Security & IT Information
Early AccessTechnical documentation for IT teams evaluating the Branch AutoCAD plugin.
Last security audit: January 2026 | Document version: 2.0 | Updated: February 2026
Authentication
OAuth 2.0 + PKCE
via Auth0
Data Storage
Local Only
No CAD files uploaded
Encryption
TLS 1.2+
All external traffic
Infrastructure
US-Based
Auth0 & Leaf Automation APIs
Product Overview
The Branch plugin is a drafting automation tool that runs as an AutoCAD plugin on Windows workstations. It automates solar construction document drafting — placing strings, routing homeruns, calculating circuit lengths, and generating tags.
What the Plugin Does
- Runs locally within Autodesk AutoCAD (requires user's AutoCAD license)
- Automates solar stringing with voltage window compliance
- Routes homeruns and calculates circuit/cable lengths
- Generates tags and labels directly in AutoCAD drawings
- Imports SolarEdge Designer PDFs for CAD-ready conversion
- Stores design data in standard AutoCAD DWG files (user-controlled)
What Data Leaves the Machine
| Data Type | Destination | Purpose |
|---|---|---|
| User email | Auth0, Leaf Automation APIs | Authentication & licensing |
| Usage telemetry | Google Cloud | Product analytics |
| Bug report data (optional) | Leaf Automation API | User-initiated bug reports only |
Important: CAD files, drawings, and project geometry are never uploaded to our servers. All design work remains local.
Authentication & Access Control
| Item | Implementation | Status |
|---|---|---|
| Authentication Method | OAuth 2.0 Authorization Code with PKCE (RFC 7636) | Secure |
| Identity Provider | Auth0 (Okta) | Secure |
| MFA Support | Not currently enabled. Will be available after Early Access via Auth0 (TOTP, WebAuthn). | Early Access |
| SSO Support | Enterprise SSO available (SAML, OIDC) - contact sales | Informational |
| Credential Storage | Access tokens in memory only; cleared on logout; not persisted to disk | Secure |
| Session Management | JWT access tokens; re-authentication required each AutoCAD session | Secure |
Authentication Flow
- User clicks login in plugin
- System browser opens to Auth0 login page
- User authenticates via Auth0
- Auth0 redirects to localhost callback with authorization code
- Plugin exchanges code for access token using PKCE code verifier
- Access token used for API calls during session
Data Handling
Local Data Storage
| Location | Contents | Sensitivity |
|---|---|---|
| %LOCALAPPDATA%\LeafDesign\ | Equipment specification databases (SQLite) | Public data (manufacturer specs) |
| user.config | User preferences, UI settings | Non-sensitive |
| User's DWG files | Design data stored as AutoCAD XData | User-controlled |
Note: No credentials, tokens, or PII are persisted to local storage. SQLite databases contain only publicly available equipment specifications.
Encryption
| Type | Implementation | Status |
|---|---|---|
| In Transit | TLS 1.2+ for all external API communications | Secure |
| At Rest (Local) | Not encrypted (contains only public equipment data) | Informational |
Telemetry & Analytics
The plugin collects usage telemetry to improve the product. Data collected includes:
- Feature usage events (which commands are used)
- User email (for license correlation)
- Machine name (for installation analytics)
- Drawing name (for usage context)
Telemetry is transmitted to Google Cloud. There is no opt-out mechanism during Early Access to support rapid improvement and error resolution. Opt-out will be available after Early Access.
Network & External APIs
External Connections
| Service | Purpose | Protocol | Auth |
|---|---|---|---|
| Auth0 | User authentication | HTTPS/TLS 1.2+ | OAuth 2.0 PKCE |
| api.leafdesign.ai | License validation, feature configuration, bug reports | HTTPS/TLS 1.2+ | Bearer token |
| Google Cloud | Telemetry | HTTPS/TLS 1.2+ | Service account |
All external communications use HTTPS. No HTTP-only endpoints. Certificate validation uses the Windows certificate store (no custom bypasses).
Firewall Requirements
The plugin requires outbound HTTPS (port 443) access to:
- *.auth0.com
- api.leafdesign.ai
- *.googleapis.com
Compliance & Security Audit
Audit Summary
A comprehensive security audit was conducted in January 2026 covering authentication, data security, network security, input validation, and code quality.
Verified Secure
- PKCE OAuth implementation (RFC 7636 compliant)
- Token storage (memory-only, cleared on logout)
- TLS certificate validation (no bypass)
- SQL queries (all parameterized)
- File path handling (trusted sources only)
- JSON deserialization (TypeNameHandling disabled)
- Bearer token authentication (properly implemented)
Current Limitations (Early Access)
The following items have been identified and are being addressed:
| Item | Status | Timeline |
|---|---|---|
| Telemetry opt-out mechanism | Early Access | After Early Access |
| MFA enforcement | Early Access | After Early Access |
| SOC 2 certification | Informational | Not currently planned |
Downloads
Security Contact
For security questions, custom questionnaires, or to report vulnerabilities:
Email: security@leafautomation.ai
General Inquiries: contact@leafautomation.ai