Security
:::info Source
Sourced from services/marketplace-service/SECURITY_MODEL.md in the documentation repo.
:::
1. Authentication
- JWT from identity-service.
- S2S mTLS for billing-service, enrollment-service, content-service interactions.
2. Authorization
Scopes: marketplace:listing:write (provider_admin), marketplace:order:write (authenticated user), marketplace:license:grant (internal), marketplace:admin (platform_admin for moderation).
ABAC: provider can only edit listings for their own tenant; buyer can only see own orders; admin can moderate cross-tenant listings.
3. Multi-Tenant Isolation
- Listings scoped by providerTenantId.
- Orders scoped by buyerTenantId (may differ from provider).
- Licenses scoped by both (provider revenue, buyer ownership).
- RLS enforced per table with complex policies (buyer vs provider perspectives).
4. PCI Scope
- Tokenized cards only; raw card data never touches marketplace.
- Payment tokens from billing-service (PCI DSS compliant) via saga.
- Refund workflows use same tokens; no card storage.
5. KYC (Know Your Customer)
- Provider onboarding requires: business verification, bank details (routing + account), tax ID (W-9/W-8BEN).
- Verification via 3rd-party KYC provider (Persona, Onfido).
- Providers can list only after KYC is verified.
- PII minimized; raw docs not stored (only verification decision + reference).
6. Revenue Share & Payouts
- 15% platform share (configurable per tenant contract).
- Payouts via billing-service (ACL to Stripe Connect or equivalent).
- Provider payout account data in billing-service, not marketplace.
7. Fraud Prevention
- Velocity checks on orders (same buyer, rapid-fire → flag).
- Unusual pricing flagged (e.g., $0 or $99999).
- 3-D Secure challenge via billing on high-risk orders.
- Refund abuse detection (refund rate > 20% for a buyer → review).
8. Threat Model
| Threat | Mitigation |
|---|---|
| Cross-tenant listing theft (copying content) | Provider IP protection; DMCA takedown flow |
| Fake reviews / rating manipulation | Purchase-gated reviews; anomaly detection |
| Coupon abuse | Per-user usage limits; expiry enforcement |
| Chargeback abuse | 3DS; evidence collection |
| Listing of illegal content | Submitted listings require admin approval for sensitive categories |
| SQL injection via filters | Typed query parser |
| Cross-tenant order access | Buyer tenant match in JWT |
| License privilege escalation | Saga-only grants; no direct license creation API |
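The scope and tenant rules from the Authorization section, together with the "Cross-tenant order access" and "License privilege escalation" rows above, as an added illustration (this is example code, not the marketplace-service implementation). The JWT claim names (`sub`, `tenant_id`, `scope`) and the `internal` flag marking an mTLS service-to-service caller are assumptions.

```python
from dataclasses import dataclass

# Assumed shape of the identity-service JWT after validation:
# 'sub' is the user id, 'tenant_id' the caller's tenant, 'scopes' the granted
# scopes. 'internal' is True only for mTLS service-to-service callers
# (billing-service etc.), never for an end-user bearer token.
@dataclass(frozen=True)
class Principal:
    sub: str
    tenant_id: str
    scopes: frozenset
    internal: bool = False

@dataclass(frozen=True)
class Listing:
    id: str
    provider_tenant_id: str

@dataclass(frozen=True)
class Order:
    id: str
    buyer_id: str
    buyer_tenant_id: str

def can_edit_listing(p: Principal, listing: Listing) -> bool:
    """marketplace:admin moderates across tenants; a provider_admin with
    marketplace:listing:write may edit only listings of its own tenant."""
    if "marketplace:admin" in p.scopes:
        return True
    return ("marketplace:listing:write" in p.scopes
            and listing.provider_tenant_id == p.tenant_id)

def can_view_order(p: Principal, order: Order) -> bool:
    """A buyer sees only its own orders: the order's buyer tenant must match
    the tenant claim in the JWT, and the order must belong to the caller."""
    return order.buyer_tenant_id == p.tenant_id and order.buyer_id == p.sub

def can_grant_license(p: Principal) -> bool:
    """Licenses are granted only by the saga: the caller must be an internal
    mTLS service holding marketplace:license:grant. A user token carrying
    that scope is still refused, so there is no direct grant path."""
    return p.internal and "marketplace:license:grant" in p.scopes

if __name__ == "__main__":
    # Constructed sample: a provider_admin of tenant-a editing a foreign listing.
    provider = Principal("u1", "tenant-a", frozenset({"marketplace:listing:write"}))
    print(can_edit_listing(provider, Listing("l2", "tenant-b")))  # False
```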
9. Audit
- Order placed, payment succeeded, license granted, refund processed — all audit-logged.
- Daily Merkle anchor.
10. Compliance
- PCI DSS scope (SAQ-A via tokenization).
- Tax (Stripe Tax / TaxJar).
- GDPR erasure: orders, reviews, coupon usage.
- FTC revenue disclosure for marketplace (affiliate transparency).