Marketplace Security Controls

Incident Management, Credential Management & Network Data Security Policy

This public policy explains how OTOECOM manages security incidents, protects credentials, restricts marketplace access, and secures network and data handling for Amazon, Flipkart, Meesho and other ecommerce platforms.

Applies to Amazon, Flipkart, Meesho and other portals
Publicly accessible security policy page

Policy Scope

Security controls for marketplace services across seller portals and ecommerce systems

This policy applies whenever OTOECOM handles seller data, customer PII, marketplace access, API tokens, reports, catalog files, order information, support screenshots or operational data for an approved seller service.

AMZ

Amazon and Amazon SP-API related services

Amazon data is handled under Amazon's data protection, acceptable use, role access and security-control expectations.

  • Seller Central user permissions and role-based access
  • SP-API tokens, application credentials and restricted data where applicable
  • Incident escalation and notification where Amazon data is affected

FKM

Flipkart, Meesho and Indian marketplaces

Seller panel access, order data, payment reports, catalog details and shipment records are handled only for approved seller work.

  • Sub-user access preferred over shared master passwords
  • Buyer and order data used only for service delivery
  • Access removed when work is complete or no longer required

D2C

D2C stores, Shopify, WooCommerce and tools

Store, logistics, ad, analytics and support tool access is controlled using least-privilege and purpose-limited processing.

  • Authorized account invitations are preferred over credential sharing
  • Exports and reports are minimized, redacted or deleted when no longer needed
  • Access activity is reviewed when service scope changes

OPS

Internal support, training and operations

Internal notes, screenshots, case records, performance reports and training data are protected by access controls and retention rules.

  • Only assigned team members access seller files
  • Sensitive screenshots are redacted where practical
  • Suspicious activity is escalated through the incident process

Security Control Areas

Incident response, credential protection and network defense work together.

OTOECOM treats these controls as one connected security process. Incidents are handled quickly, credentials are protected from exposure, and network/data systems are restricted, monitored and reviewed.

01

Incident Management

Security events are identified, classified, escalated, contained and reviewed through a documented response process.

  • Preparation, identification, containment, eradication, recovery and lessons learned.
  • Defined roles, escalation paths and incident point of contact.
  • Marketplace, seller and legal notifications where required.

02

Credential Management

Credentials, API keys, tokens and user access are protected through least-privilege and controlled authorization.

  • No hardcoded credentials in source code, documents or public repositories.
  • MFA, password hygiene, access reviews and timely revocation.
  • Secure credential stores and rotation schedules where applicable.

03

Network & Data Security

Marketplace data is protected using secure transfer, access control, encryption, malware protection and monitoring.

  • Firewalls, access control lists, segmentation and restricted administrative access.
  • Endpoint protection, anti-malware updates, logging and alerting.
  • Secure storage, data minimization and controlled exports.

Incident Management

How security incidents are handled

A security incident may include unauthorized access, suspected credential exposure, malware detection, abnormal API activity, accidental data disclosure, loss of marketplace data, or any event that may affect confidentiality, integrity or availability of seller or customer information.

01
Reviewed response plan

Incident procedures are reviewed at least every six months and after major process, platform or infrastructure changes.

02
Escalation ownership

Each incident is assigned to an accountable owner with internal escalation and seller communication responsibility.

03
Marketplace notification

Where Amazon data is affected, OTOECOM notifies Amazon within 24 hours of detection where required and follows the relevant marketplace notification process.

PREP

Prepare and prevent

Maintain contact lists, escalation rules, access inventories, backup procedures, security awareness, credential controls and incident checklists for seller portal and marketplace data events.

ID

Identify and classify

Review alerts, unusual login behavior, abnormal API usage, suspicious exports, malware warnings, seller reports or employee observations to determine severity, affected systems and affected marketplaces.

STOP

Contain and eradicate

Limit impact by revoking exposed credentials, disabling access, blocking suspicious sessions, isolating affected files, pausing unsafe exports, rotating keys and removing malicious or unauthorized activity.

REC

Recover and validate

Restore approved service access only after validation, confirm that affected credentials or files are secured, document remediation, and verify that business operations can resume safely.

DOC

Notify and learn

Document the incident timeline, root cause, affected data, decisions, notifications, corrective actions and lessons learned. For Amazon data incidents, Amazon is notified within 24 hours of detection where required.

Credential Management

How credentials, tokens and seller portal access are controlled

OTOECOM does not request master passwords, OTPs or personal login sessions unless a seller voluntarily provides temporary supervised access for a permitted support purpose. Wherever possible, official sub-user access, role permissions or authorized integrations are used.

No hardcoded or public credentials

Sensitive credentials are not stored in website code, source files, public repositories, documents, screenshots or shared notes.

  • API keys, tokens and passwords are never published.
  • Configuration files are reviewed before sharing or deployment.
  • Production and testing access are kept separate where applicable.

Secure storage and limited access

Credentials and seller access details are stored only in approved, access-controlled systems and shared only with authorized personnel who need them for the service.

  • MFA is required wherever the platform supports it.
  • Shared team access is avoided; named user access is preferred.
  • Credential access is logged or traceable where practical.

Rotation, revocation and access review

Access is reviewed periodically and removed when employees leave, service ends, the seller requests revocation, or the permission is no longer required.

  • Marketplace sub-user access is reviewed at least quarterly where applicable.
  • Exposed or suspected credentials are rotated immediately.
  • Departed employee access is disabled within 24 hours where under OTOECOM control.

Least-privilege user access

Team members receive only the access needed for assigned tasks such as catalog work, ads, reporting, order support, training or account health support.

  • Admin access is avoided unless required and approved.
  • Seller data is not downloaded unless needed for the approved task.
  • Access is reduced when service scope narrows.

Platform-specific credential handling

Amazon, Flipkart, Meesho and other platforms may provide different access models. OTOECOM follows the stricter platform rule where a marketplace requirement is stricter.

  • Amazon roles and SP-API credentials are protected as sensitive data.
  • Flipkart and Meesho panel access is restricted to assigned work.
  • D2C store and ad-tool access is revoked after engagement completion.

Password and login hygiene

Passwords are required to be strong, unique and protected. Suspicious login patterns, repeated failed attempts or unauthorized sharing are escalated for review.

  • Passwords should not be reused across seller platforms.
  • OTP sharing is avoided and never stored after a support session.
  • Personal devices and unsecured apps are not approved credential stores.

If any credential, token, seller portal access, API key or authorization appears exposed, OTOECOM treats it as a security incident, revokes or rotates the credential where possible, reviews affected activity, documents the event and informs the seller or marketplace when required.

Network & Data Security

Network controls protect seller portals, exports, reports and customer data.

OTOECOM uses layered controls to reduce unauthorized access, data leakage, malware risk, credential misuse and accidental exposure across marketplace, support and reporting workflows.

  • Access control: Approved users, least privilege, MFA where supported and role-based restrictions.
  • Network defense: Firewalls, access control lists, segmentation and restricted admin paths.
  • Data protection: Secure transfer, encryption where applicable, minimization and controlled exports.
  • Monitoring: Log reviews, malware alerts, unusual access investigation and incident escalation.

FW

Firewall and access control rules

Administrative systems and marketplace workstations are protected with firewall controls, approved access rules and restrictions that reduce unauthorized network traffic.

SEG

Segmentation and least access

Access is separated by role, department, service need and platform. Seller data is kept inside approved tools and is not copied into uncontrolled personal storage.

MFA

Authentication and login monitoring

Multi-factor authentication is used wherever supported. Suspicious login attempts, unusual access times or repeated failures are reviewed and escalated.

ENC

Secure transfer and encryption

Sensitive files, exports, reports and credentials are transmitted through secure channels. PII and credentials are encrypted or stored in protected systems where applicable.

AV

Anti-malware and endpoint protection

Company devices used for marketplace services are expected to run updated anti-malware protection, security updates and scans to reduce infection risk.

LOG

Logging, monitoring and evidence

Access logs, support records, incident notes and marketplace activity evidence are reviewed when needed for security investigation, misuse detection and incident response.

Marketplace Commitments

Same security discipline across Amazon, Flipkart, Meesho and other portals

OTOECOM follows the relevant marketplace rule and applies the stricter control where a marketplace, law, seller agreement or security requirement demands a higher standard.

01

Amazon and Amazon SP-API

Strictest Review Focus

Amazon data, SP-API credentials, Seller Central permissions and customer PII are handled according to Amazon data protection and security expectations.

  • Amazon credentials are protected, not hardcoded and not exposed publicly.
  • Amazon-related incidents are investigated, documented and notified where required.
  • Network and endpoint controls are maintained for systems that process Amazon data.

02

Flipkart seller data

Controlled Access

Flipkart seller panel access, catalog data, order data, shipment details, returns, payment reports and advertising reports are used only for approved seller services.

  • Access is limited to assigned personnel and service purpose.
  • Credentials are not stored in public files or shared informally.
  • Suspicious seller panel activity is escalated and reviewed.

03

Meesho seller data

Limited Purpose

Meesho seller information, listing data, logistics information, orders, returns, payments and customer delivery details are processed only for the seller's requested service.

  • Buyer and logistics data are not reused for unrelated activity.
  • Access is removed or reduced when the work is complete.
  • Incidents involving Meesho data are handled through the same response lifecycle.

04

Other portals, ad tools and ecommerce systems

Same or Stricter

For Shopify, WooCommerce, logistics tools, ad accounts, analytics tools, D2C stores and other ecommerce platforms, OTOECOM applies purpose limitation, least privilege and secure handling.

  • Only approved business users access seller systems.
  • Reports and exports are minimized, protected and retained only as needed.
  • Credential or network incidents are documented and escalated promptly.

Security requests and incident reporting

Need to report credential exposure, suspicious access or a data security issue?

Contact OTOECOM with your seller account name, marketplace, incident description, affected data if known, time of detection and authorized contact details. OTOECOM will verify, investigate and respond according to this policy.