Security
Last updated: April 20, 2026
Press & Galley handles data that matters to you — your Amazon Advertising performance, your campaigns, your earnings. This page describes how we protect that data and how to report security issues.
How we protect your data
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using industry-standard AES-256. Database backups are encrypted with separate keys.
Access to your Amazon account
We never see or store your Amazon password. We connect to your Amazon Advertising account only through Amazon's official Login with Amazon (LWA) OAuth flow. Access tokens are encrypted in our database and rotated according to Amazon's specifications. You can revoke our access at any time from your Press & Galley dashboard or directly from your Amazon account settings.
Infrastructure
Our infrastructure runs on reputable cloud providers (Vercel for web hosting, AWS for backend services) that maintain SOC 2 Type II and ISO 27001 certifications. We follow the principle of least privilege for internal access, and all production access requires multi-factor authentication.
Development practices
We follow secure development practices, including code review, dependency scanning, and regular security updates. We use automated tools to detect common vulnerabilities and respond to security advisories promptly.
Data minimization
We collect only the data needed to provide the Service. We don't request broader Amazon permissions than necessary, and we don't store Amazon data longer than required to deliver the Service or comply with law.
Amazon Ads Partner Network compliance
Press & Galley complies with the Amazon Ads Partner Network Policies. Specifically:
- We do not solicit, collect, store, or proxy Amazon login credentials. All access is via OAuth.
- We maintain administrative, physical, and technical safeguards for Amazon Data consistent with industry standards.
- We respect Amazon's API throttling limits and implement exponential backoff, queuing, and error handling.
- We have documented processes for responding to data privacy and security incidents.
- We do not share Amazon Data with unauthorized third parties.
Reporting a security issue
If you believe you've found a security vulnerability in Press & Galley, please report it responsibly. We appreciate your help keeping our users safe.
How to report
Email security@pressgalley.com with:
- A description of the vulnerability
- Steps to reproduce it
- The potential impact you've identified
- Any relevant screenshots or proof-of-concept code
Our response
We commit to:
- Acknowledge your report within 2 business days
- Investigate and provide an initial assessment within 5 business days
- Keep you informed of our progress toward a fix
- Credit you publicly (with your permission) once the issue is resolved
Safe harbor
We will not pursue legal action against security researchers who:
- Report vulnerabilities in good faith
- Do not access, modify, or delete user data beyond what's necessary to demonstrate the issue
- Do not perform denial-of-service attacks, spam, or social engineering against our users or staff
- Give us reasonable time to address the issue before public disclosure (typically 90 days)
Incident notification
If we experience a security incident that affects your data, we will notify affected users without undue delay, and in any case within the timeframe required by applicable law. Notifications will describe what happened, what data was affected, what we've done in response, and what you can do to protect yourself.
Data deletion
You can disconnect your Amazon account and delete your Press & Galley account at any time from your dashboard. Upon account deletion, we delete your personal data and associated Amazon Ads data within 30 days, except where retention is required by law. See our Privacy Policy for details.
Contact
Security issues: security@pressgalley.com
Privacy questions: privacy@pressgalley.com
General inquiries: hello@pressgalley.com