Qorlo Security Policy

Last updated: 17 May 2026

Qorlo is designed to protect seller operational data, credentials, and Amazon Information through layered technical and organizational controls.

Access Control

Access to production systems and seller data is limited to authorized personnel and service accounts based on job duties. Administrative access uses strong-password requirements and multi-factor authentication where available. Access should be reviewed periodically and removed when no longer required.

Credential Handling

Credentials, encryption keys, OAuth secrets, and access tokens must not be committed to public repositories, shared in chat, or hard-coded into application code. Secrets are stored in local environment configuration or secret storage appropriate for the deployment environment, masked in normal responses, and rotated when exposure is suspected.

Encryption

Qorlo uses HTTPS/TLS for data in transit. Sensitive stored credentials are masked in API responses and should be encrypted or stored through secret-management controls in production deployments.

Network And System Security

Production deployments should use firewalls, provider security groups, malware protection where applicable, least-privilege network access, backup controls, and logging or monitoring suitable for the deployment environment.

Development And Release Controls

Code changes should be reviewed and verified before production release. Production deployments should avoid debug mode, broad CORS, public secret exposure, and unnecessary network access.

Incident Response

Security incidents involving Amazon Information are reviewed promptly. If an incident affects Amazon Information, Qorlo will follow incident-response procedures and notify Amazon at security@amazon.com within 24 hours of detection when required. Incidents involving personal information are assessed for legal notification obligations, including whether affected individuals and the Office of the Australian Information Commissioner should be notified under Australia's Notifiable Data Breaches scheme.

Reviews

Security controls and incident-response procedures should be reviewed at least every six months and after material architecture or process changes.

Contact

Questions or security notices can be sent to silvergoldteq@gmail.com.