I am writing a mobile app that will access the clover api. The clients concern is security. Lets say he entrusts a said provider with the application what happens if said application deleted all his data? As a third party provider accessing clover, how does one communicate safety to the client so they know their data is protected? Does clover allow deletes in the api? How does one sell trust to a client when they don't know who you are?
Clover applications have a set of permissions (e.g. Order read/write, https://docs.clover.com/clover-platform/docs/permissions). Your application should select only the permissions your application requires. If your application does not require writes, then you should not be selecting any write permissions. When the merchant installs your application they see the permissions your application requires and can choose to either install the application (granting your app the requested permissions) or not.
But does clover verify the assertion of said permissions? It has to be someone other than me because any software provider can say whatever they want but a third party sign off is what i am a looking for. Does clover do that?
If your app does not have, for example, delete permissions on orders but attempts to make an API call to delete orders that call will be denied. Is this what you are asking?
yep. this is a reporting app which is read only so ii am assuming by your statements that the client determines the permissions correct? If so, how do they do that? if they control its predictable for them which is what i need. How do they set those permissions?
Your application will require a certain set of permissions (https://docs.clover.com/clover-platform/docs/permissions) to function correctly. When you create your app you will determine those permissions and you will set them on your app. When the client/merchant goes to install your app they will see the permissions your app requires and will either choose to install and accept granting your app those permissions or not.
You may find our app market terms helpful in answering your other questions - https://www.clover.com/app-market-terms.
If you haven't seen them, we've got an App Approval process where Clover interacts with the application developer, gets the API permissions set properly, and gets the app published into our market. Possibly some of your questions are covered there.
https://docs.clover.com/clover-platform/docs/launch-overview
Part of that process is verifying the application developer legal documents: their privacy policy and terms of service / end user license agreement (TOS/EULA) and that it accords with Clover's data policies - that's separate than the technical questions, of course.
https://www.clover.com/privacy-policy
And a developer cannot access our API without being an approved app in our market, and can only perform the API actions that our reviewers have approved during the App Approval processes. On top of that, many important objects cannot be deleted via the API.
I am uncertain the scope of your question, but we have many limitations on Apps that we control, and this isn't usually a question we run into - only apps approved in our market can access our apis, and financial data is appropriately restricted globally and for each app's use.
Is there a specific scenario that you are running into concerns with? Can you give us further details? Have you applied as a developer, and do you have a technical contact you are working with on the Developer Relations team, if you'd rather not give details in public?
2 People are following this question.
