Security Guidelines

Understand LocallyGrown's security architecture, best practices for secure integrations, and how to protect sensitive data when building applications and integrations.

Security Architecture Overview

LocallyGrown implements a comprehensive security framework designed to protect customer data, payment information, and business operations. Our security approach follows industry best practices and compliance standards.

🔐 Authentication & Authorization

Multi-factor authentication, role-based access control, and secure session management protect against unauthorized access.

🛡️ Data Protection

End-to-end encryption, secure data storage, and privacy controls ensure sensitive information remains protected.

🔍 Monitoring & Detection

Real-time security monitoring, threat detection, and automated incident response protect against emerging threats.

✅ Compliance

PCI DSS compliance for payment processing, GDPR compliance for data privacy, and SOC 2 certification for security controls.

Authentication Methods

API Key Authentication

Primary method for server-to-server integrations:

  • Secret keys - Use secret keys for server-side operations
  • Publishable keys - Use publishable keys for client-side operations
  • Key rotation - Regularly rotate API keys for security
  • Environment separation - Use different keys for development and production

API Key Usage Example

// Server-side API call with secret key
const response = await fetch('https://api.locallygrown.net/v1/orders', {
  headers: {
    'Authorization': 'Bearer sk_live_abc123...',
    'Content-Type': 'application/json'
  }
});

// Client-side operation with publishable key
const stripe = Stripe('pk_live_xyz789...');

OAuth 2.0

Secure third-party application access:

  • Authorization code flow - For web applications
  • Client credentials flow - For service-to-service communication
  • Scoped access - Limited permissions based on granted scopes
  • Token expiration - Access tokens expire automatically

OAuth 2.0 Flow Example

// Step 1: Redirect user to authorization URL
const authUrl = 'https://auth.locallygrown.net/oauth/authorize?' +
  'client_id=your_client_id&' +
  'response_type=code&' +
  'scope=read_orders write_products&' +
  'redirect_uri=https://yourapp.com/callback';

// Step 2: Exchange authorization code for access token
const tokenResponse = await fetch('https://auth.locallygrown.net/oauth/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    client_id: 'your_client_id',
    client_secret: 'your_client_secret',
    code: 'authorization_code',
    grant_type: 'authorization_code'
  })
});

Data Encryption

Encryption in Transit

  • TLS 1.3 - All API communications encrypted with latest TLS
  • Certificate pinning - Additional protection against man-in-the-middle attacks
  • HSTS headers - Enforces HTTPS connections
  • Perfect forward secrecy - Session keys are not compromised if private keys are exposed

Encryption at Rest

  • Database encryption - All databases encrypted with AES-256
  • File storage encryption - Documents and images encrypted in storage
  • Key management - Encryption keys managed with AWS KMS
  • Field-level encryption - Additional encryption for sensitive fields like payment data

Best Practices for Developers

  • Always use HTTPS - Never send sensitive data over HTTP
  • Validate certificates - Don't ignore SSL certificate warnings
  • Use secure random generators - For generating tokens and secrets
  • Hash passwords - Use bcrypt or similar secure hashing algorithms
  • Encrypt sensitive data - Encrypt PII and payment information

Access Control

Role-Based Access Control (RBAC)

LocallyGrown implements granular permissions based on user roles:

Market Manager

  • Market administration
  • User management within market
  • Financial reporting
  • Configuration settings

Grower

  • Product management
  • Order fulfillment
  • Sales reporting
  • Customer communication

Customer

  • Product browsing
  • Order placement
  • Account management
  • Order history

API Permissions

API access is controlled through scoped permissions:

  • read:orders - View order information
  • write:orders - Create and modify orders
  • read:customers - Access customer data
  • write:products - Manage product catalog
  • read:analytics - Access reporting data

Payment Security

PCI DSS Compliance

LocallyGrown maintains PCI DSS Level 1 compliance through our payment processor partnerships:

Secure Network

  • Firewall protection for cardholder data
  • Secure network architecture
  • Regular security assessments

Data Protection

  • Strong encryption for cardholder data
  • Secure key management
  • Limited data retention

Access Control

  • Unique user IDs for each person
  • Multi-factor authentication
  • Regular access reviews

Monitoring

  • Continuous network monitoring
  • Regular security testing
  • Incident response procedures

Secure Payment Processing

  • Tokenization - Card numbers replaced with secure tokens
  • 3D Secure - Additional authentication for online card payments
  • Fraud detection - Machine learning algorithms detect suspicious transactions
  • Secure webhooks - Payment events delivered with verified signatures

API Security Best Practices

Secure API Integration

  • Use HTTPS everywhere - Never send API keys over HTTP
  • Validate webhook signatures - Verify all incoming webhook events
  • Implement rate limiting - Protect against abuse and attacks
  • Input validation - Sanitize and validate all input data
  • Error handling - Don't expose sensitive information in error messages

API Key Management

✅ Do

  • Store API keys in environment variables
  • Use different keys for different environments
  • Rotate keys regularly (every 90 days)
  • Monitor API key usage
  • Restrict API key permissions to minimum required

❌ Don't

  • Hard-code API keys in source code
  • Share API keys via email or chat
  • Use production keys in development
  • Log API keys in application logs
  • Use the same key across multiple applications

Secure API Key Storage

// ✅ Good: Environment variable
const apiKey = process.env.LOCALLYGROWN_API_KEY;

// ✅ Good: Secure configuration
const config = {
  apiKey: process.env.LG_SECRET_KEY,
  apiUrl: process.env.LG_API_URL || 'https://api.locallygrown.net/v1'
};

// ❌ Bad: Hard-coded in source
const apiKey = 'sk_live_abc123...'; // Never do this!

// ❌ Bad: Committed to version control
const config = {
  apiKey: 'sk_live_xyz789...' // Don't commit secrets!
};

Webhook Security

Webhook Signature Verification

Always verify webhook signatures to ensure authenticity:

Signature Verification Implementation

const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  // Extract the timestamp and signatures from the header
  const elements = signature.split(',');
  const timestamp = elements.find(el => el.startsWith('t=')).split('=')[1];
  const signatures = elements.filter(el => el.startsWith('v1='));

  // Create the signed payload
  const signedPayload = timestamp + '.' + payload;

  // Create expected signature
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(signedPayload, 'utf8')
    .digest('hex');

  // Compare signatures
  return signatures.some(sig => {
    const providedSig = sig.split('=')[1];
    return crypto.timingSafeEqual(
      Buffer.from(expectedSignature, 'hex'),
      Buffer.from(providedSig, 'hex')
    );
  });
}

// Express.js middleware example
app.post('/webhook', express.raw({type: 'application/json'}), (req, res) => {
  const signature = req.headers['locallygrown-signature'];
  const payload = req.body;

  if (!verifyWebhookSignature(payload, signature, process.env.WEBHOOK_SECRET)) {
    return res.status(401).send('Unauthorized');
  }

  // Process webhook safely
  res.status(200).send('OK');
});

Webhook Security Checklist

  • ✓ Always verify webhook signatures
  • ✓ Use HTTPS endpoints only
  • ✓ Implement idempotency to handle duplicate events
  • ✓ Log webhook events for debugging
  • ✓ Handle webhook secrets securely
  • ✓ Implement proper error handling
  • ✓ Rate limit webhook endpoints

Data Privacy and GDPR

Data Protection Principles

  • Data minimization - Collect only necessary personal data
  • Purpose limitation - Use data only for stated purposes
  • Storage limitation - Retain data only as long as necessary
  • Accuracy - Keep personal data accurate and up to date
  • Security - Implement appropriate technical safeguards

User Rights

Right to Access

Users can request copies of their personal data

Right to Rectification

Users can correct inaccurate personal data

Right to Erasure

Users can request deletion of their personal data

Right to Portability

Users can export their data in a structured format

Privacy by Design

  • Default privacy settings - Most restrictive settings by default
  • Explicit consent - Clear opt-in for data processing
  • Data anonymization - Remove or pseudonymize personal identifiers
  • Regular audits - Review data handling practices

Security Monitoring

Threat Detection

  • Anomaly detection - Machine learning identifies unusual patterns
  • Failed login monitoring - Track and block brute force attempts
  • API abuse detection - Identify and mitigate API attacks
  • Geographic restrictions - Block access from suspicious locations

Incident Response

  • 24/7 monitoring - Continuous security monitoring
  • Automated alerts - Immediate notification of security events
  • Incident classification - Severity-based response procedures
  • Forensic analysis - Detailed investigation of security incidents

Security Monitoring Tools

  • SIEM systems - Centralized security event monitoring
  • Intrusion detection - Network and host-based monitoring
  • Vulnerability scanning - Regular security assessments
  • Penetration testing - Annual third-party security testing

Security Compliance

Compliance Standards

SOC 2 Type II

Independent audit of security controls and processes

  • Security principles
  • Availability controls
  • Processing integrity
  • Confidentiality measures

PCI DSS Level 1

Highest level of payment card security compliance

  • Secure network architecture
  • Strong access controls
  • Regular monitoring
  • Information security policy

GDPR Compliance

European data protection regulation compliance

  • Lawful basis for processing
  • Data subject rights
  • Privacy by design
  • Data breach notification

Regular Assessments

  • Annual audits - Independent security assessments
  • Quarterly reviews - Internal security reviews
  • Continuous monitoring - Ongoing security validation
  • Compliance reporting - Regular compliance status updates

Reporting Security Issues

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email security team - [email protected]
  • Provide details - Clear description and reproduction steps
  • Allow time to fix - Give reasonable time for remediation
  • Avoid public disclosure - Don't publish vulnerabilities publicly

Bug Bounty Program

LocallyGrown operates a private bug bounty program with select security researchers. Qualified vulnerabilities are eligible for rewards based on severity and impact.

🚨 Security Contact: For urgent security issues, contact our security team immediately at [email protected] or call our 24/7 security hotline.

Security First Development

Security is everyone's responsibility. Follow these guidelines and stay informed about emerging threats to keep LocallyGrown secure for all users.

Webhook Security Secure Integrations Troubleshooting