Overview
In order to promote your integration to our production environment, we will require the following to be in place:
- Completed Application Review
- Signed Partner Agreement
- Completed Cyber Questionnaire and Security Assessment
1. Completed Application Review
We will need you to provide the following information and walk us through your application and its integration with Class. The following considerations need to be addressed:
- Architecture diagram, detailing all components involved in the integration.
- Security principles. Ensure the following:
  - All interactions and redirects are made over HTTPS.
  - The Client uses the state parameter on authorization requests to mitigate CSRF attacks.
  - The Client requests an appropriate (i.e. minimal) set of permissions via the scope parameter in authorization requests.
  - The Client uses refresh tokens where appropriate, rather than requiring Class users to click through the authorization process multiple times.
- List of IP addresses from which requests will originate.
- Request profile
  - Partner to ensure that the Client does not request data in ways that are likely to place undue load on Class servers.
  - Partner to provide a description of the request profile: expected number of requests per day, how requests are initiated (user triggered, scheduled or batch), and the timing and volume of requests across the day.
  - Confirmation of the maximum number of requests in any 5 minute period.
- Error handling. Ensure that the Client handles errors from the Class API gracefully, including when a Class user cancels the authorization process.
  - Details of the error handling and retry process: if requests are batched and one of them fails, does the retry re-issue only that request, or is the entire batch restarted?
  - Details of back-off handling, if any.
  - Confirmation that the WAF throttling response (HTTP 429) is handled appropriately and that the Client backs off before retrying.
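The security principles above, as an added example that is not Class's own code: an OAuth 2.0 authorization-code client that refuses non-HTTPS URLs, binds an unguessable single-use state to the user's session and checks it on the callback (including the cancelled case), asks for a minimal scope, and refreshes ahead of expiry instead of sending the user back through authorization. The endpoint URLs, the scope name and the session store are assumptions for illustration.

```python
# Added example, not Class's own code: an OAuth 2.0 authorization-code client
# applying the review principles. Endpoint URLs, the scope name and the
# session store are assumptions for illustration.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"   # assumed endpoint
REDIRECT_URI = "https://partner.example.com/oauth/callback"  # assumed endpoint
MINIMAL_SCOPES = ("fund:read",)  # assumed scope name; request only what the feature needs
STATE_TTL = 600  # seconds a pending state stays valid


def require_https(url):
    """Refuse to redirect to or from anything that is not HTTPS."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-https URL: {url}")
    return url


class OAuthClient:
    def __init__(self, client_id, session):
        self.client_id = client_id
        self.session = session  # server-side, per-user store (a plain dict here)
        self.tokens = None

    def build_authorization_url(self, scopes=MINIMAL_SCOPES, now=None):
        # An unguessable state bound to this user's session lets the callback
        # reject authorization responses the user never initiated (login CSRF).
        state = secrets.token_urlsafe(32)
        self.session["oauth_state"] = state
        self.session["oauth_state_issued"] = time.time() if now is None else now
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": require_https(REDIRECT_URI),
            "scope": " ".join(scopes),
            "state": state,
        }
        return f"{require_https(AUTHORIZE_URL)}?{urlencode(params)}"

    def handle_callback(self, callback_url, now=None):
        """Return the authorization code, or None when the user cancelled.
        A missing, mismatched or expired state raises and is never exchanged."""
        now = time.time() if now is None else now
        query = parse_qs(urlparse(callback_url).query)
        expected = self.session.pop("oauth_state", None)  # single use: consumed here
        issued = self.session.pop("oauth_state_issued", 0.0)
        received = query.get("state", [None])[0]
        if expected is None or received is None or not secrets.compare_digest(
            expected.encode(), received.encode()
        ):
            raise PermissionError("state mismatch: possible CSRF, callback discarded")
        if now - issued > STATE_TTL:
            raise PermissionError("state expired; restart the authorization")
        if "error" in query:  # e.g. error=access_denied when the user cancels
            return None
        return query["code"][0]

    def store_tokens(self, token_response, now=None):
        """Keep the token endpoint's response, recording an absolute expiry time."""
        now = time.time() if now is None else now
        self.tokens = {
            "access_token": token_response["access_token"],
            "refresh_token": token_response.get("refresh_token"),
            "expires_at": now + float(token_response["expires_in"]),
        }

    def needs_refresh(self, now=None, margin=60):
        """True when the access token is within `margin` seconds of expiry, so the
        client refreshes quietly instead of showing the user the consent screen again."""
        now = time.time() if now is None else now
        return self.tokens is None or now >= self.tokens["expires_at"] - margin
```

The state is popped from the session on first use, so a replayed or forged callback fails the comparison even if the attacker learned an earlier state value; the `error` check runs after the state check because a cancellation response carries the state as well.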
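The request profile and error handling items above, as an added example that is not Class's own code: a request helper that keeps the Client under an agreed requests-per-5-minute budget with a sliding window, backs off on HTTP 429 and 5xx (honouring a numeric Retry-After, otherwise exponential back-off with jitter), does not retry other 4xx responses, and retries only the failed item of a batch rather than restarting the whole batch. The limit value, the transport stand-in and the scripted responses are constructed for illustration.

```python
# Added example, not Class's own code: rate limiting, 429 back-off and per-item
# batch retry. The limit, the transport stand-in and the sample replies are
# assumptions constructed for illustration.
import random
import time
from collections import deque

MAX_PER_WINDOW = 100   # assumed; use the figure confirmed in the application review
WINDOW_SECONDS = 300.0


class ClientError(Exception):
    """4xx other than 429: the request itself is wrong, so retrying will not help."""


class GaveUp(Exception):
    """Retries exhausted for one item; the caller decides what to do with it."""


class WindowLimiter:
    """Sliding-window limiter: at most `limit` calls in any `window` seconds."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.calls = deque()

    def wait_time(self):
        """Seconds to wait before the next call, 0.0 if it may go now."""
        now = self.clock()
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()
        if len(self.calls) < self.limit:
            return 0.0
        return self.window - (now - self.calls[0])

    def record(self):
        self.calls.append(self.clock())


def backoff_delay(attempt, retry_after=None, base=1.0, cap=60.0, rng=random.random):
    """Exponential back-off with full jitter; a numeric Retry-After header wins."""
    if retry_after is not None:
        try:
            return float(retry_after)
        except ValueError:  # HTTP-date form of Retry-After: fall back to computed delay
            pass
    return rng() * min(cap, base * 2 ** attempt)


def call_with_backoff(send, request, limiter, sleep=time.sleep, max_attempts=5):
    """send(request) -> (status, headers, body). Retries 429 and 5xx with back-off."""
    for attempt in range(max_attempts):
        delay = limiter.wait_time()
        if delay > 0:
            sleep(delay)          # stay inside the agreed per-window budget
        limiter.record()
        status, headers, body = send(request)
        if status == 429 or 500 <= status < 600:
            sleep(backoff_delay(attempt, retry_after=headers.get("Retry-After")))
            continue
        if 400 <= status < 500:
            raise ClientError(f"{status} for {request}: {body}")
        return body
    raise GaveUp(f"no success after {max_attempts} attempts for {request}")


def run_batch(send, requests, limiter, sleep=time.sleep):
    """Process a batch one item at a time. A failure is retried for that item
    only; an item that still fails is reported and the rest of the batch continues."""
    results, failed = {}, {}
    for key, request in requests.items():
        try:
            results[key] = call_with_backoff(send, request, limiter, sleep=sleep)
        except (ClientError, GaveUp) as exc:
            failed[key] = str(exc)
    return results, failed


def scripted_send(script):
    """Constructed stand-in for the HTTP transport: each request pops the next
    scripted (status, headers, body) reply; the last reply repeats."""
    def send(request):
        replies = script[request]
        return replies.pop(0) if len(replies) > 1 else replies[0]
    return send
```

Injecting `clock` and `sleep` keeps the helper testable without waiting, and a real deployment would replace `scripted_send` with the actual HTTP call while leaving the limiter and retry logic unchanged.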
2. Signed Partner Agreement
Contact our Partnership Manager to complete.
3. Completed Cyber Questionnaire and Security Assessment
You will need to complete an assessment/questionnaire to ensure that your integration complies with our standards. Our Partnership Manager will facilitate this step to satisfy the group IT Security and Cyber review sign-off.
- Partner information: details of the Partner, the application/product, data centre locations, third parties involved, penetration test frequency, etc.
- Partner certifications: which verifiable certifications or independent audit reports you currently hold, e.g. ISO 27001, SSAE 16 SOC 1, SOC 2 or SOC 3, PCI DSS, or whether you are currently a DSP with the ATO, to ensure that your integration is compliant.
- Partner questionnaire: details of your application's key management, encryption in transit and encryption at rest, MFA, indirect access to data, vulnerability management and audit logging, plus additional information about onshore hosting, security monitoring, backups and incident management.
After the security questionnaire is completed, the Class compliance and cyber security teams will review the assessment. Upon successful review, Class will provide production API keys.
Partners are subject to annual audit of these controls as per the Partner Agreement.