Our agency will perform Amazon SP-API penetration testing and DPP compliance audit

CREST accredited security testing for high trust organisations
Vetted by Fiverr Pro for Cybersecurity: REDSECLABS was selected by the Fiverr Pro team for their expertise.
About this Gig
RedSecLabs is a UK CREST accredited, SWIFT, PCI QSA accredited cybersecurity firm delivering penetration testing, PCI DSS, SOC 2, ISO 27001 readiness, incident response and security advisory services.
We perform penetration testing and Amazon Data Protection Policy (DPP) compliance audits for Selling Partner API (SP-API) applications. These are required annually for restricted SP-API access and are subject to Amazon review.
WHAT WE TEST
- Login with Amazon (LWA) OAuth flow and token handling
- Refresh token storage, rotation and revocation
- Restricted Data Token (RDT) lifecycle and scoping
- IAM roles, AWS credentials and STS assumption chains
- PII data flow, encryption (AES-256 / RSA-2048) and retention
- Role-based access controls and approved-user enforcement
- Logging, monitoring and SIEM coverage (90-day minimum)
- Incident response plan (24-hour notification requirement)
- Multi-tenant isolation for SaaS providers
COMMON USE CASES
- Annual DPP pentest for restricted operations
- 180-day vulnerability scan cycle
- Pre-application audit before Restricted Role submission
- Remediation after a failed security review
Clients we've worked with
Bykea
Mobile App Development
Provided cyber security consulting for Bykea to strengthen their overall security posture. Developed a Cyber Security Framework specifically for developers, integrated DevSecOps practices, and significantly improved their Vulnerability Disclosure process.
Feb 2023
FAQ
Why does an SP-API application need a penetration test?
Amazon's Data Protection Policy requires an annual penetration test for applications performing restricted operations (anything touching PII). It also requires vulnerability scans every 180 days. Without these, restricted role access can be revoked.
Will Amazon's review team accept the report?
Reports are formatted to map directly to the DPP control sections Amazon reviewers assess. Outcomes are determined by Amazon.
Do you cover the application and the AWS infrastructure behind it?
Yes. Both are tested: the LWA OAuth flow, RDT handling, refresh token storage, IAM, KMS, S3, Lambda execution roles and data egress paths.
We failed Amazon's security review; can you help us recover?
Yes. We audit against the specific failure points Amazon flagged, support remediation and produce a submission-ready report.
Do you cover both seller-side and vendor-side SP-API integrations?
Yes, including hybrid implementations and delegatee applications using RDTs received from a delegator.
We have no restricted operations; do we need this?
If you do not perform restricted operations, the annual DPP pentest is not required. We will confirm this in scoping and not sell you something you do not need.

