How we handle passwords
Handling third-party passwords is a sensitive operation and requires adhering to the highest standards of security and compliance.
Here's how we can ensure best practices:
- Never Store the Passwords: When you use the Free plan you don't need to authenticate at all for most of the supported suppliers. But if you need to decide to send your supplier's username and password, we don't store the passwords, we handle them in transient memory and discard them as soon as they are no longer needed.
- Use Secure Connections: We have HTTPS to encrypt the data as it's transmitted between the client and your server.
- Implemented OAuth or Similar Protocols: This way you can avoid handling passwords directly. These systems provide tokens that can be used for authentication without the need to handle or store user passwords.
- Encrypt the Passwords: In Standard and Premium Plans we must store the passwords for accessing services like Purchase Order, Order Status, Order Shipment Notification, and Invoice. We encrypt those passwords using strong encryption algorithms, and that the keys are securely managed.
- Use Secure Input Fields: On the client side, use password input fields that hide the characters as the user types.
- Apply Proper Access Controls: Limit who has access to the parts of your system where the passwords are being handled. Implement robust logging to track who accessed what and when.
- Regular Security Audits and Compliance: Regularly review and audit your security practices and ensure that they comply with all relevant regulations and standards, such as GDPR or HIPAA.