# Security and Data Handling

> This page defines the safety boundaries agents must preserve when implementing Hexagon-related integrations.

## Credential Rules

Keep all Hexagon and merchant credentials server-side. This includes:

- `HEXAGON_API_KEY`
- `HEXAGON_MERCHANT_ID` when it should not be public for the merchant's rollout
- commerce platform tokens
- Shopify, WooCommerce, Magento, VTEX, BigCommerce, or custom backend credentials
- Meta or WhatsApp credentials
- payment provider credentials
- private catalog export URLs

Do not expose these in:

- browser JavaScript
- mobile app bundles
- generated Markdown pages
- public repositories
- logs
- screenshots
- analytics events
- AI prompts sent to third-party systems

## Payment Data

Hexagon provider discovery does not require raw payment credentials. Do not request or handle raw card numbers, CVC, CVV, bank account numbers, or payment secrets in generated code.

If a merchant checkout flow is in scope, use the merchant's advertised tokenized or delegated payment handler. Ask for explicit buyer approval before payment where an agent is acting on behalf of a buyer.

## Product Data

Product data may include commercially sensitive information. Only expose what is needed for the public or channel-specific AI surface:

- public product title and description
- public images
- public canonical URL
- public price when appropriate
- availability where appropriate
- product attributes useful for recommendations

Do not expose supplier cost, private margin, private inventory notes, customer data, or internal merchandising rules unless the merchant explicitly intends that data to be shared through the target surface.

## User and Customer Data

Merchants remain responsible for customer notices, consent, opt-outs, retention, deletion, and support obligations. Do not collect more personal data than the flow needs.

For WhatsApp commerce or messaging, comply with Meta and WhatsApp policies, template rules, opt-in requirements, opt-out handling, and local law.

## Server-Side Proxy Pattern

For browser or mobile applications:

1. The client calls the merchant backend.
2. The merchant backend authenticates the user and validates the request.
3. The backend calls Hexagon or the commerce platform with server-side credentials.
4. The backend returns only safe response data to the client.

Never call Hexagon APIs directly from the browser with private credentials.

## Logging

Logs should not include:

- API keys
- access tokens
- payment credentials
- full customer addresses unless necessary and protected
- raw webhook payloads containing sensitive data
- private product cost or margin data

Log identifiers, status codes, sync counts, and non-sensitive diagnostics instead.

## Related Docs

- [Merchant Integration Guide](https://joinhexagon.com/docs/merchant-integration.md)
- [UCP Discovery Profile](https://joinhexagon.com/docs/ucp.md)
- [WhatsApp Commerce](https://joinhexagon.com/docs/whatsapp-commerce.md)
