Security Guidelines
Contributors must meet stringent security and privacy requirements to have their plugins integrated into the platform.
Organizational practices for handling sensitive data must be in place:
- Demonstrated compliance with applicable privacy laws, including PIPEDA (the Personal Information Protection and Electronic Documents Act), is mandatory.
- ISO 27001 certification and/or a SOC 2 attestation report are encouraged.
Technological safeguards must be in place to secure systems against attacks and data leaks:
- Controls against common vulnerability classes, including those listed in the OWASP Top Ten, should be in place.
- Communications between the integrator’s plugin and backend must employ TLS version 1.2 or higher.
- Regular penetration testing of the plugin and its backend is encouraged.
Access to the Open Innovation API is controlled through mutual TLS, API keys, and IP whitelisting. These controls are segregated by environment: the user acceptance testing (UAT) and production environments each require their own client certificate, API key, and registered source IP addresses, and credentials issued for one environment are not valid in the other. To obtain a mutual TLS certificate and API key, generate a private key and a certificate signing request (CSR) for each environment and submit the CSR to Central 1; the private key stays with the integrator and is never sent.
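As an added illustration of the onboarding steps above (this is not Central 1's own tooling, and the hostnames, subject fields, and `X-API-Key` header name are assumptions), the following script generates a separate private key and CSR for each environment with OpenSSL, checks the CSR before it is submitted, and shows how the issued certificate, key, and API key would be presented on an API call pinned to TLS 1.2 or higher. Only the `.csr` files are sent to Central 1; the `.key` files stay on the integrator's side, and the source IP of the machine running `api_call` must be among the addresses registered for that environment.

```shell
#!/usr/bin/env sh
# Added example: per-environment key + CSR generation for a mutual TLS
# client certificate, plus the API call that uses the issued certificate.
# Hostnames, the X-API-Key header, and subject fields are assumptions.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
umask 077   # key and CSR files are created readable by the owner only

# make_csr ENV ORG
# Writes $OUT_DIR/<ENV>-client.key (2048-bit RSA) and $OUT_DIR/<ENV>-client.csr.
# A distinct key pair per environment keeps UAT and production credentials apart.
make_csr() {
  env_name="$1"; org="$2"
  key="$OUT_DIR/${env_name}-client.key"
  csr="$OUT_DIR/${env_name}-client.csr"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" \
    -subj "/O=${org}/CN=integrator-plugin-${env_name}" 2>/dev/null
  printf '%s\n' "$csr"
}

# csr_cn FILE: prints the CN from the CSR subject (works with the
# "CN = x" and "/CN=x" subject formats of different OpenSSL versions).
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_ok FILE: succeeds only if the CSR's self-signature verifies,
# i.e. the file is intact and matches the private key that produced it.
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# api_call ENV PATH: call the environment's API with its own certificate,
# key, and API key. --tlsv1.2 refuses anything below TLS 1.2.
# The API key is read from UAT_API_KEY or PROD_API_KEY (assumed names).
api_call() {
  env_name="$1"; path="$2"
  case "$env_name" in
    uat)  host="api-uat.example.invalid"; key_var="UAT_API_KEY" ;;
    prod) host="api.example.invalid";     key_var="PROD_API_KEY" ;;
    *)    echo "unknown environment: $env_name" >&2; return 2 ;;
  esac
  eval "api_key=\${$key_var:-}"
  if [ -z "$api_key" ]; then
    echo "$key_var is not set" >&2
    return 2
  fi
  curl --fail --silent --show-error \
    --tlsv1.2 \
    --cert "$OUT_DIR/${env_name}-client.crt" \
    --key  "$OUT_DIR/${env_name}-client.key" \
    -H "X-API-Key: ${api_key}" \
    "https://${host}${path}"
}

# Generate the two CSRs to submit; the .key files never leave this host.
make_csr uat  "Example Integrator" >/dev/null
make_csr prod "Example Integrator" >/dev/null
```

After Central 1 returns the signed certificates, save them as `<env>-client.crt` next to the matching key and export the environment's API key before calling `api_call`; a production key or certificate presented to the UAT endpoint (or the reverse) will be rejected, which is the intended effect of the per-environment segregation.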