Build & Add your App to Druva Marketplace
Prepare, validate, and submit your App for Druva Marketplace approval using the app submission workflow and security requirements checklist.
Overview
Use this guide to prepare, validate, and submit your application for Druva Marketplace approval.
You can integrate apps and services with Druva to extend the platform’s capabilities and automate workflows. The approval process follows a structured submission workflow and the Druva Marketplace Security Framework, which helps ensure that marketplace applications meet modern security, privacy, and compliance expectations.
App Submission Workflow
Follow these steps to prepare your integration for review:
- Set up your environment: Create your Sandbox and generate API credentials (Client ID/Secret).
- Review the security requirements: Align your app with the Druva Marketplace Security Framework before you begin implementation.
- Build your integration: Configure your environment and develop the integration.
- Prepare submission documents: Create architecture diagrams and security documentation based on the requirements and checklist in this guide.
- Validate your app: Perform functional testing in the Sandbox and run secure code scans such as SAST (static application security testing) and SCA (software composition analysis).
- Submit for review: Submit your integration for Privacy, Legal, and Technical review to [email protected].
App Submission Requirements and Checklist
The Druva Marketplace Security Framework defines the security standards for partner and customer integrations with the Druva platform. It is structured across four core components:
- App Onboarding & Governance: Define scope, baseline security requirements, ownership, and responsibilities before building your integration.
- Secure Software Development Lifecycle (SSDLC): Follow secure design, coding, testing, and deployment practices aligned with OWASP (Open Web Application Security Project) standards and modern development, security, and operations frameworks.
- Privacy, Authorization & Data Protection: Securely handle sensitive data, use strong authentication mechanisms, and comply with relevant data protection regulations.
- Network & Communication Security: Protect network-facing components, APIs, and inter-service communication to prevent unauthorized access and data exfiltration.
Use the requirements below when preparing your submission. Each requirement is classified in one of these categories:
- MANDATORY: Requirements that must be met for marketplace approval. Failure to comply may result in rejection of the integration.
- RECOMMENDED: Best practices that strengthen your security posture. They are not required for initial approval, but they may become mandatory in future framework updates or for specific integration types.
Onboarding & Governance
| Requirement | Category |
|---|---|
| App or integration must include documented key technical and security contact details | MANDATORY |
| Provide an architecture diagram that includes auth flows, APIs, data paths or flows, integration points, and security controls | MANDATORY |
| Declare used services (Druva APIs, SDKs, storage endpoints, and so on) | MANDATORY |
| List third-party libraries, software dependencies, and licenses | MANDATORY |
Secure Code, SSDLC & API Security
| Requirement | Category |
|---|---|
| Adhere to secure coding practices such as OWASP Top 10, SANS CWE, and NIST SSDF | RECOMMENDED |
| Conduct code reviews and static code analysis (SAST) | MANDATORY |
| Perform software composition analysis (SCA) to identify vulnerable dependencies | MANDATORY |
| Implement error handling that fails securely and does not expose sensitive information in error messages | MANDATORY |
| Implement positive security models (allowlisting known-safe input) and permit only API calls or parameters that are documented, expected, and validated | MANDATORY |
| Avoid insecure cryptography and open redirects | MANDATORY |
| Implement CSRF protections for state-changing actions | MANDATORY |
| Host all client-side code statically or use CDN subresource integrity (SRI) checks | RECOMMENDED |
| Store API secrets in secure vaults or environment variables, never in code or logs, and rotate API credentials periodically (every 90–180 days) | MANDATORY |
| Implement client-side input validation and API-side server validation; never rely on client-side validation only | MANDATORY |
| Apply output encoding to prevent client-side and server-side attacks in rendered API data | MANDATORY |
| Respect rate limits and retry headers defined by Druva APIs, and implement throttling and retry logic to avoid abuse or misuse | RECOMMENDED |
| Implement comprehensive logging for critical actions with timestamps and tamper resistance, along with integration telemetry | MANDATORY |
| Implement automated security testing in the CI/CD pipeline, including SAST, DAST, and dependency scanning | RECOMMENDED |
| Prevent server-side request forgery (SSRF) by validating and restricting outbound connections | MANDATORY |
| Implement proper session management with secure timeouts and logout mechanisms | MANDATORY |
| Use parameterized queries or prepared statements to prevent SQL or NoSQL injection | MANDATORY |
Authentication, Authorization & Data Privacy
| Requirement | Category |
|---|---|
| Use industry-standard protocols for secure delegated access, such as OAuth 2.0, OpenID Connect, or API tokens | MANDATORY |
| Encrypt data in transit using TLS 1.2 or higher; TLS 1.3 is recommended | MANDATORY |
| Encrypt data at rest using AES-256 or an equivalent industry-standard encryption method | MANDATORY |
| Never store or log secrets, access tokens, passwords, or PII in plaintext | MANDATORY |
| Implement secure key management with proper key rotation, access controls, and HSM usage where applicable | RECOMMENDED |
| Document all sensitive data collected, processed, and stored, including PII, tokens, keys, and regulated data, along with data classification | MANDATORY |
| Disclose data storage locations, jurisdictions, and cloud provider details such as AWS, GCP, or Azure | RECOMMENDED |
| List all third-party services or subprocessors that receive, process, or store user data | RECOMMENDED |
| Mask or tokenize sensitive user data where feasible, such as credit cards or SSNs | RECOMMENDED |
| Define and document data retention policies and secure deletion procedures | MANDATORY |
| Comply with applicable privacy regulations such as GDPR, CCPA, or HIPAA based on user locations and data types | RECOMMENDED |
| Implement user consent mechanisms for data collection and processing with granular controls | MANDATORY |
| Provide mechanisms for data subject rights, including access, rectification, deletion, and portability | RECOMMENDED |
| Use cryptographically secure password hashing such as bcrypt, Argon2, or PBKDF2 with appropriate work factors | MANDATORY |
Network & Communication Security
| Requirement | Category |
|---|---|
| Define and implement a Content Security Policy (CSP) where JavaScript is embedded | MANDATORY |
| Implement secure HTTP headers such as HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy | MANDATORY |
| Use a secure update mechanism with code signing, if applicable | RECOMMENDED |
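The following pre-submission check is an added example, not Druva code or part of the Druva Marketplace tooling: it takes a captured HTTP response's headers (a plain dict, as assumed here) and reports which of the Network & Communication Security requirements above are unmet, including whether a CSP is present on HTML responses where JavaScript would be embedded. The weak and hardened sample responses are constructed for illustration.

```python
from __future__ import annotations

# Referrer-Policy values (or absence) that still leak the full URL cross-origin.
_WEAK_REFERRER = {"", "unsafe-url", "no-referrer-when-downgrade"}

def _directives(csp: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return one finding per unmet requirement; an empty list means the response passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        findings.append("HSTS: Strict-Transport-Security with max-age is missing")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected nosniff")
    if h.get("referrer-policy", "").lower() in _WEAK_REFERRER:
        findings.append("Referrer-Policy: missing or leaks full URLs cross-origin")
    # The table requires a CSP wherever JavaScript is embedded, i.e. on HTML responses.
    if h.get("content-type", "").lower().startswith("text/html"):
        csp = _directives(h.get("content-security-policy", ""))
        script_sources = csp.get("script-src", csp.get("default-src"))
        if script_sources is None:
            findings.append("CSP: no script-src or default-src directive on an HTML response")
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append("CSP: script-src allows 'unsafe-inline' or wildcard sources")
    return findings

# Constructed sample responses: a weak header set beside a hardened one.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
}
```

Running `check_security_headers(WEAK_RESPONSE)` yields five findings, one per unmet row, while the hardened set returns an empty list; non-HTML responses (for example JSON API replies) are not required to carry a CSP by this check.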
Post-Approval Requirements & Developer Responsibilities
After your app is approved against the security requirements above, you must maintain ongoing compliance with the following:
| Guideline | Details |
|---|---|
| Marketplace apps must not impact Druva's production environment | No attack paths, data leakage, or privilege escalation allowed |
| Sensitive or privileged apps must undergo full security audit | Especially if PII or customer data is processed |
| App teams must maintain an escalation and contact process | Shared with Druva Security for rapid incident response |
| App teams must address security flaws per predefined timelines | Ongoing remediation is required after approval |
