
Certification checklist


My application is ready, what should I consider before I ask for a certification test?

Security

  • All redirection URLs and all URLs embedded in web panels are secure: run Qualys SSL Labs - SSL Server tests and aim for an A
  • SSL 2.0 and 3.0 are disabled
  • TLS 1.2 is supported
  • All data is validated on input and escaped on output
  • The application uses federated authentication and validates all tokens received from SuperOffice
  • Absolutely no user credential authentication information is stored in your application
  • Visibility restrictions are preserved when you copy data. For example, copied documents with private visibility must remain intact.
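The federated-authentication item above says to validate every token received from SuperOffice. The block below is an added example (Python, not SuperOffice's own code or SDK) showing the checks a validator has to make in the right order: pin the algorithm, verify the signature, then check expiry, issuer and audience. The issuer, audience, algorithm and key are constructed placeholders so the example runs offline; the real values and algorithm come from the SuperOffice federated-authentication documentation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. The real issuer, audience,
# signing algorithm and key come from the SuperOffice federated-authentication
# documentation, not from here.
EXPECTED_ISSUER = "https://idp.example.invalid"        # hypothetical
EXPECTED_AUDIENCE = "my-app-client-id"                 # hypothetical
SHARED_SECRET = b"constructed-hs256-secret-for-demo"   # hypothetical HS256 key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Build a JWT so the validator has input to work on offline (test helper)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise.

    Order matters: pin the algorithm and verify the signature before trusting
    any claim, then check expiry, issuer and audience.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    return claims


def token_is_valid(token: str, now=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_token(token, now=now)
        return True
    except ValueError:   # covers bad base64, bad JSON and every check above
        return False
```

The validator rejects a token whose header names a different algorithm before looking at the signature, which is what prevents the "alg: none" and key-confusion mistakes; the claims are only parsed after the signature has been verified.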

Provisioning

  • Workflow for giving consent to the tenant is implemented
  • The installation process must programmatically set up all elements such as web panels and user-defined fields. Administrators should not have to manually configure any elements post-installation.

Error handling

  • The application handles scenarios where access to the customer's database is lost, such as when the application is revoked. Check the tenant status page.
  • Have an error handler page. Don't expose your code and display the "Yellow screen of death".

Protect your web panels

  • Information doesn't leak via web panels (and thus get forwarded to others who are not authorized)
  • The context identifier template variable (uctx) and also the User login associate ID (usid) are part of the URL of all web panels you add
  • usec is never passed as a parameter in the URL
  • Visibility is set to all user groups by default
  • The application name and/or your company name is part of the web panel's description
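The web panel rules above are easy to check mechanically before you register a panel. The block below is an added example (Python, not SuperOffice code) that audits a web panel URL template for the checklist's rules: https only, `uctx` and `usid` present, `usec` never in the URL, and the application name in the description. It assumes template variables are written as `<name>` inside the URL; the names `uctx`, `usid` and `usec` are from the checklist, the host and paths are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Variables named in the checklist. The <name> syntax for template variables is
# an assumption of this example; confirm it against the web panel documentation.
REQUIRED_VARS = {"uctx", "usid"}   # context identifier and the user's associate id
FORBIDDEN_VARS = {"usec"}          # must never travel in a URL
TEMPLATE_VAR = re.compile(r"<(\w+)>")


def audit_web_panel_url(url: str) -> list:
    """Return a list of problems with a web panel URL template; empty means it passes."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    used = {v.lower() for v in TEMPLATE_VAR.findall(url)}
    query_keys = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    for var in sorted(REQUIRED_VARS):
        if var not in used:
            problems.append(f"missing template variable <{var}>")
    for var in sorted(FORBIDDEN_VARS):
        if var in used or var in query_keys:
            problems.append(f"<{var}> must never be passed in the URL")
    return problems


def audit_web_panel(url: str, description: str, app_name: str) -> list:
    """URL checks plus the naming rule: the description must identify the app."""
    problems = audit_web_panel_url(url)
    if app_name.lower() not in description.lower():
        problems.append("description does not name the application")
    return problems


def compliant_panel_url(base: str, panel_path: str) -> str:
    """Build a template that carries uctx and usid and nothing secret."""
    return f"{base.rstrip('/')}/{panel_path.lstrip('/')}?uctx=<uctx>&usid=<usid>"
```

Running the audit in a unit test against every panel your installer registers catches a stray `usec` or a missing `usid` before a certification reviewer does.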

Cookies

  • The Secure and HttpOnly flags are set
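As an added example (Python standard library, not SuperOffice code), the block below builds a session cookie with the two flags the checklist requires and audits an arbitrary `Set-Cookie` header value so the check can run in tests against what your application actually emits. The cookie name and value are constructed; `SameSite` is an extra attribute beyond the checklist.

```python
from http.cookies import SimpleCookie


def cookie_problems(set_cookie_value: str) -> list:
    """Inspect one Set-Cookie header value; return the flags it lacks."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    # parts[0] is name=value; the rest are attributes, some with values (Path=/).
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")     # cookie would be sent over plain http
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")   # cookie would be readable from script
    return problems


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value with the flags the checklist requires."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    cookie[name]["samesite"] = "Lax"   # not on the checklist; limits cross-site sends
    return cookie[name].OutputString()
```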

Limit your searches

  • API calls don't choke the database
  • Ensure the user types at least 3 characters before you start searching for contacts, persons, email addresses, selections, and similar

System user and important rules

  • Never rename the owner company (contact.name field for the company with contact_id found in the Company database table). If you do, our license check fails and all users are locked out!
  • Persons may be associates - if they have a row in the associate table then:
    • don't update a person's company (person.contact_id)

Warning

You must protect the customer database from total destruction, which will require Online Operations to update the database manually. Use the system user with great caution.
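Both rules above can be enforced in one place: a guard that every system-user write goes through. The block below is an added example (Python, with constructed in-memory stand-ins for the contact, person and associate tables; not SuperOffice code) that refuses to rename the owner company and refuses to change `person.contact_id` for a person who has an associate row. The owner company's id is hard-coded here as an assumption; in a real integration look it up from the database.

```python
from copy import deepcopy

# Constructed in-memory stand-ins for the contact, person and associate tables.
# OWNER_CONTACT_ID is an assumption of this example: in practice look up the
# owner company's contact_id in the Company table instead of hard-coding it.
OWNER_CONTACT_ID = 1
_contacts = {1: {"name": "Owner Company AS"}, 2: {"name": "Customer Ltd"}}
_persons = {10: {"contact_id": 1, "firstname": "Ann"}, 11: {"contact_id": 2, "firstname": "Bob"}}
_associates = {100: {"person_id": 10}}   # person 10 is also a CRM user
_TABLES = {"contact": _contacts, "person": _persons}


def is_associate(person_id: int) -> bool:
    return any(row["person_id"] == person_id for row in _associates.values())


def check_contact_update(contact_id: int, changes: dict) -> None:
    """Rule 1: the owner company's name is off limits; renaming it breaks the license check."""
    if contact_id == OWNER_CONTACT_ID and "name" in changes:
        raise PermissionError("refusing to rename the owner company")


def check_person_update(person_id: int, changes: dict) -> None:
    """Rule 2: a person who is an associate keeps their company (person.contact_id)."""
    if "contact_id" in changes and is_associate(person_id):
        raise PermissionError("refusing to move an associate to another company")


_GUARDS = {"contact": check_contact_update, "person": check_person_update}


def apply_update(table: str, row_id: int, changes: dict) -> dict:
    """Run the table's guard, then apply the change; returns a copy of the updated row."""
    _GUARDS[table](row_id, changes)
    _TABLES[table][row_id].update(changes)
    return deepcopy(_TABLES[table][row_id])


def try_update(table: str, row_id: int, changes: dict) -> bool:
    """True if the update was applied, False if a guard blocked it."""
    try:
        apply_update(table, row_id, changes)
        return True
    except PermissionError:
        return False


def get_row(table: str, row_id: int) -> dict:
    return deepcopy(_TABLES[table][row_id])
```

The guard runs before the write, so a blocked update leaves the row untouched; log each refusal with the caller and the attempted change, since a system-user integration that repeatedly hits these guards usually has a mapping bug upstream.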

GDPR - creating persons

  • When you create a new contact person, you should allow the customer to choose from their own list of Privacy - Source, but you must set a default value (Other integration with key API) so it is never left as unknown

GDPR - marketing consent

  • The application checks the contact person's e-marketing consent before sending out e-marketing mailings

Language support

  • For multi-lingual support, add list items in the format NO: "Bil", US: "Car"

Logging

  • You have enabled logging and keep the logs for at least the minimum amount of time, 3 months

Maintenance window

  • You will handle unavailability scenarios such as when CRM Online is not available

Tenants

  • The application checks the status page of the customer's tenant before performing actions, to ensure stability
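This item and the error-handling item about lost database access (for example when the application is revoked) describe one decision a scheduled job has to make before every run. The block below is an added example (Python, not SuperOffice code) that turns a tenant status document into an action and maps API failures to "retry" or "stop". The status field names `State`, `IsRunning` and `ValidUntil` and the sample documents are assumptions constructed for this example; confirm the actual format against the tenant status page documentation.

```python
import json
from datetime import datetime

# Constructed sample status documents. The field names used here (State,
# IsRunning, ValidUntil) are assumptions about the status page format.
SAMPLE_STATUS_RUNNING = json.dumps({
    "ContextIdentifier": "Cust00000",
    "State": "Running",
    "IsRunning": True,
    "ValidUntil": "2030-01-01T00:00:00Z",
})
SAMPLE_STATUS_MAINTENANCE = json.dumps({
    "ContextIdentifier": "Cust00000",
    "State": "Maintenance",
    "IsRunning": False,
    "ValidUntil": "2030-01-01T00:00:00Z",
})


def _parse_time(text: str) -> datetime:
    # fromisoformat only accepts a 'Z' suffix from Python 3.11; normalise it first.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def decide(status_json: str, now_iso: str) -> str:
    """Decide what a job should do with this tenant right now.

    'proceed'  tenant is running and the cached status is still valid
    'refresh'  the cached status has passed ValidUntil; fetch it again first
    'defer'    tenant is not running (maintenance, stopped, ...); try later
    """
    doc = json.loads(status_json)
    if _parse_time(now_iso) >= _parse_time(doc["ValidUntil"]):
        return "refresh"
    return "proceed" if doc.get("IsRunning") else "defer"


def on_api_failure(http_status: int) -> str:
    """Map an API error to an action; 401/403 usually means access was revoked."""
    if http_status in (401, 403):
        return "stop"    # consent gone: disable the tenant and alert an operator, don't retry blindly
    if http_status in (429, 502, 503, 504):
        return "retry"   # transient: back off and re-check the status page
    return "fail"        # anything else: log with context and surface the error
```

Caching the status document until its `ValidUntil` keeps the status page from becoming the thing your API calls choke on; the "stop" branch is what prevents a revoked application from hammering a tenant it no longer has consent for.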

Requirements by category

  • Business
  • Security
  • Design
  • Marketing
  • Technical
  • Localization

I'm good to go!

Sign me up for certification

© SuperOffice. All rights reserved.