Security
Security as a prerequisite, not an option.
PunchOut integrations carry sensitive data: technical credentials, contractual catalogs, orders. Gatebold protects every exchange with demanding security standards.
Exchange protection
Every call between the connector and the platform is signed and verified.
HMAC-SHA256 signatures
Every call between the Magento connector and the Gatebold platform is signed with HMAC-SHA256. The secret never travels over the network.
Signed JWT sessions
PunchOut sessions are protected by signed JWT tokens, not by session cookies that could be tampered with.
AES-256-GCM encrypted secrets
Shared secrets and credentials are encrypted at rest with AES-256-GCM. They are never stored in plain text, unlike modules that keep them in core_config_data.
Show-once credentials
Technical credentials are displayed only once, at creation. They cannot be viewed again afterwards, not even by an admin.
XXE protection
Incoming XML payloads are analyzed and sanitized to prevent XXE (XML External Entity) attacks. External entities are never resolved.
Strict cXML and OCI validation
The critical fields of every cXML or OCI request (From, To, Sender, SharedSecret, etc.) are validated before processing. No malformed payload gets through.
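As an added illustration of the two checks above (not Gatebold's own code), a Python intake routine that refuses any entity declaration in a cXML PunchOutSetupRequest before parsing it, then validates the From, To, Sender and SharedSecret fields; the identities, secret and sample request are constructed placeholder values.

```python
import hmac
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

class RejectedPayload(ValueError):
    """A payload that must not reach any business logic."""

def _reject_entities(xml_bytes: bytes) -> None:
    """Bare expat pass: entity declarations abort, external refs fail, the DTD named in DOCTYPE is never fetched."""
    parser = expat.ParserCreate()
    def on_entity_decl(*_):
        raise RejectedPayload("entity declarations are not accepted")
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *_: 0  # returning 0 makes expat fail the parse
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise RejectedPayload(f"malformed XML: {exc}") from exc

def validate_setup_request(xml_bytes: bytes, expected_secret: str) -> dict:
    """Return the From/To/Sender identities of a PunchOutSetupRequest, or raise RejectedPayload."""
    _reject_entities(xml_bytes)
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise RejectedPayload(f"malformed XML: {exc}") from exc
    header = root.find("Header") if root.tag == "cXML" else None
    if header is None or root.find("Request/PunchOutSetupRequest") is None:
        raise RejectedPayload("not a cXML PunchOutSetupRequest")
    fields = {}
    for name in ("From", "To", "Sender"):
        identity = header.findtext(f"{name}/Credential/Identity", "").strip()
        if not identity:
            raise RejectedPayload(f"missing {name} identity")
        fields[name] = identity
    secret = header.findtext("Sender/Credential/SharedSecret", "")
    # Constant-time comparison: a wrong secret must not be probed byte by byte.
    if not hmac.compare_digest(secret.encode(), expected_secret.encode()):
        raise RejectedPayload("SharedSecret mismatch")
    return fields

# Constructed sample (placeholder identities/secret); SAMPLE_XXE adds an internal-subset entity.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE cXML SYSTEM "http://xml.cxml.org/schemas/cXML/1.2.014/cXML.dtd">
<cXML payloadID="demo-1" timestamp="2024-01-01T00:00:00Z"><Header>
<From><Credential domain="NetworkId"><Identity>buyer-demo</Identity></Credential></From>
<To><Credential domain="NetworkId"><Identity>supplier-demo</Identity></Credential></To>
<Sender><Credential domain="NetworkId"><Identity>buyer-demo</Identity><SharedSecret>demo-secret</SharedSecret></Credential></Sender></Header>
<Request><PunchOutSetupRequest operation="create"/></Request></cXML>"""
SAMPLE_XXE = SAMPLE.replace(b'cXML.dtd">', b'cXML.dtd" [<!ENTITY ext SYSTEM "file:///x">]>')
```

The legitimate request keeps its external DOCTYPE reference (standard in cXML) and passes; the variant declaring an entity is refused before any element is read.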
Infrastructure
Isolation, traceability, hosting in France.
Isolated multi-tenant architecture
Each client has their own space, their own users, their own environments (sandbox / production). One client's data is never accessible to another.
Complete audit trail
Every action is logged: connection creation, mapping change, cXML or OCI exchange, error. The audit trail is browsable in the portal and exportable.
Rate limiting
Protection against abuse: rate limiting per IP and per connection. Excessive attempts are blocked automatically.
Data hosted in France
The infrastructure is hosted in France and is GDPR compliant. No data is transferred outside the EU for PunchOut transaction processing.
Security questions?
We respond to security questionnaires from enterprise clients and IT departments. Write to us for technical details.