Security Responsibilities
Security is shared. SenteRail protects the platform side of enabled products; your team protects your credentials, webhook receivers, customer data, and business-state transitions.
Required Integration Controls
- Store API keys and webhook secrets server-side.
- Separate sandbox and live credentials.
- Verify every SenteRail webhook signature.
- Use idempotency keys for mutating requests.
- Dedupe webhook events before applying state changes.
- Log references without exposing secrets or unnecessary personal data.
- Restrict production credentials to approved environments.
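The signature and dedupe controls above, sketched as a webhook receiver. This is an added example, not SenteRail code: the hex HMAC-SHA256 scheme over the raw body, the `id` and `type` event fields, and every name below are assumptions, so substitute the scheme and event shape SenteRail documents for your product.

```python
import hashlib
import hmac
import json

# Constructed secret for illustration; load the real one from server-side config.
WEBHOOK_SECRET = b"whsec_constructed_example"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    # Assumed scheme: hex HMAC-SHA256 over the exact raw request bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Verify first, dedupe second, apply state changes last."""

    def __init__(self, secret: bytes):
        self._secret = secret
        # In production use a durable store with a unique constraint on the
        # event id, written in the same transaction as the state change.
        self._seen_event_ids = set()
        self.applied = []  # stands in for business-state transitions

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        # 1. Authenticate the raw bytes before parsing anything.
        expected = compute_signature(self._secret, raw_body)
        # compare_digest runs in constant time, so the comparison does not
        # leak how many leading characters matched.
        if not signature_hex or not hmac.compare_digest(
            expected.encode(), signature_hex.encode()
        ):
            return "rejected"
        # 2. Parse only after the signature checks out.
        try:
            event = json.loads(raw_body)
        except ValueError:
            return "malformed"
        if not isinstance(event, dict) or not isinstance(event.get("id"), str):
            return "malformed"
        # 3. Dedupe: retries and redeliveries must not re-apply state.
        if event["id"] in self._seen_event_ids:
            return "duplicate"
        self._seen_event_ids.add(event["id"])
        # 4. Apply the change; record references only, never the secret.
        self.applied.append((event["id"], event.get("type")))
        return "applied"
```

Pass the handler the request body exactly as received; re-serializing parsed JSON before verification changes the bytes and breaks the comparison.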
Data Handling
Collect only the data your integration needs. Keep personal data out of logs unless it is required for support, compliance, or reconciliation. Confirm the legal and contractual basis for any customer, member, or identity data you process.
Production Readiness
Before production traffic, confirm:
- credential owner and rotation process
- webhook receiver monitoring
- retry and duplicate-event behavior
- reconciliation owner and schedule
- support escalation path
- legal documents and commercial approval
Legal And Enforcement Layer
Merchant, SACCO, plugin, and partner integrations are governed by the signed agreement and the public Legal Center. SenteRail may require remediation, disable access, rotate credentials, or delay launch where insecure implementation or unsupported use creates risk.