disconnects Amazon account | Refresh token deleted; Amazon Information marked for deletion | Within 24 hours |
| Customer deletes their TrueMargin account | All Customer Data, including Amazon Information, deleted | Within 30 days |
| Customer requests early deletion | Manual purge initiated | Within 7 days |
| Encrypted backups | Purged on rotation | Within 90 days |
4.4 Compliance with Amazon policies
We comply with the Amazon Services API Acceptable Use Policy and the Amazon Data Protection Policy. We will provide reasonable assistance, on request, in any audit or compliance review Amazon initiates with respect to our handling of Amazon Information.
5. Data Subject Requests
We assist customers in responding to requests from data subjects (including their own end customers whose PII appears in Amazon Information) for access, correction, deletion, or portability. Requests should be sent to privacy@truemarginhq.com.
6. Subprocessors
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Managed Postgres + authentication | United States |
| Vercel | Application hosting and edge CDN | United States |
| Stripe | Subscription billing | United States |
| Plaid | Bank/credit card transaction aggregation (only if customer connects Plaid) | United States |
| Resend (or equivalent) | Transactional email | United States |
Each subprocessor is contractually bound to protect Customer Data with controls equivalent or stricter than those described in this DPA. We will provide notice of new subprocessors at least 30 days before they begin processing Customer Data, where practicable.
7. Incident Response
- We maintain a documented incident response procedure.
- In the event of a confirmed Security Incident affecting Customer Data, affected customers are notified without undue delay and in any event within 72 hours of confirmed discovery.
- Notifications include, to the extent known: nature of the incident, categories and approximate volume of data affected, likely consequences, and measures taken or proposed.
- We cooperate fully with affected customers and Amazon (where Amazon Information is implicated) in investigation and remediation.
8. Audit
Customers may request a summary of our security practices and a current list of subprocessors. For Amazon, we provide such information directly through SP-API developer compliance reviews.
9. International Transfers
TrueMargin operates and stores data in the United States. Where the customer or its end customers are located outside the U.S., transfers are made in reliance on Standard Contractual Clauses or other lawful transfer mechanisms with subprocessors as applicable.
10. Changes
We may update this DPA. Material changes will be communicated to active customers by email and posted here with an updated date.
11. Contact
- Privacy / data: privacy@truemarginhq.com
- Security incidents: security@truemarginhq.com
- General: hello@truemarginhq.com