Security

How we protect your data

Rel.ai is built with defense-in-depth security. Your Amazon Ads credentials and advertising data are encrypted, isolated, and handled in compliance with Amazon's data protection policies.

Encrypted at Rest: AES-128 + HMAC-SHA256
Tenant Isolation: strict per-tenant boundaries
Amazon Compliant: LWA + Ads API policies

Credential Encryption

The only persistent secret we store is Amazon's OAuth refresh token. It is encrypted at the application layer using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before being written to the database. Even if the database is compromised, tokens are unusable without the separate encryption key.

Access tokens are never stored. They expire after 60 minutes and are minted on demand from the refresh token, held only in memory for the duration of the API call.

Property          Detail
Algorithm         Fernet (AES-128-CBC + HMAC-SHA256)
Key storage       Environment variable, separate from the session key
Access tokens     Never persisted — in-memory only
Data in transit   TLS (HTTPS) enforced on all connections
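The following is an added illustration of the scheme described above, not Rel.ai's own code. It uses the `cryptography` package's Fernet implementation (AES-128-CBC with HMAC-SHA256, as the page states); the environment variable name TOKEN_ENCRYPTION_KEY and the sample token value are placeholders. It shows the three properties that matter for a stolen database row: the plaintext is not in the row, a different key cannot decrypt it, and a modified ciphertext is rejected by the HMAC check rather than decrypting to garbage.

```python
"""Application-layer encryption of an OAuth refresh token with Fernet.

Added illustration, not Rel.ai's code. Requires the `cryptography` package.
TOKEN_ENCRYPTION_KEY is a placeholder environment variable name.
"""
import os
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken


def load_key(env_var: str = "TOKEN_ENCRYPTION_KEY") -> bytes:
    """Read the Fernet key from the environment, never from the database.

    Fernet.generate_key() yields a URL-safe base64 string of 32 bytes:
    16 bytes for the AES-128-CBC key and 16 bytes for the HMAC-SHA256 key.
    """
    key = os.environ.get(env_var)
    if key is None:
        raise RuntimeError(f"{env_var} is not set")
    return key.encode()


def encrypt_refresh_token(refresh_token: str, key: bytes) -> bytes:
    """Encrypt before the row is written. The Fernet token carries version,
    timestamp, IV, ciphertext and HMAC tag, so tampering is detected later."""
    return Fernet(key).encrypt(refresh_token.encode())


def decrypt_refresh_token(ciphertext: bytes, key: bytes) -> Optional[str]:
    """Decrypt only when an access token must be minted. Returns None for a
    wrong key or a modified ciphertext instead of a partial plaintext."""
    try:
        return Fernet(key).decrypt(ciphertext).decode()
    except InvalidToken:
        return None


def demo() -> dict:
    """Show that the stored row is useless without the key and that a
    changed ciphertext fails the HMAC check."""
    key = Fernet.generate_key()        # in production: load_key()
    other_key = Fernet.generate_key()  # stands in for an attacker without the key
    token = "Atzr|IwEBI-constructed-sample-refresh-token"  # constructed sample value
    stored = encrypt_refresh_token(token, key)

    # Replace the final base64 character (part of the HMAC tag) with a
    # different valid character, so the ciphertext decodes but the MAC fails.
    last = b"A" if stored[-1:] != b"A" else b"B"
    tampered = stored[:-1] + last

    return {
        "roundtrip": decrypt_refresh_token(stored, key),
        "wrong_key": decrypt_refresh_token(stored, other_key),
        "tampered": decrypt_refresh_token(tampered, key),
        "plaintext_in_row": token.encode() in stored,
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the key outside the database (here an environment variable, as the table above states) is what makes the second result meaningful: a dump of the `connections` table alone gives an attacker ciphertext they cannot use.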

OAuth2 Authorization

Rel.ai connects to your Amazon Ads account via the Login with Amazon (LWA) OAuth2 authorization code grant flow. You sign in directly with Amazon — we never see or handle your Amazon password.

The authorization request includes a cryptographically random CSRF state token, so an authorization code returned to the callback is accepted only for the session that started the flow; this prevents authorization code injection attacks. Only users with admin or owner roles on a tenant can initiate or revoke a connection.

Reference: LWA Authorization Code Grant
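As an added example (standard library only, not Rel.ai's code), the following shows the `state` handling the paragraph above describes: a random state is generated and bound to the server-side session, sent on the authorize request, and on the callback the returned state is compared in constant time and consumed so it cannot be replayed. The authorize endpoint is the public LWA one; the client id, redirect URI and authorization codes are constructed placeholders, and a dict stands in for the session store.

```python
"""CSRF `state` handling for the Login with Amazon authorization code grant.

Added illustration, not Rel.ai's code. The client_id, redirect_uri and
authorization codes below are constructed placeholders; a dict stands in
for the server-side session.
"""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

LWA_AUTHORIZE_URL = "https://www.amazon.com/ap/oa"   # public LWA endpoint
SCOPE = "advertising::campaign_management"           # scope named on this page
CLIENT_ID = "amzn1.application-oa2-client.PLACEHOLDER"  # placeholder


def begin_authorization(session: dict, redirect_uri: str) -> str:
    """Generate a fresh state, bind it to the caller's session, and build
    the authorize URL. 32 random bytes give a 43-character URL-safe token."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{LWA_AUTHORIZE_URL}?{urlencode(params)}"


def finish_authorization(session: dict, callback_url: str) -> Optional[str]:
    """Validate the callback. Return the authorization code only when the
    returned state matches the one stored in this session. The stored state
    is consumed on every attempt, so a callback cannot be replayed."""
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if expected is None or returned is None or code is None:
        return None
    # Constant-time comparison: do not leak the expected value byte by byte.
    if not hmac.compare_digest(expected, returned):
        return None
    return code


def demo() -> dict:
    redirect = "https://app.example.invalid/amazon/callback"  # placeholder

    # Legitimate flow: the callback carries the state this session issued.
    s1: dict = {}
    begin_authorization(s1, redirect)
    legit = finish_authorization(
        s1, f"{redirect}?code=ANxyz-constructed&state={s1['oauth_state']}")

    # Injection attempt: a code arrives with a state this session never issued.
    s2: dict = {}
    begin_authorization(s2, redirect)
    foreign_state = secrets.token_urlsafe(32)
    injected = finish_authorization(
        s2, f"{redirect}?code=ANother-constructed&state={foreign_state}")

    # Replay: the same valid callback is accepted once, then rejected.
    s3: dict = {}
    begin_authorization(s3, redirect)
    cb3 = f"{redirect}?code=ANonce-constructed&state={s3['oauth_state']}"
    first = finish_authorization(s3, cb3)
    replay = finish_authorization(s3, cb3)

    return {"legit": legit, "injected": injected, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The role check the paragraph mentions (admin or owner only) would sit in front of `begin_authorization` and the disconnect handler; it is an authorization decision on the tenant membership, separate from the state binding shown here.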

Disconnect & Data Deletion

When you disconnect your Amazon Ads account, Rel.ai performs a complete and secure wipe:

  • Encrypted token overwritten

    The encrypted refresh token is overwritten with random bytes before the row is deleted, preventing recovery from database WAL segments, dead tuples, or backups.

  • All profiles deleted

    Associated advertising profiles (account names, profile IDs, country codes) are removed via cascading delete at both the application and database levels.

  • Audit trail logged

    Every disconnection is logged with the tenant, region, and user who performed it — no token data is included in the log.

  • Amazon-side revocation guidance

    After disconnect, you're guided to fully revoke access from your Amazon account at Login with Amazon Settings for complete server-side token invalidation.
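The four steps above, carried through end to end as an added example (not Rel.ai's code). An in-memory SQLite database stands in for PostgreSQL, and the table and column names are constructed for the illustration. The function is scoped by tenant and region, overwrites the ciphertext in place before deleting the row, removes profiles at the application level as well as through the database's cascade, and writes an audit entry that carries tenant, region and user but no token material.

```python
"""Disconnect flow: overwrite, cascade delete, audit without token data.

Added illustration, not Rel.ai's code. sqlite3 stands in for PostgreSQL;
table and column names are constructed for the example.
"""
import os
import sqlite3
import time

SCHEMA = """
CREATE TABLE connections (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    region TEXT NOT NULL,
    encrypted_refresh_token BLOB NOT NULL
);
CREATE TABLE profiles (
    id INTEGER PRIMARY KEY,
    connection_id INTEGER NOT NULL REFERENCES connections(id) ON DELETE CASCADE,
    profile_id TEXT NOT NULL,
    account_name TEXT NOT NULL,
    country_code TEXT NOT NULL
);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    ts REAL NOT NULL,
    tenant_id TEXT NOT NULL,
    region TEXT NOT NULL,
    user_id TEXT NOT NULL,
    action TEXT NOT NULL
);
"""


def seed(db: sqlite3.Connection) -> None:
    """Create the schema and one connected tenant with two profiles (constructed data)."""
    db.execute("PRAGMA foreign_keys = ON")  # needed for ON DELETE CASCADE in SQLite
    db.executescript(SCHEMA)
    db.execute("INSERT INTO connections VALUES (1, 'tenant-a', 'NA', ?)",
               (b"gAAAA-constructed-ciphertext",))
    db.executemany(
        "INSERT INTO profiles (connection_id, profile_id, account_name, country_code) "
        "VALUES (1, ?, ?, ?)",
        [("111", "Acme US", "US"), ("222", "Acme CA", "CA")])
    db.commit()


def disconnect(db: sqlite3.Connection, tenant_id: str, region: str, user_id: str) -> dict:
    """Wipe one tenant's connection. The WHERE clause is tenant-scoped, so a
    caller can only ever act on its own tenant's row."""
    cur = db.cursor()
    row = cur.execute(
        "SELECT id, length(encrypted_refresh_token) FROM connections "
        "WHERE tenant_id = ? AND region = ?", (tenant_id, region)).fetchone()
    if row is None:
        return {"deleted": False}
    conn_id, token_len = row

    # 1. Overwrite the ciphertext with random bytes of the same length, so the
    #    last committed version of the row no longer holds the real token.
    cur.execute("UPDATE connections SET encrypted_refresh_token = ? WHERE id = ?",
                (os.urandom(token_len), conn_id))
    # 2. Application-level delete of profiles, then the row itself; the
    #    ON DELETE CASCADE in the schema covers the same dependency at DB level.
    cur.execute("DELETE FROM profiles WHERE connection_id = ?", (conn_id,))
    cur.execute("DELETE FROM connections WHERE id = ?", (conn_id,))
    # 3. Audit entry: who, which tenant, which region. No token data.
    cur.execute(
        "INSERT INTO audit_log (ts, tenant_id, region, user_id, action) "
        "VALUES (?, ?, ?, ?, ?)",
        (time.time(), tenant_id, region, user_id, "amazon_ads.disconnect"))
    db.commit()
    return {"deleted": True}


def demo() -> dict:
    db = sqlite3.connect(":memory:")
    seed(db)
    result = disconnect(db, "tenant-a", "NA", "user-42")
    profiles_left = db.execute("SELECT count(*) FROM profiles").fetchone()[0]
    connections_left = db.execute("SELECT count(*) FROM connections").fetchone()[0]
    audit = db.execute(
        "SELECT tenant_id, region, user_id, action FROM audit_log").fetchall()
    return {
        "disconnected": result["deleted"],
        "profiles_left": profiles_left,
        "connections_left": connections_left,
        "audit": audit,
        "token_in_audit": any("constructed-ciphertext" in " ".join(r) for r in audit),
    }


if __name__ == "__main__":
    print(demo())
```

Step 4 of the list, Amazon-side revocation, has no counterpart in code here: it is the user's action in their Login with Amazon settings, and it is what actually invalidates the refresh token on Amazon's servers regardless of what the application database still holds.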

Tenant Isolation

Rel.ai is a multi-tenant platform where each organization's data is strictly isolated. Amazon Ads connections are scoped to a tenant — one tenant can never access another's credentials or advertising data.

Role-based access controls enforce that only admin and owner roles can connect, disconnect, or manage Amazon Ads integrations. All tenant members can view connection status and trigger report pulls.

Amazon Policy Compliance

Our integration aligns with the following Amazon data protection and API policies:

  • Login with Amazon Services Agreement

    All user data received from Amazon is deleted upon disconnect. Users can request deletion at any time via the dashboard disconnect flow.

  • Amazon Ads Partner Network Policies

    Amazon data is used only to provide the approved service functionality. We do not cache, store, or retain data beyond its intended use. Credentials are never solicited, proxied, or transferred.

  • Amazon Ads API Scope & Authorization

    Access is limited to the advertising::campaign_management scope. Authorization follows the OAuth2 code grant flow with CSRF protection.

  • SP-API Data Protection Policy (reference)

    Encryption at rest meets the AES-128+ / RSA-2048+ requirement. Refresh tokens are encrypted with Fernet (AES-128-CBC) and the key is stored separately from the database.

  • Amazon Ads Data Retention

    No advertising data is retained beyond what is actively needed for reports. Amazon Ads data within Amazon's own systems is retained for no longer than 13 months.

Infrastructure Security

Layer            Detail
Authentication   AWS Cognito (OIDC-compliant) with SRP-based password verification
Sessions         Server-side, signed cookies, 8-hour absolute timeout
CSRF             Synchronizer token pattern on all state-changing requests
CSP              Per-request nonces — no unsafe-inline scripts
Database         PostgreSQL with SSL enforcement, connection pooling, and 30s statement timeouts
Rate limiting    Applied to all endpoints to prevent abuse

Have a question about our security practices?

security@meetrel.ai