{"id":1870,"date":"2026-01-20T12:39:50","date_gmt":"2026-01-20T12:39:50","guid":{"rendered":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/?p=1870"},"modified":"2026-04-01T11:04:52","modified_gmt":"2026-04-01T11:04:52","slug":"zoom-marketplace-technical-design-guide","status":"publish","type":"post","link":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/kivicare-telemed-addon\/documentation\/zoom-marketplace-readiness\/zoom-marketplace-technical-design-guide\/","title":{"rendered":"Zoom Marketplace Technical Design Guide"},"content":{"rendered":"<div class=\"nolwrap\">\n<p>This document provides the specific data and justifications required to fill out the <strong>Technical Design<\/strong> section during your Zoom App Marketplace submission.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee0\ufe0f Technology Stack<\/h2>\n\n\n\n<p><strong>Section Description:<\/strong> <em>Describe in detail all of the technology, libraries and APIs used by the application.<\/em><\/p>\n\n\n\n<p>The KiviCare Telemedicine Addon is built as a WordPress plugin. 
Its technology stack includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Backend Core:<\/strong> PHP 8.1+ (running within the WordPress ecosystem).<\/li>\n\n\n\n<li><strong>APIs:<\/strong> Zoom Meeting API v2 (REST) for meeting lifecycle management.<\/li>\n\n\n\n<li><strong>Authentication:<\/strong> OAuth 2.0 (User-managed) and Server-to-Server OAuth.<\/li>\n\n\n\n<li><strong>Data Persistence:<\/strong> MySQL (via WordPress <code>wpdb<\/code>).<\/li>\n\n\n\n<li><strong>Communication:<\/strong> GuzzleHttp \/ WordPress <code>WP_Http<\/code> for secure API requests.<\/li>\n\n\n\n<li><strong>Frontend Layer:<\/strong> React.js (KiviCare Dashboard) for high-interaction user interfaces.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcd0 Architecture Diagram<\/h2>\n\n\n\n<p><strong>Section Description:<\/strong> <em>Provide an architectural diagram with additional flow diagrams.<\/em><\/p>\n\n\n\n<p><strong>System Components:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>WordPress Plugin Layer:<\/strong> Orchestrates the logic between KiviCare appointments and the Zoom API.<\/li>\n\n\n\n<li><strong>Mapping Service:<\/strong> A dedicated table <code>wp_kc_appointment_zoom_mappings<\/code> that links local KiviCare appointment IDs to the Zoom meeting IDs created for them.<\/li>\n\n\n\n<li><strong>Authentication Handler:<\/strong> Manages the OAuth handshake and token persistence (rotating Access\/Refresh tokens).<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee1\ufe0f Application Development<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Secure Software Development Process (SSDLC)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response:<\/strong> <strong>Yes<\/strong>.<\/li>\n\n\n\n<li><strong>Evidence Detail:<\/strong> We follow the official <a href=\"https:\/\/developer.wordpress.org\/plugins\/security\/\" target=\"_blank\" rel=\"noopener\">WordPress Secure Coding Standards<\/a>. This includes utilizing Nonces for CSRF protection, <code>permission_callback<\/code> for REST API authorization, and <code>wp_unslash()<\/code> \/ <code>sanitize_text_field()<\/code> for all data inputs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2. SAST and DAST Testing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response:<\/strong> <strong>Yes<\/strong>.<\/li>\n\n\n\n<li><strong>Evidence Detail:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>SAST:<\/strong> We use <strong>PHPStan<\/strong> (Level 5+) and <strong>PHP_CodeSniffer<\/strong> (WordPress-Extra ruleset) for static analysis.<\/li>\n\n\n\n<li><strong>DAST:<\/strong> Our internal QA team performs manual vulnerability testing using tools like Burp Suite to ensure session isolation between different medical providers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
3rd Party Penetration Testing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response:<\/strong> <strong>Yes<\/strong> (Commercial\/Pro versions).<\/li>\n\n\n\n<li><strong>Evidence Detail:<\/strong> The KiviCare core ecosystem is periodically audited by security researchers to ensure compliance with enterprise-grade medical application standards.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd10 Security Standards<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Anonymous-join Policy Justification<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Justification:<\/strong> As a telemedicine application handling Protected Health Information (PHI), we must be exempted from the anonymous-join policy to comply with <strong>GDPR regulations<\/strong>. Allowing anonymous participants to join medical consultations poses a critical &#8220;Zoom-bombing&#8221; risk. By enforcing the Waiting Room and authenticated joining via unique KiviCare links, we ensure that only the verified Patient and Doctor can enter the digital examination room.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">TLS 1.2+ Support<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response:<\/strong> <strong>Yes<\/strong>.<\/li>\n\n\n\n<li><strong>Detail:<\/strong> Our plugin forces <code>WP_Http<\/code> to use TLS 1.2 or higher for all network traffic between the clinic server and Zoom.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcca Data Collection &amp; Protection &#8220;At Rest&#8221;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Do you collect\/store Zoom user data?<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response:<\/strong> <strong>Yes<\/strong>.<\/li>\n\n\n\n<li><strong>Data Types:<\/strong> OAuth Access\/Refresh Tokens, Zoom User ID, and Zoom Meeting IDs.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Protection &#8220;At Rest&#8221;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Details:<\/strong>\n<ol class=\"wp-block-list\">\n<li><strong>Application-level Encryption:<\/strong> Sensitive credentials (OAuth access and refresh tokens) are encrypted by the plugin before being stored as user meta within the WordPress MySQL database.<\/li>\n\n\n\n<li><strong>Database Hardening:<\/strong> We recommend that site operators additionally enable database-level encryption (e.g., MariaDB TDE) and use a non-default table prefix. Note that a custom prefix only obscures table names; it is not a security control and does not replace encryption or restricted database access.<\/li>\n\n\n\n<li><strong>Lifecycle Management:<\/strong> Tokens are automatically purged from the database immediately upon the user selecting &#8220;Disconnect&#8221; in the dashboard.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>This document provides the specific data and justifications required to fill out the Technical Design section during your Zoom App Marketplace submission. \ud83d\udee0\ufe0f Technology Stack Section Description: Describe in detail all of the technology, libraries and APIs used by the application. The KiviCare Telemedicine Addon is built as a WordPress plugin. 
Its technology stack includes: [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":0,"parent":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[],"class_list":["post-1870","post","type-post","status-publish","format-standard","hentry","category-zoom-marketplace-readiness"],"featured_image_src":null,"author_info":{"display_name":"wordpressadminiq","author_link":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/author\/wordpressadminiq\/"},"_links":{"self":[{"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/posts\/1870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/comments?post=1870"}],"version-history":[{"count":8,"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/posts\/1870\/revisions"}],"predecessor-version":[{"id":3133,"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/posts\/1870\/revisions\/3133"}],"wp:attachment":[{"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/media?parent=1870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/categories?post=1870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/documentation.iqonic.design\/kivicare-wordpress\/wp-json\/wp\/v2\/tags?post=1870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
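Added example, not part of the page above and not KiviCare's own code: the controls the page lists under "Secure Software Development Process" (nonce-backed REST authentication, `permission_callback` authorization, `wp_unslash()` / `sanitize_text_field()` on inputs) and "TLS 1.2+ Support" (forcing `WP_Http` to TLS 1.2 or higher), applied to one REST endpoint that creates a Zoom meeting for an appointment and records it in the mapping table. The route namespace, the `edit_kc_appointments` capability, the mapping table's column names and the `kcz_example_token_for()` stand-in for the plugin's own token lookup are assumptions.

```php
<?php
// Added example, not KiviCare's own code. Assumptions: the route namespace,
// the 'edit_kc_appointments' capability, the mapping table's column names, and
// kcz_example_token_for(), a stand-in for the plugin's real token lookup.

// 1. Transport: require TLS 1.2+ on WP_Http's cURL transport for Zoom traffic.
//    http_api_curl passes the cURL handle by reference; sslverify stays true.
add_action('http_api_curl', function ($handle, $parsed_args, $url) {
    if (str_starts_with($url, 'https://api.zoom.us/')) {
        curl_setopt($handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    }
}, 10, 3);

// 2. Route: authorization in permission_callback, sanitization in args.
//    Cookie-authenticated callers must also send X-WP-Nonce
//    (wp_create_nonce('wp_rest')); WordPress rejects the request otherwise.
add_action('rest_api_init', function () {
    register_rest_route('kivicare-zoom/v1', '/appointments/(?P<id>\d+)/meeting', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'kcz_example_create_meeting',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can('edit_kc_appointments');
        },
        'args' => [
            'id' => [
                'required'          => true,
                'validate_callback' => fn($v) => is_numeric($v) && (int) $v > 0,
                'sanitize_callback' => 'absint',
            ],
            'topic' => [
                'default'           => 'Telemedicine consultation',
                'sanitize_callback' => fn($v) => sanitize_text_field(wp_unslash($v)),
            ],
        ],
    ]);
});

// Assumed stand-in: returns the doctor's Zoom access token, or null if not connected.
function kcz_example_token_for(int $user_id): ?string {
    $token = get_user_meta($user_id, 'kcz_zoom_access_token', true);
    return (is_string($token) && $token !== '') ? $token : null;
}

function kcz_example_create_meeting(WP_REST_Request $request) {
    global $wpdb;
    $appointment_id = $request->get_param('id');      // absint() already applied
    $topic          = $request->get_param('topic');   // already sanitized
    $token          = kcz_example_token_for(get_current_user_id());
    if ($token === null) {
        return new WP_Error('kcz_not_connected', 'Zoom account not connected.', ['status' => 409]);
    }

    // 3. Zoom Meeting API v2: POST /users/me/meetings. Waiting room on and
    //    join_before_host off, so nobody enters the room before the doctor.
    $response = wp_remote_post('https://api.zoom.us/v2/users/me/meetings', [
        'timeout' => 15,
        'headers' => [
            'Authorization' => 'Bearer ' . $token,
            'Content-Type'  => 'application/json',
        ],
        'body' => wp_json_encode([
            'topic'    => $topic,
            'type'     => 2,   // scheduled meeting
            'settings' => ['waiting_room' => true, 'join_before_host' => false],
        ]),
    ]);
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 201) {
        return new WP_Error('kcz_zoom_failed', 'Zoom API request failed.', ['status' => 502]);
    }
    $meeting = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($meeting) || empty($meeting['id']) || empty($meeting['join_url'])) {
        return new WP_Error('kcz_zoom_bad_response', 'Unexpected Zoom response.', ['status' => 502]);
    }

    // 4. Persist the appointment -> meeting mapping with wpdb's format-safe insert.
    $wpdb->insert(
        $wpdb->prefix . 'kc_appointment_zoom_mappings',
        [
            'appointment_id'  => $appointment_id,
            'zoom_meeting_id' => (string) $meeting['id'],
            'join_url'        => esc_url_raw($meeting['join_url']),
        ],
        ['%d', '%s', '%s']
    );

    // start_url carries the host's credential; only the join link leaves the server.
    return new WP_REST_Response(
        ['meeting_id' => (string) $meeting['id'], 'join_url' => $meeting['join_url']],
        201
    );
}
```

Two points worth checking in a real deployment: `http_api_curl` only fires for the cURL transport, so a host that falls back to the PHP streams transport needs the same minimum version enforced there, and the `permission_callback` should also confirm that the appointment belongs to the calling doctor, since `current_user_can()` alone only checks the role, not ownership of the specific record.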
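Added example, not part of the page above and not KiviCare's own code, for the "Protection At Rest" section: OAuth access and refresh tokens are sealed with libsodium's XChaCha20-Poly1305 secretbox before they are written as user meta, opened on read, and purged the moment the user selects "Disconnect". It assumes `KCZ_TOKEN_KEY` (64 hex characters) and `KCZ_ZOOM_CLIENT_ID` / `KCZ_ZOOM_CLIENT_SECRET` are defined in `wp-config.php`, i.e. outside the database, and that the meta key names are as shown.

```php
<?php
// Added example, not KiviCare's own code. Assumptions: KCZ_TOKEN_KEY,
// KCZ_ZOOM_CLIENT_ID and KCZ_ZOOM_CLIENT_SECRET live in wp-config.php, and the
// kcz_zoom_* meta key names. Keeping the key out of the database means a raw
// DB dump alone does not yield usable tokens.

function kcz_example_key(): string {
    if (!defined('KCZ_TOKEN_KEY') || strlen(KCZ_TOKEN_KEY) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('KCZ_TOKEN_KEY must be 64 hex chars, e.g. sodium_bin2hex(random_bytes(32))');
    }
    return sodium_hex2bin(KCZ_TOKEN_KEY);
}

// Layout: nonce (24 bytes) || ciphertext+tag, base64 so it stores as meta text.
// A fresh random nonce per seal keeps identical tokens from producing identical rows.
function kcz_example_seal(string $plaintext): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, kcz_example_key()));
}

function kcz_example_open(string $sealed): ?string {
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $plain = sodium_crypto_secretbox_open(
        substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES),
        substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES),
        kcz_example_key()
    );
    return $plain === false ? null : $plain;   // false: wrong key or tampered row
}

// Called with the decoded JSON from Zoom's /oauth/token response.
function kcz_example_store_tokens(int $user_id, array $token_response): void {
    update_user_meta($user_id, 'kcz_zoom_access_token',  kcz_example_seal($token_response['access_token']));
    update_user_meta($user_id, 'kcz_zoom_refresh_token', kcz_example_seal($token_response['refresh_token']));
    update_user_meta($user_id, 'kcz_zoom_token_expires', time() + (int) $token_response['expires_in']);
}

// Returns a usable access token, or null when absent or within 60 s of expiry
// (the caller then refreshes with the refresh token and stores the new pair).
function kcz_example_access_token(int $user_id): ?string {
    $sealed = get_user_meta($user_id, 'kcz_zoom_access_token', true);
    if (!is_string($sealed) || $sealed === '') {
        return null;
    }
    if ((int) get_user_meta($user_id, 'kcz_zoom_token_expires', true) <= time() + 60) {
        return null;
    }
    return kcz_example_open($sealed);
}

// "Disconnect": revoke at Zoom first (per Zoom's OAuth docs, revoking the access
// token also invalidates its refresh token), then delete every local copy
// immediately, whether or not the revoke call succeeded.
function kcz_example_disconnect(int $user_id): void {
    $sealed = get_user_meta($user_id, 'kcz_zoom_access_token', true);
    $access = is_string($sealed) ? kcz_example_open($sealed) : null;
    if ($access !== null) {
        wp_remote_post('https://zoom.us/oauth/revoke', [
            'timeout' => 10,
            'headers' => ['Authorization' => 'Basic ' . base64_encode(KCZ_ZOOM_CLIENT_ID . ':' . KCZ_ZOOM_CLIENT_SECRET)],
            'body'    => ['token' => $access],
        ]);
    }
    foreach (['kcz_zoom_access_token', 'kcz_zoom_refresh_token', 'kcz_zoom_token_expires', 'kcz_zoom_user_id'] as $key) {
        delete_user_meta($user_id, $key);
    }
}
```

Generate the key once with `php -r 'echo sodium_bin2hex(random_bytes(32));'` and define it in `wp-config.php` with the same care as the site's salts; if the key is ever rotated, every stored token must be re-sealed (or the doctors reconnected), because `kcz_example_open()` will return null for rows sealed under the old key.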