Security & Privacy at M20 Autopilot
Last updated: June 2026
M20 Autopilot is built on a security-first foundation. We protect your Amazon advertising data, account access, and business metrics with strong encryption, strict access controls, and continuous monitoring. This page explains exactly how we keep your data safe, what rights you have over it, and how we respond when things go wrong.
TLS 1.3 Encryption
AES-256 at Rest
SOC 2 Aligned
Zero-Knowledge OAuth
Breach Notice < 72h
Data Deletion in 30d
Pen Tested Biannually
3 Vetted Subprocessors
Data Encryption
All your data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256. Your campaign metrics and advertising data are never stored in plain text, whether moving between systems or sitting in our databases.
Amazon Account Access
We connect to your Amazon account through the official Amazon SP-API using secure OAuth. We never see or store your Amazon password, and you can revoke our access at any time directly from your Amazon account.
Access Controls
We apply strict role-based access and least-privilege permissions. Multi-factor authentication is mandatory for every internal system that touches your data, so only authorized people can access what they truly need.
Secure Infrastructure
Our platform runs on hardened cloud infrastructure with isolated environments, automated security patching, and continuous intrusion monitoring across every region we operate in.
Continuous Monitoring
We use real-time logging, anomaly detection, and automated alerts to identify and respond to suspicious activity quickly, often before it can become a problem.
Session & Token Security
User sessions expire after 24 hours of inactivity and require re-authentication. Amazon OAuth tokens are rotated automatically before expiry. All refresh tokens are stored encrypted and are invalidated immediately upon account disconnection or deletion.
Penetration Testing
We conduct structured security assessments every 6 months, covering API endpoints, authentication flows, and data access paths. Critical findings are remediated within 72 hours and high-severity findings within 14 days. Results are reviewed by the Security Owner.
Data Isolation & AI Privacy
Every seller's data is logically isolated using row-level security. Your advertising data is never mixed with another customer's data, and it is never used to train AI models that benefit other sellers. When AI features process your data, only the minimum required context is sent to our AI provider.
Third-party Subprocessors
We work with a limited set of vetted subprocessors to deliver the service: Supabase (database & authentication — EU/US infrastructure), OpenAI (AI features — data is not used for model training), and Resend (transactional email). All subprocessors are bound by data processing agreements and may not use your data for any other purpose.
Data Residency
Your data is stored on Supabase-managed PostgreSQL databases hosted on AWS infrastructure. Primary storage is in the US East region. If your business requires a specific data residency region, contact us at the support email and we will advise on available options.
Cookies & Local Storage
We use browser local storage solely to maintain your session, remember your language and theme preferences, and store your chatbot conversation history (up to 24 messages). We do not use third-party advertising cookies or tracking pixels. You can clear all stored data at any time through your browser settings — this will sign you out of the platform.
Data Export
You have the right to a full export of your data at any time. To request your export, go to Settings → Account → Export My Data, or email us at the support address below. Exports are delivered as a structured JSON file within 7 business days and include your profile, campaign data, AI query history, and audit logs.
Account & Data Deletion
You may permanently delete your account and all associated data at any time from Settings → Danger Zone → Delete Account. Once confirmed, your personal data, campaign data, Amazon connection, and AI history are permanently erased within 30 days. Anonymized aggregate statistics (no personally identifiable information) may be retained for internal analytics. To request deletion by email, write to the support address below.
Your Control Over Your Data
You stay in charge at all times. You can connect securely through Amazon's official OAuth flow, grant only the permissions the AI agent needs, disconnect M20 from your Amazon account at any time, export your full data on request, and request permanent account deletion whenever you wish. All these actions are available from your account settings without needing to contact us.
Breach Notification
In the unlikely event of a data breach that affects your personal or advertising data, we will notify you by email within 72 hours of confirmed discovery — in line with GDPR requirements. The notification will describe what data was affected, what steps we have taken, and what actions (if any) you should take. We will also notify the relevant supervisory authorities as required by law.
Compliance & Standards
Our controls are aligned with SOC 2 Type II practices, and we honor data protection rights under GDPR and CCPA. Our Amazon integration is a certified SP-API integration. All traffic is encrypted with TLS 1.3, and we undergo a structured security review every 6 months.
Reporting a Security Issue
If you discover a potential security issue, please email our security team at security@m20autopilot.com. We review every report, acknowledge receipt within 24 hours, and respond with our assessment within 5 business days. We are committed to responsible disclosure and will not pursue legal action against good-faith security researchers.
Security team
security@m20autopilot.comSupport
support@m20autopilot.com