My application is ready, what should I consider before I ask for a certification test?
- The workflow for giving consent to the tenant is implemented.
- The installation process must programmatically set up all elements such as web panels and user-defined fields. Administrators should not have to manually configure any elements post-installation.
- The application handles scenarios where access to the customer's database is lost, such as when the application is revoked. Check the tenant status page.
- Have an error handler page. Don't expose your code or display the "Yellow screen of death".
Protect your web panels
- Information doesn't leak via web panels (and thus get forwarded to others who are not authorized)
- The context identifier template variable (uctx) and the User login associate ID (usid) are part of the URL of all web panels you add
- usec is never passed as a parameter in the URL
- Visibility is set to all user groups by default
- The application name and/or your company name is part of the web panel's description
- The Secure and HttpOnly cookie flags are set
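
A pre-certification self-check for the web panel items above, as an added example (not SuperOffice's or this page's own code). It assumes template variables are written as `<name>` in the panel URL; the function names, URLs, descriptions and cookie value are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: template variables are written as <name> in the panel URL.
TEMPLATE_VAR = re.compile(r"<([a-z]+)>")
REQUIRED_VARS = {"uctx", "usid"}   # must be part of every web panel URL
FORBIDDEN_VARS = {"usec"}          # must never be passed in the URL


def check_panel_url(url):
    """Return findings for one web panel URL template."""
    used = set(TEMPLATE_VAR.findall(url))
    findings = [f"missing <{n}> in URL" for n in sorted(REQUIRED_VARS - used)]
    # Also catch usec passed under its own name with a literal value.
    params = {k.lower() for k, _ in parse_qsl(urlsplit(url).query,
                                              keep_blank_values=True)}
    if FORBIDDEN_VARS & (used | params):
        findings.append("usec must not be passed in the URL")
    return findings


def check_description(description, names):
    """The application and/or company name must appear in the description."""
    if any(n.lower() in description.lower() for n in names):
        return []
    return ["description names neither the application nor the company"]


def check_set_cookie(header_value):
    """Return findings for one Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    return [f"cookie lacks {flag}" for flag in ("Secure", "HttpOnly")
            if flag.lower() not in attrs]


if __name__ == "__main__":
    # Constructed sample data, not taken from a real application.
    names = ["Example App", "Example Ltd"]
    panels = [
        ("https://app.example.com/p?ctx=<uctx>&usid=<usid>", "Example App panel"),
        ("https://app.example.com/p?ctx=<uctx>&sec=<usec>", "Sales dashboard"),
    ]
    for url, description in panels:
        issues = check_panel_url(url) + check_description(description, names)
        print(url, "->", issues or "ok")
    print(check_set_cookie("session=abc123; Path=/; HttpOnly"))
```
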
Limit your searches
- API calls don't choke the database
- Ensure the user types at least 3 characters before you start searching for contacts, persons, email addresses, selections, and similar
System user and important rules
- Never rename the owner company (contact.name field for the company with contact_id found in the Company database table). If you do, our license check fails and all users are locked out!
- Persons may be associates. If they have a row in the associate table, then:
  - don't update a person's company (person.contact_id)
  - don't update a person's email address if the customer is not yet using SuperId
  - don't add the same email address to multiple persons who are associates if the customer is not yet using SuperId
You must protect the customer database from total destruction, which would require Online Operations to update the database manually. Use the system user with great caution.
GDPR - creating persons
- When you create a new contact person, you should allow the customer to choose from their own list of Privacy - Source values, but you must set a default value, "Other integration" with key "API", so it is never left as unknown
GDPR - marketing consent
- The application checks the contact person's e-marketing consent before sending out e-marketing mailings
- The application handles unavailability scenarios, such as when CRM Online is not available
- The application checks the status page of the customer's tenant prior to performing actions to ensure stability
I'm good to go!
Sign me up for certification