Veyra Security
Marketplace evidence · Amazon SP-API

Data Transfer Mechanism evidence pack, assembled to the documentation an Amazon SP-API reviewer expects.

Veyra prepares Amazon SP-API Data Transfer Mechanism evidence packs as part of a gray-box API security assessment. The pack is assembled to the documentation expected by the Amazon SP-API reviewer and includes scope, methodology, findings, remediation verification, and an independence disclosure that names the reviewer where applicable.

Why this exists

The reviewer wants a current, dated, reproducible assessment of the public-facing APIs in scope.

Amazon SP-API approval requires a Data Transfer Mechanism Inquiry submission backed by a current penetration test of the APIs that touch Amazon-restricted data. The assessment is gray-box, manually validated, scoped to the listed PRE.4.9 APIs, and delivered with severity scoring, remediation status, and an independence disclosure that the reviewer can verify.

Veyra's evidence pack is the assembled artifact: the executive summary, the technical report, the retest letter, and the marketplace-mapped evidence index — packaged with the response language used in the SP-API questionnaire so the submission is consistent with the report.

What Veyra is — and is not

Aligned to Amazon SP-API requirements. Not Amazon-affiliated.

The deliverable is described as “aligned to Amazon SP-API requirements,” and the language used in the executive summary mirrors that phrasing. The relationship between Veyra and Amazon is described accurately on every artifact.

Non-affiliation statement

Veyra Security is not Amazon-approved, Amazon-certified, or an Amazon partner. The engagement is an independent application/API penetration test performed by Veyra Security, operated by ARK Solutions LLC. The deliverable is aligned to the documentation expected by the Amazon SP-API reviewer; no implied or claimed affiliation with Amazon exists.

What is in the pack

Eight artifacts, mapped to the SP-API questionnaire.

  • Doc 01 · Executive summary. Two-page reviewer-safe summary. Findings counts. Remediation status. Independence statement repeated verbatim from the technical report.
  • Doc 02 · Technical report. Full findings, evidence, severity rationale, reproduction steps. Source Serif 4, archive-ready PDF, OWASP-mapped coverage matrix.
  • Doc 03 · SP-API mapping. For each PRE.4.9 listed API/URL: whether it was included in the pentest, the technical-report section, and notes. Used as the questionnaire's evidence anchor.
  • Doc 04 · Amazon coverage matrix. For each Amazon coverage area (auth, authz, token handling, restricted data paths): whether it was covered, the technical-report reference, and notes.
  • Doc 05 · Retest letter. Separately dated artifact confirming remediation against named commits or releases. Required before submission if any critical/high finding was open at first delivery.
  • Doc 06 · Independence disclosure. Relationship between Veyra and the engaging client, with the named reviewer when applicable. Same text on the executive summary, the technical report, and this pack.
  • Doc 07 · Response language. Suggested verbatim text for the SP-API questionnaire fields, mirroring the executive summary so the submission and the evidence agree.
  • Doc 08 · Submission checklist. Filename conventions, attachment list, dates, and signoff stamps required by the Amazon submission flow at the time of pack assembly.

Operating method

Standard method, marketplace-shaped output.

The pack is the outer shell. The engagement underneath is the Veyra gray-box API methodology — same authorized scope, same manual validation, same severity model, same evidence pack standard.

  1. Intake. You describe the application, the SP-API roles requested, and the PRE.4.9 listed APIs/URLs. The Amazon submission deadline anchors the engagement window.

  2. Mutual NDA. Signed before any sensitive scope detail is exchanged; delivered out of band as a countersigned PDF.

  3. SOW · ATT · ROE. Statement of Work, Authorization to Test, and Rules of Engagement countersigned before any traffic is sent. Includes SP-API-specific authorizations.

  4. Active testing. Gray-box, authenticated, against the agreed environment. OWASP API Security Top 10, ASVS L2 controls, restricted data path review.

  5. Pack assembly & retest. Technical report, executive summary, SP-API mapping, response language. One free retest. Final pack delivered ready for SP-API submission.

Next step

Describe the SP-API submission deadline and the listed APIs in scope.

Engagement requests receive a reply from a named assessor within one business day.