Charging Forward: Sellix's First Annual Security Report

At Sellix, we believe that a significant part of earning and maintaining any level of trust with our businesses and customers is through transparency of how we handle global operations on our platform. To this end, Sellix has begun to publish annual security reports and will continue to post them for the foreseeable future.

What is Sellix?

From selling, delivering, marketing, to analytics-ing, Sellix is a one-stop platform with all you need to sell digital products successfully. We power ambitious entrepreneurs worldwide and intend to build the world's largest digital e-commerce platform—all with the help of you.

If you sold a product, bought a product, or searched for a product on Sellix, you were part of a community that focuses on unity and cohesion. You're always welcome.

Overview

This report will outline everything from enforcement of our guidelines, attacks on our infrastructure and API, prevention of fraudulent actors, law enforcement requests and more.

You can find more information about how we handle data protection (as well as cookies) here at Sellix in our Privacy Policy.

Fraud Prevention

Sellix stands out from competitors because of its focus on an in-house fraud prevention system. We believe that a robust product that'll eliminate risk & fraud will spearhead our growth.

Last year we announced that we were doubling down on investing more resources into our fraud prevention system. One year later, we were right.

Introducing Sellix Fraud Shield.

Our system blocked and/or flagged 641,000+ transactions when we screened over 3,000,000+ potentially fraudulent orders.

By powering over 300,000+ businesses, our Fraud Shield blocked, prevented, and detected:

81,000+ private blacklists by businesses on their customers
Blocked over 336,000+ customers with a VPN from purchasing products based on business rules
46,000+ TOR users blocked, preventing underground and illicit actors from purchasing products
Over 582,000+ proxies detected and mediated from potential high-level disputes
138,000+ detected customers with ill fraudulent intent
260,000+ BOTs and automated services were blocked

From popular payments methods such as PayPal and Debit/Credit Cards (through our processing partner, Stripe), we were able to identify and block known charge backers (abusing the dispute process):

33,700+ disputes through PayPal were opened in 2021–2022. 15,800+ (47%) were resolved in the business' favour with our order information provided to businesses
56,000+ unique customer details added to our shared business blacklist for known fraudulent customers and charge backers

Once again, we were right. Sellix will continue to make an even more significant investment into our Fraud Shield this year, and we hope we'll crush this with our following annual report.

Platform Compliance

There's a major shift happening in the world of digital e-commerce, and I'm sure we've all felt it. That is why we believe that the security of a platform — one that processes millions of payments for thousands of businesses — is of utmost importance at any time of the day.

We're diving deep into the security of the Sellix platform and our continued willingness in being transparent and open with you and customers.

In 2022, we released our new Report Abuse Form from our traditional email abuse system. This helped us centralize and simplify our moderation efforts by keeping logs of previous infractions. This system also coincides with our Strike System and Business Code of Conduct.

Let's take a look at our progress so far with our new report system:

Over 47,000+ products were taken down due to violations of our code of conduct, selling policies, and copyright infringements
1,800+ unique businesses were terminated by our automated systems
We received a total of 900+ reports around 560+ individual businesses (37% of repeat multiple reports where we took immediate action)
90+ businesses were suspended/banned
10+ businesses were warned/striked

The metrics above are critical. Not only do they measure our global risk operations and how we've been able to deal with content infringing on our policies, but they also shed light on our commitment to transparency.

We will continue to build out our moderation team with a focus on keeping customers safe and establishing a platform built around trust and civility. Read more about our coalition against abuse.

"A platform that doesn't exercise common courtesy and respect is not a platform, but instead an embarrassment. We must realize there are human beings behind each screen."

Information Requests

Sellix will disclose information in response to any valid legal process per our Terms of Service, Privacy Policy, and to the extent consistent with the laws and regulations within the Italian Republic and other applicable laws.

Throughout 2021–2022, Sellix has received 10 law enforcement requests for information of businesses powered by Sellix. We objected to 7 (70% of the requests).

International governmental authorities should use the Mutual Legal Assistance Treaty ("MLAT") request or letters rogatory process to seek business information from Sellix. Sellix will review and respond to correctly submitted preservation requests while the MLAT or letters rogatory process is underway.

Sellix will not disclose business information to any third party without being compelled to the fullest extent of the law as outlined in our Requests for Information Policy.

Account Safety

Keeping your business secure is an essential part of selling on Sellix. Unfortunately, while we recommend several best practices to businesses, not all businesses take these precautions. As a result, some businesses lose access to their funds, products, reviews, and more.

Since our inception, Sellix has rolled out support for two main account security methods: Two-factor authentication (2FA) and Multi-factor authentication (Email). We believe that both of these methods of account protection will keep it from being compromised.

Sellix also supports many other account security measures for our Business customers, including Lockdowns, Detections, Requirements, Sessions, and Trails.

Lockdowns provide an added sense of safety, allowing businesses to lock their accounts to certain countries and block any attempt to sign in if they don't meet those criteria.

Detections, or more, malicious login attempts detect unusual activities with business' accounts and automatically require 2FA when the effort to log in doesn't meet our system standards. Businesses will receive notifications when we detect malicious activities and terminate the fraudulent session.

Requirements present another safety measure for businesses and their team. By enabling requirements, our system will require your team to set up and enable any of our supported security methods: 2FA (OTP) or MFA (Email).

Sessions details a complete list of every login session (active or inactive) since creating the account. Our authentication system works with JSON web token (JWT), which generates a new token every time a user signs in or changes their shop, thus invalidating the previous token.

Trails is a recent introduction where businesses can view a deep dive of every request made to their account, from types (GET, POST) and operations (DELETE, UPDATE, CREATE, GENERAL), where the audit trail logs can be filtered by shop, session, and more.

These account safety features revolve around our continued commitment to bridging the gap between safety and compromise. Sellix strives to build the world's largest (and most accessible) platform to sell digital products. To do so, we must solidify ourselves with the safety of business accounts above all else.

Review Management

In 2021, we introduced our feedback appeal system during an increasing time when reviews and feedback for businesses are ever more important. But, however crucial it is, it's also a time when thoughts can be manipulated and falsified by customers.

We felt that introducing a way for businesses to appeal a competitor's false reviews or ones that contain personal information was crucial in developing a global platform for digital commerce.

In 2022, we updated our guidelines for disputing reviews and further developing on top of our systems for managing feedback appeals. Learn more about our review dispute guidelines.

Here are some of our appeal analytics:

3,400+ review disputes were approved from over 150,000+ global reviews for businesses powered by Sellix
220+ disputed reviews were denied due to reviews being truthful and not in violation of our guidelines
The average review score that was disputed (from a scale of 1–5) was 1.89
Our team took an average of 13 hours to review the appeal of each dispute, in line with our guidelines
11 businesses were banned from disputing reviews due to abusing our dispute/appeal system

Our team thoroughly reviews each review dispute and ensures that they violated our guidelines. In addition, every member of our team that handles review appeals is impartial throughout, providing that no views can alter the final judgement.

Risk Operations

Sellix is committed to operating its business with the utmost integrity and highest ethical standards to ensure security across all boards. As a result, we've put guidelines in place to guarantee customers' safety when purchasing products from Sellix.

Our customers have seen our abuse team convert to "Risk Operations" for the past few months. We made this change to ensure that we're adequately protecting any level of risk towards the Sellix platform. Additionally, our risk operations team members handle abuse reports according to our Business Code of Conduct and Terms of Service.

Over 1,500+ were investigated by our Risk Operations Team and suspended/terminated due to grave policy violations.

Account Deletions

While we're sad to see the businesses that grew with us depart, it's evident that we have a responsibility to comply with the principles underlying the GDPR (the European Union's data protection regulation) and the CCPA (the California Consumer Privacy Act).

Throughout our platforms' history, we've seen:

530+ processed business account deletions
340+ processed user account deletions
55+ pending requests for account deletion

Account deletions are processed within 60 days of the initial request to allow the user to cancel their request. Once we delete any user/business account, all related data and information is also deleted and cannot be retrieved for whatever reason. Learn more about our deletion process.

Copyright Infringement

Our philosophy revolving around stolen or copyright-protected products at Sellix is simple: they aren't allowed.

Sellix is committed to ensuring that goods or services hosted or listed on our platform do not violate or infringe on anyone's intellectual property/copyright.

Please note that:

Only the copyright owner or their authorized representative may file a report of copyright infringement.
We regularly provide the rights owner's name, your email, and the details of your report to the person who posted the content you are reporting.

In 2021–2022, we saw less than 20 legitimate requests for copyright takedowns, and we complied with them all. Our risk operations team also investigates reports internally to ensure that stolen content isn't promoted or hosted through our platform.

We've made our stance on infringement clear, and to learn more, read about our copyright infringement & intellectual property violations article.

Going beyond our platform security report, we'd like to shed a bit more light from our engineering standpoint. When we focused on our engineering teams' operation to keep our platform secure from day one, the results were more than astonishing. We'll continue to keep that commitment.

API

Our API typically receives over 1M+ requests every day, processing requests from over 142 different countries. We saw over 33.6M+ requests in the past month, with 135.22GB+ being transferred.

Our API endpoints haven't traditionally been attacked from Layer 7 DDoS attacks than our Web App. Thanks to our extended and strongly customized rate limits for each endpoint, from authentication to general usage.

Over the past 30 days, our developers API has received over 300,000+ requests and delivered a total of 1,150,000+ in webhook requests.

We've worked tirelessly to develop our API infrastructure the past year by moving from a single dedicated server on a hosting provider to configuring a massive Autoscaling Group powered by AWS, decoupled with AWS RDS (database ops), AWS Elasticache (caching), AWS Lambda (cronjob and/or other functions), AWS SES (email delivery), along with a variety of other services.

Externally, our public and developer endpoints are protected through our frontend by Cloudflare, where internal ones (e.g. api.sellix.internal) are routed directly through Route53 for optimal performance through our multi-region requests coming from our Web App. This enabled us to reduce seconds of API delays on intercontinental requests and Global Accelerator.

Web App

Consistently, our Web App receives over 3.9M+ daily requests (verified and coming from real users) from 200+ different countries. For the past 30 days, we've seen over 351.27M+ requests with 8.02TB+ transferred.

We can confirm that our Web App continues to be a target of Layer 7 DDoS attack every day with over 115.04M+ security threats over the past 30 days, led by:

Indonesia with 3,852,580 requests
China with 2,175,640 requests
Russian Federation with 2,155,030 requests
India with 2,065,124 requests
United States with 2,015,216 requests

The top crawlers that we've been able to identify were:

Facebook with 277 requests
Google with 134 requests
Bing with 72 requests
Twitter with 69 requests
Yandex with 3 requests

In retrospect, our biggest Layer 7 DDoS targeted attack between February 27th and February 28th, 2022, have been 214.10K requests per second which translates to:

12.84M requests per minute
308.30M requests in an hour
7.39B requests in a day

These Layer 7 DDoS attacks targeted our domain directly (sellix.io:443/) and not any of our business customers' domains or subdomains. We've made a more considerable investment to mitigate DDoS attacks, and we've been able to do so with immeasurable success.

As of writing, for the past 30 days, we have seen 100% uptime at zero downtime, allowing us to deliver better experiences for our customers. This uptime can be verified via our Service Health Page.

We've utilized customized rate limit rules for use on our Web App. Our Web App's frontend is also securely powered by Cloudflare and is not using AWS services such as WAF or Shield Advanced.

For the past year, we've been working hard to elevate and upgrade our infrastructure. This highlights our investment in creating an experience limitless to growth; you can learn more about our infrastructure here. We're powered by a Multi-Region, Multi-AZ Elastic Beanstalk Node application connected by AWS Global Accelerator with a complete pipeline.

Every business powered by Sellix and its domain is protected by our rules, mitigation and security policies. This in itself allows us to safeguard our customers' business without impeding their operations.

Contact Us

Sellix is committed to building next-gen tools, features, and products that will only power the future of digital commerce. To learn more about our security apparatus, the privacy of businesses, global infrastructure, and more, you can directly email us at support@sellix.io.

We can't wait to share what we have scaled next year in our annual report. See you next year!

Build Your Empire

Sellix has built one of the world's most powerful platforms for entrepreneurs to sell digital goods online. Our product includes everything needed to build, scale, and operate an online store. We're here to empower the entrepreneurs of tomorrow.

With Sellix, entrepreneurs can deliver products more effectively, connect powerful software tools and services for growth, and offer international support to customers — all within a secure environment.

Sell all types of digital goods and not just files. We can handle videos, serials, dynamics, services, subscriptions, and more!
Accept popular cryptocurrencies in minutes such as Bitcoin, Ethereuem, Litecoin, Bitcoin Cash, Solana, and more!
Receive automatic alerts for chosen actions such as new edits being made to a product or a new order — you don't have to receive thousands of emails.
Sellix offers integrations with Google Analytics, Crisp Chat, Discord, and much more innovative softwares.
Protect yourself from fraudulent buyers with Fraud Shield. Use data points to protect you from known fraudsters.
Keep operations running with guaranteed premium support within 30 minutes.