Security overview
Effective date: 2026-05-15
Grove is a service of Infruition LLC. Infruition operates Grove on infrastructure designed to protect the confidentiality, integrity, and availability of your data. This page summarizes the technical and organizational controls we have in place. It is intended to satisfy the security review required by Amazon for Ads API access and to give customers a single reference document.
Encryption in transit
All HTTP traffic to Grove is served over TLS 1.2 or higher with modern cipher suites. Plain HTTP requests are redirected to HTTPS at the edge. Internal traffic between our application servers and the Postgres database is encrypted with TLS using server-validated certificates. Webhooks and outbound API calls (Amazon Advertising, Login with Amazon, OpenAI, Anthropic) are made over TLS only.
Encryption at rest
All customer data in Postgres is encrypted at rest using AES-256 by the storage layer. Database backups inherit the same encryption. Object storage, if used for file uploads, is encrypted with AES-256 at the storage layer and accessed only via short-lived signed URLs.
Credential storage
Amazon Ads API refresh tokens are stored in a single, system-level database table that is unreadable by any tenant role. Only a service-role credential held by our application servers can read or write that table; row-level security blocks all other access. Login with Amazon access tokens are short-lived, cached in memory only, and never written to disk. Application secrets (database service-role key, LWA client secret, Anthropic API key) live in the deployment environment's secret store and are never committed to source control.
Access controls
Grove uses Postgres row-level security to enforce tenant isolation. Every multi-tenant table has policies that restrict select, insert, update, and delete to rows where the tenant_id matches the authenticated user's membership. The application server additionally filters by tenant_id as defense in depth. The service-role credential is used only by trusted server-side code paths (such as the Amazon OAuth callback) and is never exposed to client code.
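The row-level security pattern described under Credential storage and Access controls, as an added plain-PostgreSQL example; it is not Grove's actual schema or policies. Every table, role, function and setting name (memberships, campaigns, amazon_refresh_tokens, tenant_user, app_service, current_user_id, app.user_id) is hypothetical; on Supabase the built-in auth.uid() would take the place of current_user_id().

```sql
-- Constructed schema: every table, role and function name here is hypothetical.
CREATE ROLE tenant_user NOLOGIN;            -- customer sessions run as this role
CREATE ROLE app_service NOLOGIN BYPASSRLS;  -- server-side service role (superuser creates it)

CREATE TABLE memberships (user_id uuid NOT NULL, tenant_id uuid NOT NULL,
                          PRIMARY KEY (user_id, tenant_id));
CREATE TABLE campaigns (id bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
                        tenant_id uuid NOT NULL, name text NOT NULL);
CREATE TABLE amazon_refresh_tokens (tenant_id uuid PRIMARY KEY,
                                    refresh_token text NOT NULL);

-- Identity of the signed-in user, read from a per-transaction setting.
-- Unset or empty yields NULL, so every policy below fails closed.
CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- A user can read only their own membership rows.
ALTER TABLE memberships ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_memberships ON memberships FOR SELECT TO tenant_user
  USING (user_id = current_user_id());
GRANT SELECT ON memberships TO tenant_user;

-- Tenant table: USING filters select/update/delete; WITH CHECK rejects
-- inserts or updates that would place a row in another tenant.
ALTER TABLE campaigns ENABLE ROW LEVEL SECURITY;
ALTER TABLE campaigns FORCE ROW LEVEL SECURITY;  -- table owner is subject too
CREATE POLICY tenant_isolation ON campaigns FOR ALL TO tenant_user
  USING (tenant_id IN (SELECT m.tenant_id FROM memberships m
                       WHERE m.user_id = current_user_id()))
  WITH CHECK (tenant_id IN (SELECT m.tenant_id FROM memberships m
                            WHERE m.user_id = current_user_id()));
GRANT SELECT, INSERT, UPDATE, DELETE ON campaigns TO tenant_user;

-- Token table: RLS enabled with no policy is default-deny for every role
-- without BYPASSRLS; the revoke removes table privileges as a second layer.
ALTER TABLE amazon_refresh_tokens ENABLE ROW LEVEL SECURITY;
REVOKE ALL ON amazon_refresh_tokens FROM PUBLIC, tenant_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON amazon_refresh_tokens TO app_service;

-- Audit check: any table carrying tenant_id without RLS is an isolation gap.
SELECT c.relname
FROM pg_class c
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attname = 'tenant_id' AND NOT a.attisdropped
WHERE c.relkind = 'r' AND c.relnamespace = 'public'::regnamespace
  AND NOT c.relrowsecurity;
```

The final query is suited to a CI or scheduled check: a non-empty result means a tenant-scoped table was added without row-level security enabled.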
Authentication
Customer accounts authenticate through Supabase Auth using single sign-on. Sessions are managed via signed, HttpOnly, Secure cookies with SameSite=Lax. Session tokens are rotated on a regular cadence and invalidated on sign-out. Administrative consoles for Supabase and Vercel require multi-factor authentication for every Infruition employee with access.
Network and platform
Grove runs on Vercel, with the database on Supabase, both deployed on AWS in the United States. Edge traffic is filtered for common attack patterns. The database accepts connections only over TLS and only from our application servers and operators. We do not expose direct database access to customers.
Vulnerability management
We run automated dependency vulnerability scans on every push and at least weekly thereafter. Critical and high severity findings are triaged within 24 hours. We patch first-party application code through standard pull request review. We rely on Vercel and Supabase to patch the underlying platform layers within their published service-level commitments.
Penetration testing
We commission an independent third-party penetration test of Grove on an annual cadence. Findings are tracked to remediation and re-tested. The most recent test summary is available to qualified customers under NDA. Until the first external test is complete, we conduct internal black-box and grey-box testing against the same checklist (authentication bypass, broken access control, injection, server-side request forgery, sensitive data exposure, security misconfiguration).
Logging and monitoring
Application logs, database audit logs, and authentication events are retained for 12 months. Logs are scrubbed of secrets before storage. We monitor for anomalous authentication, anomalous query volume on tenant-isolated tables, and unauthorized access attempts to the Amazon tokens table. Alerts page an on-call operator.
Incident response
If we confirm that a security incident has materially affected customer data, we will notify affected customers within 24 hours of confirmation with the facts then known, the steps we have taken to contain the incident, and the remediation we recommend. Our runbook covers detection, triage, containment, eradication, recovery, customer notification, regulator notification where required, and post-incident review. We rotate any potentially exposed credentials within the same response cycle and verify that the rotation took effect.
Backups and recovery
Postgres is backed up by Supabase with point-in-time recovery to a recent window and daily full backups retained for 7 days minimum. We periodically test restoration into a non-production environment to confirm recoverability.
Personnel and access
Production access is limited to Infruition operators who require it for their role. Access is granted using least-privilege role assignments, reviewed at least quarterly, and revoked promptly on offboarding. All operators sign a confidentiality agreement that survives termination.
Subprocessors
Our subprocessors are: Supabase (database and authentication), Vercel (hosting and edge delivery), OpenAI and Anthropic (large language model inference for AI features), Google (sign-in identity provider), and Amazon (advertising data source). We update this list when it changes and will notify customers in advance of material changes.
AI agent controls
Grove uses AI models from OpenAI and Anthropic to draft listing copy, classify search terms, summarize account activity, and (where you have authorized it) take optimization actions on connected Amazon accounts. We comply with Amazon's Selling Partner AI Agent Policy effective March 4, 2026. Every Amazon API call originated by an AI workflow identifies itself in the User-Agent header. We classify every AI action by impact: read-only and low-impact analytical actions run automatically; routine writes within prudent caps (single bid change ≤20%, single negative keyword) run automatically with audit logging; and high-impact actions — price changes greater than 20%, bulk operations on more than 500 ASINs, account configuration, brand registry changes, and FBA inbound or removal orders — require human approval through an in-app queue before execution. Every AI-driven change is logged for 12 months with the model used, the prompt hash, the reasoning, and the approving human (where applicable). A global kill switch halts all AI activity within seconds; it engages automatically on any throttling response, suspected policy violation, or unhandled exception. We do not permit OpenAI or Anthropic to use Amazon data to train or fine-tune their models.
Reporting a vulnerability
If you believe you have found a security vulnerability, please email hello@infruitionmarketing.com with the steps to reproduce. We commit to acknowledging receipt within two business days and to keeping you informed as we triage and fix the issue. We will not pursue legal action against good-faith researchers who follow responsible disclosure practices.