Information Security Policy
1. Purpose
This Information Security Policy establishes the security principles, responsibilities, and controls applied to Integra3D, a web application that helps sellers manage marketplace listings and orders across Mercado Livre, Shopee, and TikTok Shop.
The policy supports the protection of customer data, marketplace credentials, and business information in line with Brazilian Lei Geral de Proteção de Dados (LGPD) and partner security requirements, including TikTok Shop API compliance.
2. Scope
This policy applies to:
- The production environment hosted on a Virtual Private Server (VPS)
- The Integra3D application (PHP backend, MySQL database, web frontend)
- Marketplace API integrations (Mercado Livre, Shopee, TikTok Shop)
- Development workstations used to build and maintain the system
- Optional local automation components (e.g., TikTok RPA bridge) running on the developer’s or customer’s machine
This policy does not cover infrastructure operated solely by third-party marketplaces (TikTok, Mercado Livre, Shopee).
3. Organizational Context
Integra3D is developed and operated by a single independent software developer based in Brazil.
- No employees, contractors, or third parties have access to production systems, source repositories, or customer databases.
- The developer acts as system administrator, security contact, and privacy contact.
- The organization does not hold ISO 27001, ISO 27701, or SOC 2 certifications.
4. Security Objectives
Integra3D aims to:
- Protect the confidentiality, integrity, and availability of customer and marketplace data
- Prevent unauthorized access to systems and credentials
- Detect and respond to security incidents in a timely manner
- Apply the principle of least privilege across development and production environments
- Comply with applicable Brazilian data protection law (LGPD)
5. Information Classification

| Classification | Examples | Handling |
|---|---|---|
| Public | Marketing pages, public API documentation | May be shared openly |
| Internal | Application source code, deployment scripts | Access limited to the developer |
| Confidential | Customer account data, order information, product drafts | Encrypted in transit; access restricted; deleted when the business relationship ends |
| Restricted | Marketplace OAuth tokens, API secrets, encryption keys, database credentials | Encrypted at rest (marketplace tokens); stored in environment configuration on the server; not logged in plain text |

6. Technical Security Controls
6.1 Network and Transport Security
- All production communications use HTTPS (TLS).
- Marketplace API calls are made server-side over encrypted channels.
- Production database access is not exposed to the public internet.
6.2 Application Security
- User authentication uses password hashing and server-side session tokens.
- Marketplace credentials are stored per user and encrypted at rest using AES-256-GCM.
- Protected API endpoints enforce authentication and user-level authorization so one customer cannot access another’s data.
- Marketplace API proxy routes require a valid Integra3D session before forwarding requests.
- OAuth state tokens are short-lived and tied to the authenticated user.
6.3 Infrastructure Security
- The application runs on a dedicated VPS with firewall rules limiting exposed services.
- Operating system and application components are updated as security patches become available.
- Database backups are maintained for business continuity and protected with the same access restrictions as production.
6.4 Development Environment Security
- Development machines run Windows Defender and Norton Antivirus.
- Source code and secrets are not shared with third parties.
- Production credentials are not used on unsecured or shared devices.
6.5 Local Automation (Optional)
Where a local RPA bridge is used for TikTok Shop workflows, it runs on the user’s machine, communicates over localhost, and does not replace server-side credential storage or HTTPS protections for the web application.
7. Data Handling
- Customer data is collected only for the purpose of providing Integra3D services.
- Data is retained only for the duration of the business relationship and applicable legal obligations.
- Customer data is deleted when the business relationship ends, including account records, marketplace tokens, product drafts, and associated history, unless retention is required by law.
8. Third-Party Services
Integra3D integrates with external marketplace APIs. Data shared with these platforms is limited to what is necessary for listing management, order synchronization, and authorized API operations. Each marketplace maintains its own security and privacy terms.
9. Roles and Responsibilities

| Role | Responsibility |
|---|---|
| Developer / Administrator | Implements controls, monitors systems, responds to incidents, reviews this policy |
| Customers | Protect account passwords, authorize marketplace connections, report suspected misuse |

There is no dedicated Data Protection Officer (DPO). Privacy and security inquiries are handled directly by the operator (see Privacy Policy).
10. Policy Compliance
Violations of this policy may result in suspension of customer accounts, revocation of marketplace tokens, or permanent deletion of data.
11. Related Documents
- Privacy Policy
- Personal Information Protection Standard
- Access Control Policy
- Incident Response Policy
12. Document Control

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | June 2026 | Integra3D | Initial release |

Contact: https://integra3d.recolor.com.br/ — caio_fekete@hotmail.com