1. Service Scope
Barvinca is a hosted service for Autodesk Platform Services and Autodesk Construction Cloud workflows. The initial Marketplace listing is planned as a token-based web app for Bulk User Manager workflows.
Barvinca is independent from Autodesk and uses Autodesk APIs only as authorized by customers and supported by Autodesk Platform Services.
2. Authentication And Authorization
- Users authenticate through supported Barvinca and Autodesk authorization flows.
- Customer-directed Autodesk workflows require appropriate Autodesk permissions.
- Welcome and paid-access features are gated server-side by token balance or subscription entitlement.
- Administrative tools are separated from customer-facing routes.
3. Credential Handling
- Customer-provided APS Client Secrets and sensitive tokens are not intentionally exposed to browser clients.
- Hosted credentials are encrypted at rest where storage is required.
- Credentials are used only to perform customer-directed workflows.
- Customers may request deletion or disconnection of stored credentials.
4. Transport Security
Barvinca public endpoints are intended to be served over HTTPS. HTTP Strict Transport Security and browser security headers should be enabled for production routes. Secrets should never be sent through email or support tickets.
5. Data Protection
Barvinca applies controls intended to protect customer data, including access controls, encrypted credential storage, request logging for security and diagnostics, rate limiting, abuse protections, audit records for bulk operations, dry-run previews, export controls, and operation history.
6. Infrastructure
The hosted service is designed to run on managed cloud infrastructure, including Cloudflare Workers and related managed storage/routing services. Autodesk APIs are used for customer-directed Autodesk workflows.
7. Logging And Monitoring
Barvinca may log request metadata, operation IDs, tool usage, error messages, event status, and security-relevant events. Logs are used for debugging, abuse prevention, reliability, and support. Barvinca should not log APS Client Secrets, OAuth tokens, passwords, private keys, or complete sensitive payloads.
8. Bulk Operation Safety
Barvinca workflows are designed for operational safety: dry-run previews before supported mutating operations, explicit user approval for changes, item-level operation tracking, retry/skip/success/failure states, exportable operation results, and audit logs for support and review.
9. MCP And AI Assistant Use
If Barvinca MCP is enabled, tool use should be governed by the published MCP manifest and Publisher Declaration. MCP Marketplace publication should be deferred until endpoint, tool list, external endpoints, and security declarations are verified.
10. Vulnerability Disclosure
Report suspected vulnerabilities to security@barvinca.com. Please include affected URL or feature, steps to reproduce, security impact, and any relevant logs or screenshots with secrets removed.
11. Shared Responsibility
Barvinca is responsible for operating the hosted service securely. Customers are responsible for managing Autodesk accounts, licenses, permissions, authorized users, credentials, devices, dry-run review, internal approvals, and compliance with Autodesk terms and applicable laws.