Legal

Security Overview

Security practices for Barvinca hosted services.

Last updated: 2026-07-09

1. Service Scope

Barvinca is a hosted service for Autodesk Platform Services and Autodesk Construction Cloud workflows. The initial Marketplace listing is planned as a token-based web app for Bulk User Manager workflows.

Barvinca is independent from Autodesk and uses Autodesk APIs only as authorized by customers and supported by Autodesk Platform Services.

2. Authentication And Authorization

3. Credential Handling

4. Transport Security

Barvinca public endpoints are intended to be served over HTTPS. HTTP Strict Transport Security and browser security headers should be enabled for production routes. Secrets should never be sent through email or support tickets.

5. Data Protection

Barvinca applies controls intended to protect customer data, including access controls, encrypted credential storage, request logging for security and diagnostics, rate limiting, abuse protections, audit records for bulk operations, dry-run previews, export controls, and operation history.

6. Infrastructure

The hosted service is designed to run on managed cloud infrastructure, including Cloudflare Workers and related managed storage/routing services. Autodesk APIs are used for customer-directed Autodesk workflows.

7. Logging And Monitoring

Barvinca may log request metadata, operation IDs, tool usage, error messages, event status, and security-relevant events. Logs are used for debugging, abuse prevention, reliability, and support. Barvinca should not log APS Client Secrets, OAuth tokens, passwords, private keys, or complete sensitive payloads.

8. Bulk Operation Safety

Barvinca workflows are designed for operational safety: dry-run previews before supported mutating operations, explicit user approval for changes, item-level operation tracking, retry/skip/success/failure states, exportable operation results, and audit logs for support and review.

9. MCP And AI Assistant Use

If Barvinca MCP is enabled, tool use should be governed by the published MCP manifest and Publisher Declaration. MCP Marketplace publication should be deferred until endpoint, tool list, external endpoints, and security declarations are verified.

10. Vulnerability Disclosure

Report suspected vulnerabilities to security@barvinca.com. Please include affected URL or feature, steps to reproduce, security impact, and any relevant logs or screenshots with secrets removed.

11. Shared Responsibility

Barvinca is responsible for operating the hosted service securely. Customers are responsible for managing Autodesk accounts, licenses, permissions, authorized users, credentials, devices, dry-run review, internal approvals, and compliance with Autodesk terms and applicable laws.