AES-256 at rest and TLS 1.2+ in transit, stored in the United States, and never used to train any model. Marketplace PII — buyer names, addresses — is automatically purged after 30 days. Every agent action is logged and replayable. You can export everything and leave at any time.One of HOLONA's standing commitments is simple to state: no data leaves the operator's permission scope. This page is that promise written down in technical terms — what we encrypt, what we retain, who can read what, and how you can verify it. It is the companion to our Privacy policy: the privacy policy describes your rights; this page describes the architecture that enforces them.
It is written for the person who has to sign off on connecting a Seller Central account to a third-party tool — an ops lead, an agency's compliance reviewer, or the seller themselves. Our practices align with Amazon's Data Protection Policy (DPP); our handling of Amazon's Business Solutions Agreement is documented separately on the BSA compliance page.
AES-256 using AWS KMS-managed keys. Keys rotate annually.TLS 1.2+ is enforced on every connection — including service-to-service traffic inside our own network, not just the public edge.Every piece of data we hold falls into one of three classes, each with a fixed retention rule and an automated disposal path.
| Class | Examples | Retention | Disposal |
|---|---|---|---|
| Marketplace PII | Buyer names, shipping addresses in order data | 30 days | Automated purge pipeline |
| Operational data (non-PII) | ASINs, ad metrics, inventory levels, pricing history | Up to 18 months | Scheduled deletion |
| Audit logs | Agent decisions, executed actions, trace records | At least 12 months | Postgres with S3 cold-storage rotation |
Marketplace PII is the personal data of your buyers that arrives embedded in order records — names, shipping addresses, and similar fields returned by Amazon's order APIs. HOLONA does not need this data beyond the operational window in which an order is fulfilled, so we do not keep it.
Purging is a pipeline, not a policy document. An automated job identifies PII fields at ingestion, tags them with a 30-day expiry, and deletes them when the clock runs out — no manual step, no batch someone has to remember to run. Derived analytics (order counts, regional aggregates) retain no personal identifiers.
The permission-scope promise is enforced at two levels.
admin, operator, and viewer. Admins manage connections and members, operators run and approve agent actions, viewers read.On the Amazon side, HOLONA connects only through the official SP-API and Ads API, under OAuth scopes you grant — and can revoke at any time from Seller Central. Every API call carries the x-amz-application-id header, so our access is attributable in Amazon's own logs. We do no browser automation and no scraping.
Customer data is never used to train any LLM or ML model — ours or any third party's. Your sales history, ad performance, and pricing strategy are inputs to agents working for you; they are not a corpus. This commitment has no exceptions, no opt-out mechanics, and no "aggregated and anonymized" carve-out.
Every agent decision and every executed action is logged with a replayable trace: what the agent saw, what it decided, what it did, and under whose permission scope. Traces let you reconstruct any action after the fact — for your own review or for a compliance audit. Audit logs are retained for at least 12 months in encrypted storage, in Postgres with rotation to S3 cold storage.
We keep the subprocessor list short. Currently:
Any addition to this list will be reflected on this page before the subprocessor handles customer data.
If we confirm a security incident affecting your data, we target notifying you within 72 hours of confirmation. Notification includes what data was affected, what we know about the cause, and what actions we are taking. We will not wait for a complete root-cause analysis to tell you something happened.
JSON and CSV — at any time, and you receive one at cancellation.Security questionnaires, audit requests, or anything this page does not answer: contact@holona.io. HOLONA Inc. is a Delaware C-Corp; the service is in closed beta as of Q3 2026.