Security Questionnaire

Branch AutoCAD Plugin — Pre-Filled IT Security Responses

Product Version: 1.0 (Early Access) | Document Date: February 2026 | Audit Date: January 2026

Section 1: Authentication & Access Control

How are users authenticated?

OAuth 2.0 with PKCE via Auth0 identity provider

Industry-standard OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange) as recommended by RFC 8252 for native desktop applications. Users authenticate through Auth0's hosted login page.

Where are credentials stored?

Access tokens stored in memory only (not persisted to disk)

User credentials are never stored by the plugin. OAuth tokens exist only in memory during the session and are cleared on logout. No tokens written to registry, files, or databases. Users must re-authenticate each AutoCAD session.

Is multi-factor authentication supported?

Not currently enabled during Early Access

MFA will be enabled after Early Access via Auth0 tenant configuration. Auth0 supports TOTP authenticator apps, WebAuthn/FIDO2 security keys, and other MFA methods. The plugin does not bypass MFA challenges — when enabled, MFA will be enforced transparently.

Is SSO supported?

Yes, enterprise SSO available (SAML, OIDC)

Auth0 supports enterprise SSO connections including SAML 2.0, OpenID Connect, Active Directory/LDAP, and social providers. Contact sales for enterprise SSO configuration.

How are sessions managed?

JWT access tokens with memory-only storage

Sessions managed via JWT access tokens obtained after authentication. Tokens validated server-side by Leaf Automation APIs. Session ends when user logs out or closes AutoCAD.

Are there any hardcoded credentials in the source code?

No sensitive credentials hardcoded

The Auth0 Client ID is present (public by OAuth design). No client secrets are used (PKCE replaces client secret for native apps). Third-party API keys are being externalized to environment configuration.
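Why a public Client ID with no client secret is sufficient under PKCE, shown as an added example (not the plugin's or Auth0's code): the authorization code is only redeemable by whoever holds the in-memory `code_verifier`. `ToyAuthServer` and `run_flows` are hypothetical names; the S256 transform follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43-character code_verifier (allowed range 43-128)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Constructed stand-in for an authorization server (not Auth0's code)."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        # Codes are single-use: pop() so a second attempt always fails.
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False
        return hmac.compare_digest(challenge, s256_challenge(code_verifier))


def run_flows() -> dict:
    server = ToyAuthServer()
    # Flow 1: the client keeps the verifier in memory and redeems its own code.
    v1 = new_verifier()
    code1 = server.authorize(s256_challenge(v1))
    legit = server.redeem(code1, v1)
    replay = server.redeem(code1, v1)
    # Flow 2: a party that sees only the authorization code, not the verifier.
    code2 = server.authorize(s256_challenge(new_verifier()))
    intercepted = server.redeem(code2, new_verifier())
    return {"legit": legit, "replay": replay, "intercepted": intercepted}
```

When reviewing a real integration, confirm the authorization request carries `code_challenge_method=S256` rather than `plain`.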

Section 2: Data Protection

What data does the application collect?

User email (licensing), usage telemetry, bug report data (optional)

Data categories: (1) User identity — email from Auth0 token for licensing; (2) Telemetry — feature usage events, machine name, drawing name; (3) Bug reports — design parameters sent only when the user explicitly submits a bug report. No financial data or sensitive PII collected.

Where is data stored locally?

%LOCALAPPDATA%\LeafDesign\ containing equipment specification databases

SQLite databases contain only public manufacturer equipment specifications (inverters, modules, cables). User preferences in user.config. Design data stored in user's own DWG files. No PII, credentials, or proprietary data in local databases.

Is data encrypted at rest?

No - local databases contain only public equipment specifications

Local SQLite databases are not encrypted. This is acceptable because they contain only publicly available equipment specifications (inverter and module datasheets). No credentials or PII are stored locally.

Is data encrypted in transit?

Yes - TLS 1.2+ for all external communications

All external API communications use HTTPS with TLS 1.2 or higher. Endpoints include Auth0, Leaf Automation Design API, and Google Cloud telemetry.

Does the application upload CAD files or drawings?

No - CAD files remain local

Project files, drawings, and geometry are never uploaded to our servers. All design work remains on the user's machine. The plugin stores design data as XData within standard AutoCAD DWG files, which the user controls.

How long is data retained?

Local data persists until user deletes; telemetry per Google Cloud policies

Local equipment databases persist until uninstall. User preferences persist until manual deletion. Design data in DWG is user-controlled. Cloud telemetry retained per Google Cloud default policies (typically 30-90 days).

Section 3: Network Security

What external services does the application connect to?

Auth0, Leaf Automation Design API, Google Cloud

Auth0 (authentication), api.leafdesign.ai (license validation, feature configuration, bug reports), Google Cloud (telemetry). All connections use HTTPS/TLS 1.2+.

What firewall rules are required?

Outbound HTTPS (port 443) to specified domains

Required outbound access: *.auth0.com, api.leafdesign.ai, *.googleapis.com. No inbound connections required.
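One way an IT reviewer can check observed plugin traffic against the allowlist stated above, as an added example that is not part of the vendor's documentation. The log format and sample lines are constructed, and the wildcard is assumed to match subdomains only (not the bare apex domain), which may differ from a given firewall's semantics.

```python
# Allowlist copied from the questionnaire's firewall answer.
ALLOWED = ("*.auth0.com", "api.leafdesign.ai", "*.googleapis.com")

# Constructed sample: timestamp, process, destination host, destination port.
SAMPLE_LOG = """\
2026-02-03T09:14:02Z acad.exe tenant.us.auth0.com 443
2026-02-03T09:14:05Z acad.exe API.LeafDesign.AI. 443
2026-02-03T09:14:09Z acad.exe logging.googleapis.com 443
2026-02-03T09:15:40Z acad.exe api.leafdesign.ai 80
2026-02-03T09:16:11Z acad.exe auth0.com.example.net 443
2026-02-03T09:16:30Z acad.exe notauth0.com 443
"""


def host_allowed(host: str) -> bool:
    """Match on label boundaries so look-alike names are rejected."""
    host = host.lower().rstrip(".")  # DNS names are case-insensitive
    for pattern in ALLOWED:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".auth0.com": the leading dot is the boundary
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def review(log_text: str) -> list:
    """Return (host, port, reason) for every connection outside the stated rules."""
    findings = []
    for line in log_text.strip().splitlines():
        _ts, _proc, host, port = line.split()
        if port != "443":
            findings.append((host, port, "port is not 443"))
        elif not host_allowed(host):
            findings.append((host, port, "host outside documented allowlist"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A clean result shows only that destinations and ports match the documented rules; it does not by itself confirm TLS version or certificate validation.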

Are TLS certificates properly validated?

Yes - uses Windows certificate store, no custom bypasses

Default .NET certificate validation against Windows certificate store. No ServerCertificateValidationCallback override or certificate pinning bypass found in codebase.

Is all network traffic encrypted?

Yes - all external communications use HTTPS

No plaintext HTTP communications to external services. All API endpoints use HTTPS with TLS encryption.

Section 4: Application Security

How are third-party dependencies managed?

NuGet packages with version locking

The project uses NuGet packages with explicit version specifications. Dependency updates are reviewed manually before integration. Automated vulnerability scanning being added to CI/CD pipeline.

How is user input validated?

SQL parameterization, trusted file path sources

All SQL queries use parameterized queries (AddWithValue). File paths come only from trusted sources (environment variables, file dialogs). JSON deserialization has TypeNameHandling disabled to prevent deserialization attacks.

Can the plugin access files outside its working directory?

Only via user file selection dialogs

All file paths come from trusted sources: Environment.GetFolderPath(), OpenFileDialog/SaveFileDialog, Path.GetTempPath(). No user-provided strings concatenated into paths. No directory traversal vulnerabilities.

How is the software distributed?

Direct download from Leaf Automation portal during Early Access

Software downloaded from the Leaf Automation portal during Early Access. Manual installation into AutoCAD plugin folder. Version checking available. Autodesk App Store distribution and signed installer planned for general availability.

Section 5: Compliance & Governance

When was the last security audit?

January 2026

Comprehensive internal security audit covering authentication, data security, network security, input validation, and code quality. 12 detailed audit documents produced. Findings addressed with remediation timelines.

What security frameworks are followed?

CVSS v3.1 scoring, OWASP guidelines, CWE classification

Security audit used CVSS v3.1 for severity scoring, OWASP guidelines for web/API security, and CWE classification for vulnerability categorization.

Is SOC 2 certification available?

Not currently - product is in early access

SOC 2 certification is not currently planned for the early access phase. Will be evaluated for future product maturity based on customer requirements.

Is there a vulnerability disclosure process?

Report to security@leafautomation.ai

Security issues can be reported to security@leafautomation.ai. We will acknowledge receipt and provide updates on resolution.

What is the patch cadence for security updates?

Critical issues addressed immediately; regular updates quarterly

Critical issues: immediate response. High severity: next release (typically 30 days). Medium/Low: quarterly updates. Product is actively maintained during early access.

Section 6: Privacy

What PII is collected?

Email address, machine name (for telemetry)

User email from Auth0 authentication (required for licensing). Machine name and drawing name included in usage telemetry. No financial data, health data, or other sensitive categories collected.

Is there a privacy policy?

Yes - available at leafautomation.ai/privacy

Full privacy policy available on website covering data collection, use, retention, and user rights.

Can users opt out of telemetry?

Not during Early Access

Telemetry is required during Early Access to support rapid improvement and error resolution. Opt-out will be available after Early Access.

Is data shared with third parties?

Only with service providers (Auth0, Google Cloud)

Data shared only with essential service providers for authentication and analytics. No data sold to third parties. See privacy policy for full details.

Document prepared by: Logically Engineered Automation Features, Inc.

Contact: security@leafautomation.ai

For questions about this questionnaire or to submit your organization's custom questionnaire, please contact us at the email above.
