Encryption in transit
Production traffic is served over HTTPS so data moving between the browser, application and external services is encrypted in transit.
D3 Seller applies practical controls in the product architecture without claiming certifications or audit statuses that have not been verified.

These statements reflect the current application architecture and codebase.
Production traffic is served over HTTPS so data moving between the browser, application and external services is encrypted in transit.
Amazon and Noon connector credentials and tokens are encrypted before database storage and are not returned to the user interface.
Signed sessions identify the panel, user, role and tenant. Client roles are checked against operations, finance and administration areas.
Protected client routes resolve tenant context from the authenticated session, and tenant-scoped records require that context.
Session keys, connector encryption keys, marketplace credentials and email keys are supplied through runtime environment variables, not source code.
The data model records tenant and platform actions for access, connectors, inventory, costing, purchasing, exports and owner operations.
Session cookies are signed, HTTP-only, same-site and secure in production, with panel separation between client and SaaS owner controls.
Support and owner connector views expose status and job metadata without displaying decrypted marketplace credentials.
Security reports are triaged, access or connector credentials can be revoked, and affected services can be paused while an issue is investigated.
Dependencies, application changes and exposed routes are reviewed as part of maintenance. Responsible disclosures can be sent directly to the security team.
Marketplace buyer information is limited to the operational purpose for which it is received and is not sold or used for advertising.
Records are kept only for account operation, financial evidence, legal obligations and security needs, then deleted or anonymized when no longer required.
Include the affected URL or feature, a clear description, steps to reproduce and the potential impact. Do not access or alter data that does not belong to you.
This page does not claim ISO 27001, SOC 2, PCI DSS or government accreditation. When an independent certification or audit is completed, the exact scope and date can be published here.
Ask for a focused review of marketplace authorization, credential storage, tenant access and role boundaries.