Neighborly Software Logo

Neighborly Software API

Security Overview

Authentication and Authorization

The API uses the OAuth 2.0 Client Credentials Grant to authenticate machine-to-machine applications. Each application is issued a Client ID and Client Secret via the Developer Portal.

Access tokens:

  • Are short-lived (60 minutes)
  • Do not support refresh tokens
  • Should be refreshed proactively (e.g., every 30 minutes or based on the exp claim)

Tokens provide scoped access to resources based on Access Levels defined during application registration. These scopes allow fine-grained control over what data an application can access.

If a client secret is compromised:

  • Developers can rotate credentials in the Developer Portal
  • Tech Admins can revoke access at the tenant or application level

Access Control and Data Sensitivity

Administrators should note:

  • Developers may access and manipulate tenant data via API
  • API responses may contain PII (Personally Identifiable Information)
  • Tenants are responsible for validating applications
  • Follow least privilege practices when granting access

Rate Limiting and Quotas

To protect the system and ensure fair use, the following limits are enforced per tenant:

  • Rate Limit: 60 requests/minute
  • Monthly Call Quota: 50,000 calls
  • Monthly Bandwidth Quota: 50 MB

Once a tenant exceeds any of these limits, the API returns an HTTP 429 Too Many Requests response. No further requests are processed until usage drops back below the limit or the quota resets.

Audit Logging

All API activity is fully audit logged to support forensic analysis and compliance:

  • Logs include request/response metadata
  • Body content is logged only for error responses to reduce data exposure

Developer Responsibilities

Developers integrating with the API must:

  • Securely store credentials (Client ID and Secret)
  • Monitor token usage and expiration
  • Define access scopes using least privilege
  • Rotate credentials immediately if compromised

Data Protection

Transport Security

All API traffic must use HTTPS with TLS 1.2 or higher. The API enforces:

  • Automatic redirection from HTTP to HTTPS
  • HTTP Strict Transport Security (HSTS) headers

Best practices:

  • Never disable SSL/TLS validation
  • Mobile apps: Use certificate pinning
  • Server-to-server: Validate certificate chains and trust stores

Data Encryption

All sensitive data is encrypted:

  • In transit and at rest using AES-256 or stronger
  • PII fields are encrypted at the field level

Security measures:

  • Encryption follows FIPS 140-2 standards
  • Rotate encryption keys on a regular schedule
  • Store cached data securely and avoid logging sensitive data in plain text

Security Testing & Compliance

Penetration Testing

  • Quarterly third-party penetration tests
  • Additional tests prior to major releases

Security testing includes:

  • Static code analysis
  • Dynamic application security testing (DAST)
  • Automated vulnerability scanning

Consumers should also:

  • Run their own vulnerability scans
  • Include security checks in CI/CD pipelines
  • Use the sandbox environment for safe testing

Compliance Standards

The API complies with:

  • SOC 2 Type II
  • State-level government standards
  • NIST Cybersecurity Framework

Annual compliance audits and documentation support customer regulatory requirements. Built-in features include:

  • Audit logging
  • Data retention controls

Responsible Disclosure Program

We encourage responsible reporting:

  • Submit vulnerabilities via our responsible disclosure program
  • Avoid public disclosure
  • Collaborate with our team for resolution

Security advisories are shared along with recommended mitigations.

Security Best Practices for Consumers

Token Storage

Do not store credentials in:

  • Client-side code
  • Version control
  • Browser storage (local/session storage)

Use secure methods:

  • Environment variables
  • Encrypted config files
  • Secrets managers like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault

For mobile apps:

  • Use iOS Keychain or Android Keystore

For web apps:

  • Use HTTP-only secure cookies for session tokens

Access Control and Key Rotation

  • Treat credentials as highly sensitive
  • Use Role-Based Access Control (RBAC)
  • Automate credential rotation
  • Monitor and audit usage
  • Revoke compromised keys immediately
  • Use scoped keys to limit risk

Secure Communication and Data Handling

  • Always use HTTPS with proper certificate validation
  • Never disable certificate checks

Implement:

  • Sanitization of API responses
  • Input validation for all user inputs
  • Process only the required data fields

Application Security Controls

Implement:

  • CSRF protection (tokens, SameSite cookies, Origin validation)
  • Content Security Policy (CSP) headers
  • Avoid using unsafe JavaScript functions like eval(), innerHTML, document.write()

Use safer alternatives:

  • textContent
  • createElement()
  • Templating libraries with built-in XSS protection

Ensure:

  • Proper error handling without exposing internal details
  • Monitoring and alerting for security-related events
Last modified on