Kivicare Telemed Addon
Zoom Marketplace Readiness

Zoom Marketplace Technical Design Guide

This document provides the specific data and justifications required to fill out the Technical Design section during your Zoom App Marketplace submission.


๐Ÿ› ๏ธ Technology Stack

Section Description: Describe in detail all of the technology, libraries and APIs used by the application.

The KiviCare Telemedicine Addon is built as a WordPress plugin. Its technology stack includes:

  • Backend Core: PHP 8.1+ (running within the WordPress ecosystem).
  • APIs: Zoom Meeting API v2 (REST) for meeting lifecycle management.
  • Authentication: OAuth 2.0 (User-managed) and Server-to-Server OAuth.
  • Data Persistence: MySQL (via WordPress wpdb).
  • Communication: GuzzleHttp / WordPress WP_Http for secure API requests.
  • Frontend Layer: React.js (KiviCare Dashboard) for high-interaction user interfaces.

๐Ÿ“ Architecture Diagram

Section Description: Provide an architectural diagram with additional flow diagrams.

(Visual Recommendation: Use the “Architecture Diagram Description” provided in the previous section or the prompt generated for Figma to create this image.)

System Components:

  1. WordPress Plugin Layer: Orchestrates the logic between KiviCare appointments and Zoom API.
  2. Mapping Service: A dedicated table, wp_kc_appointment_zoom_mappings, that links local KiviCare appointment IDs to Zoom universal IDs.
  3. Authentication Handler: Manages the OAuth handshake and token persistence (rotating Access/Refresh tokens).

๐Ÿ›ก๏ธ Application Development

1. Secure Software Development Process (SSDLC)

  • Response: Yes.
  • Evidence Detail: We follow the official WordPress Secure Coding Standards. This includes using nonces for CSRF protection, permission_callback for REST API authorization, and wp_unslash() / sanitize_text_field() for all data inputs.

2. SAST and DAST Testing

  • Response: Yes.
  • Evidence Detail:
    • SAST: We use PHPStan (Level 5+) and PHP_CodeSniffer (WordPress-Extra ruleset) for static analysis.
    • DAST: Our internal QA team performs manual vulnerability testing using tools like Burp Suite to ensure session isolation between different medical providers.

3. 3rd Party Penetration Testing

  • Response: Yes (Commercial/Pro versions).
  • Evidence Detail: The KiviCare core ecosystem is periodically audited by security researchers to ensure compliance with enterprise-grade medical application standards.

๐Ÿ” Security Standards & HIPAA Readiness

Anonymous-join Policy Justification

  • Justification: As a telemedicine application handling Protected Health Information (PHI), we must be exempted from the anonymous-join policy to comply with HIPAA and GDPR regulations. Allowing anonymous participants to join medical consultations poses a critical “Zoom-bombing” risk. By enforcing the Waiting Room and authenticated joining via unique KiviCare links, we ensure that only the verified Patient and Doctor can enter the digital examination room.

TLS 1.2+ Support

  • Response: Yes.
  • Detail: Our plugin forces WP_Http to use TLS 1.2 or higher for all network traffic between the clinic server and Zoom.

📊 Data Collection & Protection “At Rest”

Do you collect/store Zoom user data?

  • Response: Yes.
  • Data Types: OAuth Access/Refresh Tokens, Zoom User ID, and Zoom Meeting IDs.

Protection “At Rest”

  • Details:
    1. Encrypted Database: Sensitive credentials (tokens) are stored as encrypted user meta within the WordPress MySQL database.
    2. Database Hardening: We recommend that site owners implement database-level encryption (e.g., MariaDB TDE) and a custom table prefix to make the data harder to locate.
    3. Lifecycle Management: Tokens are automatically purged from the database immediately upon the user selecting “Disconnect” in the dashboard.
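
The controls listed under Application Development and Protection “At Rest” (permission_callback authorization, sanitize_text_field input handling, encrypted token meta, and purging on “Disconnect”) can look like the following in a WordPress plugin. This is an added example, not the KiviCare addon's own code; the kc_zoom_* function names, the kc-zoom/v1 REST namespace, the kc_zoom_token meta key, the 'read' capability, and deriving the encryption key from the AUTH_KEY salt are all assumptions.

```php
<?php
// Added illustration (not the KiviCare plugin's code). Assumed: kc_zoom_* names,
// the 'kc-zoom/v1' namespace, the 'kc_zoom_token' meta key, and AUTH_KEY
// (the wp-config.php salt) as key material; a dedicated key is preferable.

// Derive a 32-byte secretbox key from the site's AUTH_KEY salt.
function kc_zoom_key(): string {
    return sodium_crypto_generichash( AUTH_KEY, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES );
}

// Encrypt the access/refresh token set before it is written to wp_usermeta.
// Stored layout: base64( nonce || ciphertext ).
function kc_zoom_store_tokens( int $user_id, array $tokens ): void {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( wp_json_encode( $tokens ), $nonce, kc_zoom_key() );
    update_user_meta( $user_id, 'kc_zoom_token', base64_encode( $nonce . $box ) );
}

// Decrypt the stored token set; returns null if absent, tampered, or wrong key.
function kc_zoom_read_tokens( int $user_id ): ?array {
    $raw = base64_decode( (string) get_user_meta( $user_id, 'kc_zoom_token', true ), true );
    if ( false === $raw || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ), $nonce, kc_zoom_key() );
    return false === $plain ? null : json_decode( $plain, true );
}

// REST "disconnect" route. permission_callback enforces authorization; for
// cookie-authenticated callers WordPress checks the X-WP-Nonce header first.
add_action( 'rest_api_init', function () {
    register_rest_route( 'kc-zoom/v1', '/disconnect', [
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'read' ); // assumed capability
        },
        'args'                => [
            // Optional free-text field, sanitized before the callback sees it.
            'reason' => [ 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ],
        ],
        'callback'            => function ( WP_REST_Request $req ) {
            $user_id = get_current_user_id();
            delete_user_meta( $user_id, 'kc_zoom_token' ); // purge tokens immediately
            return rest_ensure_response( [ 'disconnected' => true, 'reason' => $req->get_param( 'reason' ) ] );
        },
    ] );
} );
```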
