Partner Security and Responsibilities

Using our API comes with important responsibilities regarding security and data confidentiality. This document outlines best practices and clarifies the responsibilities of partners when using our API.

🔐 Credential Security

Each partner is provided with unique authentication credentials (API keys, tokens, etc.) to access the API. These credentials are strictly confidential and must never be exposed publicly, including but not limited to:

  • shared code repositories (e.g., GitHub, GitLab), including private ones and commit history,
  • interfaces without proper authentication,
  • unsecured logs or log files,
  • email exchanges, including those with our team,
  • or any other medium accessible to unauthorized third parties.

You are solely responsible for storing and handling these credentials securely: load them at runtime from environment variables or a secrets manager (vault) rather than embedding them in source code or in configuration files that are committed to a repository.

To ensure the security of your integrations, we strongly recommend the following:

  • Limit the permissions associated with each API key (principle of least privilege).

We restrict each key to the endpoints you require. It remains your responsibility, however, to ensure that the calls your application makes cannot be used to read or modify data you are not authorized to handle: a record identifier supplied by an end user, for example, must be checked against that user's own scope before it is forwarded to us.

Likewise, request from our APIs only the data that is strictly necessary for your use case.

  • Implement a server-side proxy

Your backend server should handle all communication with the Resamania APIs; browsers and mobile applications must never call them directly with your credentials. This proxy layer lets you:

- keep the actual upstream calls (endpoints, parameters) hidden from the client,
- manage authentication without exposing credentials,
- filter each response so that only the information relevant to the end user is returned.

  • Use the appropriate authentication method

See the dedicated section on authentication: our API offers different authentication modes depending on your use case, in particular when your application lets end users interact with the API, directly or indirectly. Choose the mode that matches who is acting, and do not make calls on behalf of an end user with a credential that carries broader rights than that user has.
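
As an added example (not the page's or Resamania's own code), the following minimal proxy puts the points above into practice: the credential is read from the environment at startup and attached on the server, only allowlisted routes are forwarded, credential-like parameters coming from the client are dropped, client headers are never passed through, and the upstream response is filtered down to the fields the end user needs. The upstream URL, the Bearer header, the environment variable name, the route and the field names are placeholders assumed for illustration; the real authentication method is the one described in the dedicated section of this documentation.

```python
"""Minimal server-side proxy in front of a partner API (added example).

Assumptions, not from the original page: the upstream base URL, the
"Authorization: Bearer" scheme, the environment variable name and the
route/field names below are placeholders chosen for illustration.
"""
import json
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_BASE = "https://api.partner.invalid"   # placeholder upstream (assumed)
API_KEY_ENV = "PARTNER_API_KEY"                 # placeholder variable name (assumed)

# Route allowlist: only these proxy paths are ever forwarded. Each maps to one
# upstream path and the set of fields the end user is allowed to see.
ALLOWED_ROUTES = {
    "/me/bookings": ("/v1/bookings", {"id", "startsAt", "status"}),
}
# Client-supplied query parameters that must never reach the upstream API.
FORBIDDEN_QUERY_PARAMS = {"api_key", "apiKey", "token", "access_token"}


def load_api_key(env=os.environ):
    """Read the secret from the environment (or a secrets manager), never from the repo."""
    key = env.get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def build_upstream_request(path, query, api_key):
    """Translate an end-user request into an upstream request spec, or return
    None if the path is not on the allowlist. The credential is attached here,
    server-side; nothing the client sent (headers, credential-like params) is
    forwarded. Identifiers that scope the data (e.g. the member id) must come
    from the proxy's own session, not from the client."""
    if path not in ALLOWED_ROUTES:
        return None
    upstream_path, _ = ALLOWED_ROUTES[path]
    clean_query = {k: v for k, v in query.items() if k not in FORBIDDEN_QUERY_PARAMS}
    url = UPSTREAM_BASE + upstream_path
    if clean_query:
        url += "?" + urllib.parse.urlencode(clean_query)
    return {
        "url": url,
        "headers": {"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    }


def filter_response(payload, allowed_fields):
    """Keep only allowlisted fields, for a single object or a list of objects."""
    if isinstance(payload, list):
        return [filter_response(item, allowed_fields) for item in payload]
    if isinstance(payload, dict):
        return {k: v for k, v in payload.items() if k in allowed_fields}
    return payload


def forward(spec, timeout=10):
    """Perform the upstream call. urllib verifies the TLS certificate by default;
    never pass an unverified SSL context here, or the source check is lost."""
    req = urllib.request.Request(spec["url"], headers=spec["headers"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


class ProxyHandler(BaseHTTPRequestHandler):
    api_key = None  # set once at startup from the environment

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        query = dict(urllib.parse.parse_qsl(parsed.query))
        spec = build_upstream_request(parsed.path, query, self.api_key)
        if spec is None:
            self.send_error(404, "unknown route")
            return
        _, fields = ALLOWED_ROUTES[parsed.path]
        try:
            body = filter_response(forward(spec), fields)
        except Exception:
            # Never echo upstream error details (or the request we made) to the client.
            self.send_error(502, "upstream error")
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    ProxyHandler.api_key = load_api_key()
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The client only ever sees `/me/bookings` and three fields; it cannot learn the upstream endpoint, inject its own credential, or reach a route that is not in the allowlist. Extending the allowlist is a code change reviewed like any other, which is the point.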

  • Implement a key rotation mechanism

The API Gateway allows you to rotate your API keys yourself via the developer portal. Rotate keys on a regular schedule and whenever someone who had access to them leaves your team, not only after an incident, and make sure your backend picks up the new key from its secrets store without a code change.

  • Use API call logs and set up alerts

The API Gateway's developer portal lets you monitor your API call logs and set alerts on error responses (4xx, 5xx). A burst of 401/403 responses on a key is a signal worth acting on: it can mean the key is stale or revoked, or that it is being used by someone other than your backend.

  • Always validate the source and integrity of exchanged data: verify the TLS certificate on every call to our APIs (never disable certificate verification), and validate the structure of responses before acting on them.
  • Keep your dependencies and libraries up to date so that known vulnerabilities are patched.
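
Beyond the alerts configured in the portal, the same signals can be checked on your own side once you export the call logs. The following added example (not part of the original page, and not a feature of the API Gateway) runs over a few constructed log lines and raises an alert for a burst of 401/403 responses on one key, for use of a key from a host that should not hold it, and for a burst of 5xx responses. The line format, the list of known hosts and the thresholds are assumptions for illustration; map them to your gateway's real export.

```python
"""Alerting over exported API call logs (added example; not the developer portal's own rules).

Assumed, not from the original page: the export format (one JSON object per line
with ts, key_id, src_ip, path, status), the hosts allowed to use the key, and the
thresholds below.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

KNOWN_EGRESS_IPS = {"203.0.113.10"}   # assumed: the backend hosts that legitimately hold the key
WINDOW = timedelta(minutes=5)         # sliding window for burst detection
MAX_AUTH_FAILURES = 3                 # 401/403 responses per key within WINDOW
MAX_SERVER_ERRORS = 5                 # 5xx responses within WINDOW

# Constructed sample export: normal traffic, then three 403s for the same key from a
# host that should not have it, then a single upstream 502.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00Z", "key_id": "key_a", "src_ip": "203.0.113.10", "path": "/v1/bookings", "status": 200}
{"ts": "2024-05-01T10:00:30Z", "key_id": "key_a", "src_ip": "203.0.113.10", "path": "/v1/bookings", "status": 200}
{"ts": "2024-05-01T10:01:00Z", "key_id": "key_a", "src_ip": "198.51.100.7", "path": "/v1/members", "status": 403}
{"ts": "2024-05-01T10:01:10Z", "key_id": "key_a", "src_ip": "198.51.100.7", "path": "/v1/members/42", "status": 403}
{"ts": "2024-05-01T10:01:20Z", "key_id": "key_a", "src_ip": "198.51.100.7", "path": "/v1/admin", "status": 403}
{"ts": "2024-05-01T10:02:00Z", "key_id": "key_a", "src_ip": "203.0.113.10", "path": "/v1/bookings", "status": 502}
"""


def parse_line(line):
    """Parse one exported log line; timestamps are ISO 8601 with a trailing Z."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev


def _burst(timestamps, now, limit):
    """Record `now`, drop entries older than WINDOW, and report whether the
    window now holds at least `limit` events."""
    timestamps.append(now)
    while timestamps and now - timestamps[0] > WINDOW:
        timestamps.popleft()
    return len(timestamps) >= limit


def analyze(log_text):
    """Return the list of alerts raised by the log lines, in time order.
    Each alert type is raised once per key (or once per key/source pair) so
    that a sustained incident does not flood the on-call channel."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    auth_fail = defaultdict(deque)   # key_id -> recent 401/403 timestamps
    server_err = deque()             # recent 5xx timestamps, all keys
    seen_sources, flagged_keys, server_flagged = set(), set(), False
    alerts = []
    for ev in events:
        pair = (ev["key_id"], ev["src_ip"])
        # A partner key should only ever be used from your own backend hosts.
        if ev["src_ip"] not in KNOWN_EGRESS_IPS and pair not in seen_sources:
            seen_sources.add(pair)
            alerts.append({"type": "unexpected_source", "key_id": ev["key_id"],
                           "src_ip": ev["src_ip"], "ts": ev["ts"].isoformat()})
        if ev["status"] in (401, 403):
            q = auth_fail[ev["key_id"]]
            if _burst(q, ev["ts"], MAX_AUTH_FAILURES) and ev["key_id"] not in flagged_keys:
                flagged_keys.add(ev["key_id"])
                alerts.append({"type": "auth_failure_burst", "key_id": ev["key_id"],
                               "count": len(q), "ts": ev["ts"].isoformat()})
        elif ev["status"] >= 500:
            if _burst(server_err, ev["ts"], MAX_SERVER_ERRORS) and not server_flagged:
                server_flagged = True
                alerts.append({"type": "server_error_burst", "count": len(server_err),
                               "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample above, the first 403 from the unknown host raises `unexpected_source` immediately, the third 403 within five minutes raises `auth_failure_burst`, and the lone 502 stays below the server-error threshold. An `unexpected_source` alert on a partner key is the trigger for the revocation procedure below, not just an error-rate curiosity.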

🔄 Revocation and Renewal

In case of credential compromise (or suspected compromise):

  1. Immediately revoke the compromised key via the developer portal.
  2. Generate a new key and deploy it to your backend through your secrets store.
  3. Notify the API team so that we can check the revoked key's call logs for misuse and assist you.

📄 Data Protection

Partners are responsible for complying with all applicable legal and regulatory obligations regarding data protection, including the GDPR (General Data Protection Regulation) for users located in the European Union.

  • Collect and store only the data that is strictly necessary.
  • Ensure your systems are designed to protect this data from unauthorized access.
  • Any data breach or security incident involving our APIs must be reported to us as soon as possible.

⚠️ Responsibility

Use of our API is the full responsibility of the partner. Any improper use, mismanagement of credentials, or failure to follow security best practices may result in:

  • Temporary or permanent suspension of API access,
  • and possibly legal action in case of proven damages.

We appreciate your diligence and cooperation in maintaining a secure and reliable ecosystem.


For any questions related to security or to report an incident, please contact our team by email.