Security review
Ivorycom runs on a federal-portal contract — every marketplace submission carries a security & app review packet, recorded immutably with the review decision.
What a submission requires
| component | requirement |
|---|---|
| Demo video | 3–10 minute walkthrough (https link): install → core flows → uninstall. Reviewers watch it before touching your app. |
| Sandbox attestation | You attest the exact version was installed and verified in a sandbox environment (install, behaviour, one-click uninstall). |
| Security questionnaire | Ten questions; four are mandatory attestations (below). |
| App questionnaire | Purpose, complete data flows, and step-by-step reviewer test instructions (+ optional test credentials). |
Mandatory attestations (non-negotiable)
- Encryption in transit — TLS 1.2+ on every connection touching platform data.
- Encryption at rest — wherever platform data persists on your side.
- 72-hour breach notification — confirmed breaches reported to Ivorycom and affected tenants within 72 hours.
- Tenant-scoped credentials + least privilege — no shared provider keys, no scope creep beyond the declared permissions.
Disclosure questions
| question | what reviewers do with it |
|---|---|
| Do you store platform data? What, where, retention? | Checked against your declared data flows and the listing description. |
| Deletion-on-uninstall window (0–90 days) | Held against the uninstall-cleanup contract; 0 is the strongest answer. |
| Sub-processors (name, purpose, location) | Surface in the review record; tenants under data-residency constraints rely on this. |
| Compliance certifications (SOC 2, ISO 27001, FedRAMP, HIPAA, GDPR DPA) | Not required to publish, but weighed for apps requesting write scopes. |
| Data residency regions | Recorded verbatim in the review record. |
| Vulnerability disclosure URL | Recommended; its absence is noted in review. |
The pipeline end-to-end
submit (manifest + review packet)
→ automated certification # schema, scopes, graphs, webhook safety
→ review team notified by email # packet summary + deep link to the queue
→ security & app review (human) # packet + demo video + test pass
→ published (or changes requested) # decision emailed to the submitter
→ tenant install governance # scope ack → sandbox → prod → 1-click uninstallA submission with an incomplete packet is rejected at the door with 422 REVIEW_PACKET_INCOMPLETE and a per-field issue list — nothing enters the queue without its evidence. Example packets ship with the SDK connectors (examples/*/review-packet.json).