Security at Mirox
Mirox runs on your real Amazon account and your real ad budget. The security model treats every layer as if a determined attacker is already past the previous one. This page lists the measures in plain language, aligned with Article 32 GDPR and Amazon's Data Protection Policy.
Last updated: 2026-05-10
Encryption everywhere
Seller OAuth tokens are encrypted with AES-256-GCM (96-bit random nonce, 128-bit authentication tag) before they touch the database. Production refuses to boot without the encryption key — no silent ephemeral fallback. TLS 1.2+ on every public endpoint, with HSTS preload and OCSP stapling. User passwords are bcrypt-hashed (cost factor 12).
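The token-sealing step described above, as an added Python example (not Mirox's own code): AES-256-GCM with a 96-bit random nonce and 128-bit tag, a loader that refuses to start without a key, and the tenant id bound as associated data. The environment variable name MIROX_TOKEN_KEY and the function names are assumptions; the `cryptography` package is required.

```python
import base64
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit random nonce, as the page specifies
TAG_LEN = 16     # AESGCM appends a 128-bit authentication tag

class MissingKeyError(RuntimeError):
    """Raised at startup when no usable key is configured: the process must not boot."""

def load_key(env=None):
    """Read the base64 AES-256 key from MIROX_TOKEN_KEY (assumed name). No fallback."""
    env = os.environ if env is None else env
    raw = env.get("MIROX_TOKEN_KEY")
    if not raw:
        raise MissingKeyError("MIROX_TOKEN_KEY is not set; refusing to start")
    key = base64.b64decode(raw)
    if len(key) != 32:
        raise MissingKeyError("MIROX_TOKEN_KEY must decode to exactly 32 bytes")
    return key

def seal_token(key, token, tenant_id):
    """Encrypt a seller OAuth token for storage. tenant_id is bound as associated
    data, so a ciphertext copied into another tenant's row fails to decrypt."""
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(key).encrypt(nonce, token.encode(), tenant_id.encode())
    return base64.b64encode(nonce + ct).decode()  # nonce || ciphertext || tag

def open_token(key, sealed, tenant_id):
    """Decrypt a stored token; returns None on tampering, wrong key or wrong tenant."""
    blob = base64.b64decode(sealed)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ct, tenant_id.encode()).decode()
    except InvalidTag:
        return None

if __name__ == "__main__":
    # Constructed demo key, not a real secret: 32 bytes of 0x01, base64-encoded.
    demo_env = {"MIROX_TOKEN_KEY": base64.b64encode(b"\x01" * 32).decode()}
    key = load_key(demo_env)
    sealed = seal_token(key, "Atzr|constructed-refresh-token", "tenant-a")
    print(open_token(key, sealed, "tenant-a"))  # the token round-trips
    print(open_token(key, sealed, "tenant-b"))  # None: bound to tenant-a
```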
EU-resident infrastructure
Primary deployment is a managed VPS hosted by Hostinger in Lisbon, Portugal. Disk-level encryption at the hypervisor (LUKS) plus application-level encryption for the high-value secrets. Postgres listens only on the internal Docker network and the engine port is bound to loopback. Where a sub-processor sits outside the EEA, transfers ride on the EU SCCs (Decision 2021/914) with encryption and access controls as supplementary measures.
Tenant isolation, top to bottom
Every API endpoint, database query, and background job is scoped to a tenant_id derived from a signed JWT delivered as an HttpOnly cookie. Cross-tenant access is restricted to developer-admin accounts and is recorded in an append-only audit log. The application layer is the enforcing boundary — there is no shared connection pool that could leak across tenants.
Least privilege and MFA
Three-tier role model: User · Tenant Admin · Developer Admin. The cross-tenant superuser tier requires TOTP, with one-shot bcrypt-hashed recovery codes. No shared credentials. Time-bounded server access via individual SSH keys. Encryption keys, Stripe keys, and database credentials live in environment variables on the production host — never in source control — and are rotated on a quarterly cadence.
Buyer PII is never requested
PPC bid optimisation does not need buyer Personally Identifiable Information, so Mirox does not call buyer-PII endpoints (e.g. /orders/v0/orders/{id}/buyerInfo, /orders/v0/orders/{id}/address). On the order-summary endpoints we do call, the dataElements parameter is omitted, which instructs Amazon to return only non-PII fields — order id, total, status, marketplace, and purchase date. A field that is never received cannot be leaked. As defence in depth, our log redactor and cache writer would strip any buyer fields if Amazon ever returned them.
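The defence-in-depth redactor described above, as an added Python example (not Mirox's own code): a deny-list pass that removes buyer fields at any depth and records what it removed, followed by the allow-list projection a cache writer would keep. The key names follow the Orders v0 order object as I know it and are an assumption; the sample order is constructed, not Amazon output.

```python
# Buyer-PII fields of the Orders v0 order object; assumed to match what Mirox strips.
BUYER_PII_KEYS = frozenset({"BuyerInfo", "BuyerEmail", "BuyerName", "BuyerCounty",
                            "BuyerTaxInfo", "ShippingAddress"})
# The non-PII summary fields the page says are retained.
SUMMARY_KEYS = frozenset({"AmazonOrderId", "OrderTotal", "OrderStatus",
                          "MarketplaceId", "PurchaseDate"})

def redact_pii(obj, dropped, path=""):
    """Return a copy of obj with every buyer-PII key removed at any depth.
    Paths of removed keys are appended to `dropped` so the caller can alert:
    a PII field arriving at all means the upstream request changed."""
    if isinstance(obj, dict):
        clean = {}
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key in BUYER_PII_KEYS:
                dropped.append(here)
            else:
                clean[key] = redact_pii(value, dropped, here)
        return clean
    if isinstance(obj, list):
        return [redact_pii(v, dropped, f"{path}[{i}]") for i, v in enumerate(obj)]
    return obj

def cache_view(order):
    """Allow-list projection the cache writer persists: summary fields only,
    after the deny-list pass. Returns (summary, dropped_paths)."""
    dropped = []
    clean = redact_pii(order, dropped)
    return {k: clean[k] for k in SUMMARY_KEYS if k in clean}, dropped

# Constructed sample of an order that unexpectedly carries buyer fields;
# not real Amazon data.
SAMPLE_ORDER = {
    "AmazonOrderId": "000-0000000-0000000",
    "PurchaseDate": "2026-05-01T10:00:00Z",
    "OrderStatus": "Shipped",
    "MarketplaceId": "CONSTRUCTED-MARKETPLACE",
    "OrderTotal": {"CurrencyCode": "EUR", "Amount": "42.00"},
    "BuyerInfo": {"BuyerEmail": "buyer@example.invalid", "BuyerName": "Example Buyer"},
    "ShippingAddress": {"City": "Lisbon", "CountryCode": "PT"},
    "FulfillmentChannel": "AFN",
}

if __name__ == "__main__":
    summary, dropped = cache_view(SAMPLE_ORDER)
    print(summary)   # the five summary fields only
    print(dropped)   # ['BuyerInfo', 'ShippingAddress']
```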
Breach response with dual clocks
For breaches involving Amazon Information, Amazon is notified within 24 hours of confirmation per the Data Protection Policy. For breaches affecting customer Personal Data, the customer is notified within 72 hours per GDPR Article 33. Where both apply, the Amazon clock takes precedence. An incident-response runbook, severity matrix and on-call rotation are documented, and tabletop exercises are run quarterly.
30-day deletion commitment for Amazon Information
When you disconnect your Amazon account or cancel your subscription, all of your Amazon Information is hard-deleted from production systems within 30 days via an automated, idempotent purge that cascades across every tenant-scoped table (OAuth tokens, catalog, pricing, order summaries, agent decision traces, configuration). You can request immediate deletion (skipping the 30-day clock) by emailing privacy@mirox.pt. See the retention table in the Privacy Policy for the per-class windows.
Continuous security scanning gates every deploy
Every push and every pull request triggers an automated security workflow: dependency vulnerability scanning (pip-audit), Python static analysis (bandit), container image scanning (trivy image), and filesystem secret & misconfiguration scanning (trivy fs). High and Critical findings fail the build. Production deploys never start when scans fail. Scan reports are retained for 30 days as evidence.
Append-only audit log of Amazon Information access
Every read of Amazon Information by a human user is recorded in an append-only audit_log table: who, what tenant, what resource, what action, when, IP, user-agent. A Postgres trigger rejects any UPDATE and rejects DELETE outside the retention sweep. Cross-tenant developer-admin reads are namespaced with an admin_ prefix so they stand out in review. Retention is 365 days — longer than the DPP minimum of 90 days.
What we have not certified yet
Mirox is a 2026 launch. We are early. We do not claim ISO 27001 or SOC 2 Type II until those audits are complete and the reports are signed. We will publish the report letter on this page the day it lands.
- In place: GDPR Article 28 DPA (/legal/dpa), EU SCCs 2021/914, EU residency in Lisbon, AES-256-GCM at rest, TLS 1.2+ in transit, tenant-scoped query enforcement, MFA on cross-tenant administrators, append-only audit log, data minimisation on Amazon SP-API (no buyer-PII endpoints called), 30-day deletion-on-disconnect.
- In progress: Independent third-party penetration test focused on the OWASP Top 10 and Amazon DPP scope. SOC 2 Type II readiness assessment.
- Not started: ISO 27001. We will scope this once founding-cohort feedback informs the control set.
Reporting a vulnerability
If you believe you have found a security issue affecting Mirox — the marketing site, the customer dashboard, the production API, or the agents — email security@mirox.pt. Please include reproduction steps and the affected component. We acknowledge within 2 business days and assign a severity with a remediation plan within 5 business days of acknowledgement. A PGP key is available on request from the same address.
We follow coordinated disclosure: please refrain from accessing data belonging to other tenants, from running denial-of-service attacks against production, and from publishing details before we have shipped a fix. We will credit you publicly with your consent.
No legal action will be taken against good-faith research conducted under coordinated disclosure.
Security: security@mirox.pt · Privacy: privacy@mirox.pt · Support: support@mirox.pt
Mirox, LDA · NIPC PT517994160 · Castelo Branco, Portugal