Customer-facing e-commerce platform: browser and mobile clients talk to an API gateway, which fans out to an auth service, an orders service backed by PostgreSQL, and an external payment provider. An internal admin portal manages catalog and refunds.
Flows where untrusted (or less-trusted) input crosses into an internal trust zone. These are the highest-priority validation points in the system: every byte that enters here must be treated as hostile until proven otherwise.
No untrusted-input boundary crossings detected. Either there are no internal zones defined, or no flows enter them from less-trusted zones.
Flow summary (auth and encryption per flow): 10 flows, every one with auth none; 6 encrypted, 4 UNENCRYPTED.
Within component API Gateway (api).
Endpoints fail to verify the caller has permission for the action.
Within component API Gateway (api).
Attacker breaks out of a sandbox to gain host privileges.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).
If the receiver in 'DMZ (public-facing)' acts on behalf of the caller, attackers compromising 'Internet' may inherit the receiver's privileges (confused-deputy).
Within component Admin Portal (webapp).
Endpoints fail to verify the caller has permission for the action.
Within component Admin Portal (webapp).
Attacker breaks out of a sandbox to gain host privileges.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).
If the receiver in 'Application tier' acts on behalf of the caller, attackers compromising 'DMZ (public-facing)' may inherit the receiver's privileges (confused-deputy).
Within component Orders DB (Postgres) (database).
SQL/NoSQL/command injection alters records or schema.
Within component Orders DB (Postgres) (database).
Endpoints fail to verify the caller has permission for the action.
Within component Orders DB (Postgres) (database).
Attacker breaks out of a sandbox to gain host privileges.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).
If the receiver in 'Data tier' acts on behalf of the caller, attackers compromising 'Application tier' may inherit the receiver's privileges (confused-deputy).
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).
If the receiver in 'Application tier' acts on behalf of the caller, attackers compromising 'DMZ (public-facing)' may inherit the receiver's privileges (confused-deputy).
Within component Web Frontend (webapp).
Endpoints fail to verify the caller has permission for the action.
Within component Web Frontend (webapp).
Attacker breaks out of a sandbox to gain host privileges.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).
If the receiver in 'DMZ (public-facing)' acts on behalf of the caller, attackers compromising 'Internet' may inherit the receiver's privileges (confused-deputy).
Within component API Gateway (api).
Attackers reuse leaked credentials to impersonate legitimate users.
Within component API Gateway (api).
Attacker steals or predicts a session token to impersonate a user.
Within component API Gateway (api).
An attacker obtains or forges an API key to act as a trusted service.
Within component API Gateway (api).
An attacker with access modifies or deletes audit trails.
Within component API Gateway (api).
PII, secrets, or tokens transmitted over unencrypted channels.
Within component API Gateway (api).
Stored PII / secrets accessible without proper authorization.
Within component API Gateway (api).
User can access another user's resources by guessing IDs.
Within component API Gateway (api).
Attacker floods expensive endpoints (e.g., search, login).
Within component API Gateway (api).
User submits extra fields (e.g., role=admin) and they bind to the model.
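Two of the API Gateway findings above (access to another user's resources by guessing IDs, and extra request fields binding to the model) handled in one orders handler. This is an added example, not the platform's own code: the caller's identity comes from the verified session, never from the request body or the URL; ownership or an admin role is checked on every object lookup; and updates go through an explicit per-role allow-list so a smuggled owner or status field is rejected instead of written. The order store, the roles and the field names are constructed for the example.

```python
# Added example, not the platform's own code. Object-level authorisation plus
# a field allow-list for an orders endpoint. ORDERS, the roles and the field
# names are constructed.
from dataclasses import dataclass

ORDERS = {   # constructed sample data, keyed by a guessable sequential ID
    "o-1001": {"owner": "alice", "status": "paid", "shipping_address": "1 Main St", "total": 42.0},
    "o-1002": {"owner": "bob", "status": "pending", "shipping_address": "2 Side St", "total": 7.5},
}
CUSTOMER_WRITABLE = {"shipping_address"}          # everything else is server-owned
ADMIN_WRITABLE = CUSTOMER_WRITABLE | {"status"}   # refunds and the like change status

@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str = "customer"   # populated from the authenticated session, not from the request

def may_access(caller, order):
    """Object-level check: owner or admin; anything else is denied."""
    return caller.role == "admin" or order["owner"] == caller.user_id

def get_order(caller, order_id):
    order = ORDERS.get(order_id)
    if order is None or not may_access(caller, order):
        return 404, None          # same answer for 'missing' and 'not yours': no ID oracle
    return 200, dict(order)

def update_order(caller, order_id, body):
    order = ORDERS.get(order_id)
    if order is None or not may_access(caller, order):
        return 404, None
    allowed = ADMIN_WRITABLE if caller.role == "admin" else CUSTOMER_WRITABLE
    rejected = sorted(set(body) - allowed)
    if rejected:                  # refuse the whole request rather than silently dropping fields
        return 400, {"error": "unknown or read-only fields", "fields": rejected}
    order.update(body)            # only allow-listed keys reach the model
    return 200, dict(order)
```

Returning 404 rather than 403 for an order the caller does not own keeps the endpoint from confirming which IDs exist; rejecting unknown fields with 400 (instead of ignoring them) makes tampering visible in logs.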
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Web Frontend → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Admin Portal → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).
Flow '' crosses trust boundary 'Internet' → 'DMZ (public-facing)'. Caller identity must be re-verified at the boundary; existing trust does not transit.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).
Data crossing the trust boundary into 'DMZ (public-facing)' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).
Information leaving 'Internet' into 'DMZ (public-facing)' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.
Within component Admin Portal (webapp).
Attackers reuse leaked credentials to impersonate legitimate users.
Within component Admin Portal (webapp).
Attacker steals or predicts a session token to impersonate a user.
Within component Admin Portal (webapp).
An attacker obtains or forges an API key to act as a trusted service.
Within component Admin Portal (webapp).
An attacker with access modifies or deletes audit trails.
Within component Admin Portal (webapp).
PII, secrets, or tokens transmitted over unencrypted channels.
Within component Admin Portal (webapp).
Stored PII / secrets accessible without proper authorization.
Within component Admin Portal (webapp).
User can access another user's resources by guessing IDs.
Within component Admin Portal (webapp).
Attacker floods expensive endpoints (e.g., search, login).
Within component Admin Portal (webapp).
User submits extra fields (e.g., role=admin) and they bind to the model.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Auth Service (service).
Data flow has no authentication mechanism declared.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).
Flow '' crosses trust boundary 'DMZ (public-facing)' → 'Application tier'. Caller identity must be re-verified at the boundary; existing trust does not transit.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).
Data crossing the trust boundary into 'Application tier' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).
Information leaving 'DMZ (public-facing)' into 'Application tier' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.
Within component Customer Browser (user).
Attackers reuse leaked credentials to impersonate legitimate users.
Within component Customer Browser (user).
Attacker steals or predicts a session token to impersonate a user.
Within component Customer Browser (user).
An attacker obtains or forges an API key to act as a trusted service.
Within component Mobile App (user).
Attackers reuse leaked credentials to impersonate legitimate users.
Within component Mobile App (user).
Attacker steals or predicts a session token to impersonate a user.
Within component Mobile App (user).
An attacker obtains or forges an API key to act as a trusted service.
Within component Orders DB (Postgres) (database).
Attacker on the network path alters request/response payloads.
Within component Orders DB (Postgres) (database).
Unauthorized changes to runtime config alter security behavior.
Within component Orders DB (Postgres) (database).
An attacker with access modifies or deletes audit trails.
Within component Orders DB (Postgres) (database).
PII, secrets, or tokens transmitted over unencrypted channels.
Within component Orders DB (Postgres) (database).
Stored PII / secrets accessible without proper authorization.
Within component Orders DB (Postgres) (database).
User can access another user's resources by guessing IDs.
Within component Orders DB (Postgres) (database).
Attacker floods expensive endpoints (e.g., search, login).
Within component Orders DB (Postgres) (database).
User submits extra fields (e.g., role=admin) and they bind to the model.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).
Data flow '' uses TCP without encryption.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).
Data flow has no authentication mechanism declared.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).
Flow '' crosses trust boundary 'Application tier' → 'Data tier'. Caller identity must be re-verified at the boundary; existing trust does not transit.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).
Data crossing the trust boundary into 'Data tier' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).
Information leaving 'Application tier' into 'Data tier' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.
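The Orders Service → Orders DB findings above (plain TCP, no authentication declared) translate on Postgres into pg_hba.conf entries of type host or hostnossl with trust, password or md5 as the method. The following is an added example, not the platform's own configuration or code: a small lint that flags such entries, run against two constructed pg_hba.conf samples, one written the way the flow is described and one hardened. The application-tier CIDR 10.20.0.0/16 and the role name orders_svc are assumptions.

```python
# Added example, not the platform's own code or configuration. Lints a
# pg_hba.conf for entries that leave the Orders DB reachable without
# authentication or over an unencrypted TCP connection. Both samples below are
# constructed; the CIDR and role name are assumptions.

KNOWN_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
                 "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in cleartext",
    "md5": "legacy MD5 exchange; replayable if captured on an unencrypted link",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "all", "samenet"}

def _method_of(fields):
    """The METHOD column is the first known auth method after TYPE/DATABASE/USER
    (the ADDRESS column may be one CIDR field or an address plus a mask)."""
    for f in fields[3:]:
        if f in KNOWN_METHODS:
            return f
    return None

def lint_pg_hba(text):
    """Return a list of (line_number, message) for entries that admit clients
    without authentication, over plain TCP, or from anywhere."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":                  # Unix socket: TYPE DATABASE USER METHOD
            method = fields[3] if len(fields) > 3 else None
            address = None
        else:                                     # TCP: TYPE DATABASE USER ADDRESS [MASK] METHOD
            method = _method_of(fields)
            address = fields[3] if len(fields) > 3 else None
        if method == "reject":
            continue                              # an explicit deny entry is fine wherever it is
        if method in WEAK_METHODS:
            findings.append((lineno, f"method '{method}': {WEAK_METHODS[method]}"))
        if conn_type in ("host", "hostnossl"):
            findings.append((lineno, f"type '{conn_type}' accepts unencrypted TCP; use hostssl"))
        if address in ANY_ADDRESS:
            findings.append((lineno, f"address '{address}' admits any client on the network"))
    return findings

# As the flow above describes it: reachable over plain TCP, weak or no authentication.
PG_HBA_AS_FOUND = """\
# TYPE   DATABASE  USER        ADDRESS         METHOD
local    all       postgres                    peer
host     orders    orders_svc  10.20.0.0/16    md5
host     all       all         0.0.0.0/0       trust
"""

# Hardened: TLS required, SCRAM authentication, the client must present a
# certificate whose CN matches the role, and non-TLS connections are refused.
PG_HBA_HARDENED = """\
# TYPE   DATABASE  USER        ADDRESS         METHOD
local    all       postgres                    peer
hostssl  orders    orders_svc  10.20.0.0/16    scram-sha-256  clientcert=verify-full
hostnossl all      all         0.0.0.0/0       reject
"""
```

The server-side policy only closes the finding together with the client side: the Orders Service should connect with sslmode=verify-full and an sslrootcert for the database CA; sslmode=require encrypts but does not authenticate the server, so an on-path attacker in the application tier could still terminate the connection.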
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).
Data flow '' uses HTTP without encryption.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).
Data flow has no authentication mechanism declared.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).
Flow '' crosses trust boundary 'DMZ (public-facing)' → 'Application tier'. Caller identity must be re-verified at the boundary; existing trust does not transit.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).
Data crossing the trust boundary into 'Application tier' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).
Information leaving 'DMZ (public-facing)' into 'Application tier' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.
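The API Gateway → Orders Service findings above (no authentication, plain HTTP, identity must be re-verified at the DMZ → Application tier boundary, confused-deputy risk) come down to one mistake: the service believing a forwarded header. The following added example, not the platform's own code, shows the Orders Service re-establishing the caller's identity from an assertion the gateway signs, next to the header-trusting version it replaces. Assumptions: a shared secret GATEWAY_KEY provisioned out of band, an orders:read scope, and the constructed ORDERS table. In production the same shape is delivered as mTLS plus a signed token (JWT or PASETO) over TLS; HMAC-SHA256 is used here so the example runs offline with the standard library.

```python
# Added example, not the platform's own code. Re-verifying caller identity at
# the DMZ -> Application tier boundary. GATEWAY_KEY, the scope name and ORDERS
# are assumptions/constructed data.
import hashlib
import hmac
import json
import time
from typing import Optional

GATEWAY_KEY = b"constructed-shared-secret-for-the-example"   # assumption
ASSERTION_TTL = 60   # seconds; a captured assertion stops working quickly

ORDERS = {   # constructed
    "o-1": {"owner": "alice", "total": 42.0},
    "o-2": {"owner": "bob", "total": 7.5},
}

def _now(now: Optional[float]) -> int:
    return int(time.time() if now is None else now)

def gateway_make_assertion(user_id, scopes, now=None, key=GATEWAY_KEY):
    """Gateway side: attached to the forwarded request after the end user
    has been authenticated. Canonical JSON so the signature is reproducible."""
    issued = _now(now)
    claims = {"sub": user_id, "scp": sorted(scopes), "iat": issued, "exp": issued + ASSERTION_TTL}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def service_verify_assertion(token, now=None, key=GATEWAY_KEY):
    """Orders Service side: the verified claims, or None on any failure
    (malformed, bad signature, expired)."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= _now(now):
        return None
    return claims

def get_order_trusting_header(headers, order_id):
    """Confused-deputy version: the service believes whatever X-User-Id says,
    so anyone who can reach it (or sit on the plain-HTTP path) is any user."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != headers.get("X-User-Id"):
        return 404, None
    return 200, order

def get_order_verifying_assertion(headers, order_id, now=None):
    """Hardened version: identity and scope come only from the signed assertion."""
    claims = service_verify_assertion(headers.get("X-Caller-Assertion", ""), now=now)
    if claims is None or "orders:read" not in claims.get("scp", []):
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims["sub"]:
        return 404, None
    return 200, order
```

Two things the signature alone does not fix: on the unencrypted link an on-path attacker can replay a captured assertion until it expires, which is why the flow still needs TLS (ideally mTLS, so the service also knows the assertion came from the gateway and not from another host in the DMZ); and the gateway must strip any X-Caller-Assertion header arriving from the Internet before adding its own.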
On the data flow Orders Service → Payment Provider (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Payment Provider (external).
Data flow has no authentication mechanism declared.
Within component Web Frontend (webapp).
Attackers reuse leaked credentials to impersonate legitimate users.
Within component Web Frontend (webapp).
Attacker steals or predicts a session token to impersonate a user.
Within component Web Frontend (webapp).
An attacker obtains or forges an API key to act as a trusted service.
Within component Web Frontend (webapp).
An attacker with access modifies or deletes audit trails.
Within component Web Frontend (webapp).
PII, secrets, or tokens transmitted over unencrypted channels.
Within component Web Frontend (webapp).
Stored PII / secrets accessible without proper authorization.
Within component Web Frontend (webapp).
User can access another user's resources by guessing IDs.
Within component Web Frontend (webapp).
Attacker floods expensive endpoints (e.g., search, login).
Within component Web Frontend (webapp).
User submits extra fields (e.g., role=admin) and they bind to the model.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Web Frontend (webapp).
Data flow has no authentication mechanism declared.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).
Flow '' crosses trust boundary 'Internet' → 'DMZ (public-facing)'. Caller identity must be re-verified at the boundary; existing trust does not transit.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).
Data crossing the trust boundary into 'DMZ (public-facing)' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).
Information leaving 'Internet' into 'DMZ (public-facing)' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.
Within component API Gateway (api).
Critical user actions cannot be reliably attributed after the fact.
Within component API Gateway (api).
Error responses leak implementation details to attackers.
Within component API Gateway (api).
Large payloads or unbounded loops exhaust CPU/memory.
Within component API Gateway (api).
Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).
Within component Admin Portal (webapp).
Critical user actions cannot be reliably attributed after the fact.
Within component Admin Portal (webapp).
Error responses leak implementation details to attackers.
Within component Admin Portal (webapp).
Large payloads or unbounded loops exhaust CPU/memory.
Within component Admin Portal (webapp).
Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).
Within component Orders DB (Postgres) (database).
Critical user actions cannot be reliably attributed after the fact.
Within component Orders DB (Postgres) (database).
Error responses leak implementation details to attackers.
Within component Orders DB (Postgres) (database).
Large payloads or unbounded loops exhaust CPU/memory.
Within component Orders DB (Postgres) (database).
Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).
Within component Web Frontend (webapp).
Critical user actions cannot be reliably attributed after the fact.
Within component Web Frontend (webapp).
Error responses leak implementation details to attackers.
Within component Web Frontend (webapp).
Large payloads or unbounded loops exhaust CPU/memory.
Within component Web Frontend (webapp).
Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).
Within component API Gateway (api).
Admin endpoints accessible to low-privilege users.
Within component API Gateway (api).
PII or passwords stored without encryption.
Within component API Gateway (api).
Attacker manipulates SQL queries.
Within component API Gateway (api).
User input passed to OS shell.
Within component API Gateway (api).
Admin password left at factory default.
Within component API Gateway (api).
Admin accounts authenticated by password only.
Within component API Gateway (api).
Attacker makes server fetch internal metadata endpoints.
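For the finding above (the server fetching internal metadata endpoints), the check a practitioner wants sits in front of every outbound fetch the gateway or a service makes with a user-influenced URL. The following is an added example, not the platform's own code: it rejects non-http(s) schemes and embedded credentials, resolves the host, and refuses any address that is loopback, link-local (169.254.169.254 is where cloud metadata services answer), private, shared address space, multicast or reserved. The resolver is injectable so the check runs offline; the DNS table used for that is constructed.

```python
# Added example, not the platform's own code. Outbound URL validation against
# SSRF to internal/metadata addresses. CONSTRUCTED_DNS is a made-up table so
# the check runs offline.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges ipaddress does not flag but that are never a legitimate fetch target here.
EXTRA_DENY = [ipaddress.ip_network("100.64.0.0/10")]   # RFC 6598 shared address space

def resolve_with_system_dns(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped           # ::ffff:169.254.169.254 is still the metadata IP
    if (addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified):
        return False
    return not any(addr in net for net in EXTRA_DENY if net.version == addr.version)

def validate_outbound_url(url, resolve=resolve_with_system_dns):
    """Return (ok, reason, addresses). Run it again for every redirect target,
    and connect to one of the returned addresses rather than re-resolving the
    name, otherwise a DNS-rebinding host can pass the check and then flip."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        ipaddress.ip_address(host)
        addresses = [host]                # literal IP: nothing to resolve
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, f"cannot resolve {host}", []
    if not addresses:
        return False, f"cannot resolve {host}", []
    for ip in addresses:                  # every record must be public, not just the first
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}", []
    return True, "ok", addresses

# Constructed DNS table for running the check offline; these are not real hosts.
# (ipaddress treats the RFC 5737 documentation ranges as private, so the
# 'public' entries use an ordinary public address instead.)
CONSTRUCTED_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "mixed.example": ["8.8.8.8", "10.0.0.5"],   # one public record does not make the host safe
    "v6.internal": ["fd00::1"],
}

def resolve_from_table(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError("NXDOMAIN")
    return CONSTRUCTED_DNS[host]
```

An allow-list of destination hosts (the payment provider, known partner APIs) is the stronger control where the set of legitimate targets is known; the deny-list check above is the floor for cases where the user may legitimately supply arbitrary public URLs.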
Within component Admin Portal (webapp).
Admin endpoints accessible to low-privilege users.
Within component Admin Portal (webapp).
PII or passwords stored without encryption.
Within component Admin Portal (webapp).
Attacker manipulates SQL queries.
Within component Admin Portal (webapp).
User input passed to OS shell.
Within component Admin Portal (webapp).
Admin password left at factory default.
Within component Admin Portal (webapp).
Admin accounts authenticated by password only.
Within component Admin Portal (webapp).
Attacker makes server fetch internal metadata endpoints.
Within component Orders DB (Postgres) (database).
PII or passwords stored without encryption.
Within component Orders DB (Postgres) (database).
Attacker manipulates SQL queries.
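The Orders DB finding above, made concrete: the same order lookup written by splicing input into the statement text and written with bound parameters, run against a constructed attacker value. This is an added example, not the platform's own code. The standard-library sqlite3 module stands in for the Postgres driver so it runs offline; with psycopg the safe form has the same shape, with %s placeholders instead of ? (cur.execute("... WHERE customer = %s AND id = %s", (customer, order_id))). The table and rows are constructed.

```python
# Added example, not the platform's own code. SQL injection in an orders
# lookup next to the parameterised form. sqlite3 stands in for Postgres; the
# schema, rows and INJECTION value are constructed.
import sqlite3

def make_orders_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("o-1", "alice", 42.0),
        ("o-2", "bob", 7.5),
        ("o-3", "bob", 99.0),
    ])
    return conn

def find_order_vulnerable(conn, customer, order_id):
    # The input becomes part of the SQL text, so a quote in order_id rewrites
    # the WHERE clause and the customer restriction no longer binds.
    sql = (f"SELECT id, customer, total FROM orders "
           f"WHERE customer = '{customer}' AND id = '{order_id}'")
    return conn.execute(sql).fetchall()

def find_order_safe(conn, customer, order_id):
    # Bound parameters never enter the statement text; whatever the caller
    # sends can only ever be compared as a value.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ? AND id = ?"
    return conn.execute(sql, (customer, order_id)).fetchall()

INJECTION = "x' OR '1'='1"   # constructed attacker input for the order_id field
```

The adjacent "user input passed to OS shell" finding has the same fix shape: pass an argument list to subprocess.run without shell=True rather than formatting a command string, so the input is an argument and never parsed by a shell.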
Within component Orders DB (Postgres) (database).
User input passed to OS shell.
Within component Orders DB (Postgres) (database).
Admin password left at factory default.
Within component Web Frontend (webapp).
Admin endpoints accessible to low-privilege users.
Within component Web Frontend (webapp).
PII or passwords stored without encryption.
Within component Web Frontend (webapp).
Attacker manipulates SQL queries.
Within component Web Frontend (webapp).
User input passed to OS shell.
Within component Web Frontend (webapp).
Admin password left at factory default.
Within component Web Frontend (webapp).
Admin accounts authenticated by password only.
Within component Web Frontend (webapp).
Attacker makes server fetch internal metadata endpoints.
Within component API Gateway (api).
User accesses other users' data by modifying IDs.
Within component API Gateway (api).
Passwords transmitted over HTTP.
Within component API Gateway (api).
Brute-force and credential stuffing possible.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Web Frontend → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Admin Portal → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
Within component Admin Portal (webapp).
User accesses other users' data by modifying IDs.
Within component Admin Portal (webapp).
Passwords transmitted over HTTP.
Within component Admin Portal (webapp).
Brute-force and credential stuffing possible.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Auth Service (service).
Data flow has no authentication mechanism declared.
Within component Orders DB (Postgres) (database).
Database credentials and query traffic transmitted over an unencrypted connection (the Orders Service → Orders DB flow is plain TCP).
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).
Data flow '' uses TCP without encryption.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).
Data flow has no authentication mechanism declared.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).
Data flow '' uses HTTP without encryption.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).
Data flow has no authentication mechanism declared.
On the data flow Orders Service → Payment Provider (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Payment Provider (external).
Data flow has no authentication mechanism declared.
Within component Web Frontend (webapp).
User accesses other users' data by modifying IDs.
Within component Web Frontend (webapp).
Passwords transmitted over HTTP.
Within component Web Frontend (webapp).
Brute-force and credential stuffing possible.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Web Frontend (webapp).
Data flow has no authentication mechanism declared.
Within component API Gateway (api).
CSP, X-Frame-Options, HSTS absent.
Within component Admin Portal (webapp).
CSP, X-Frame-Options, HSTS absent.
Within component Orders DB (Postgres) (database).
CSP, X-Frame-Options, HSTS absent (browser response headers; a component that speaks only the Postgres wire protocol never emits them, so for the database this finding is likely tool noise).
Within component Web Frontend (webapp).
CSP, X-Frame-Options, HSTS absent.
Within component API Gateway (api).
PII shared with analytics/ad SDKs without consent.
Within component API Gateway (api).
Missing DSAR handling, retention policies, or data residency controls.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Web Frontend → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Admin Portal → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).
Data flow has no authentication mechanism declared.
On the data flow Mobile App → API Gateway (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).
Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).
Within component Admin Portal (webapp).
PII shared with analytics/ad SDKs without consent.
Within component Admin Portal (webapp).
Missing DSAR handling, retention policies, or data residency controls.
Within component Auth Service (service).
Missing DSAR handling, retention policies, or data residency controls.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Auth Service (service).
Data flow has no authentication mechanism declared.
On the data flow API Gateway → Auth Service (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).
Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).
Within component Customer Browser (user).
Missing DSAR handling, retention policies, or data residency controls.
Within component Mobile App (user).
Missing DSAR handling, retention policies, or data residency controls.
Within component Orders DB (Postgres) (database).
Quasi-identifiers (zip, DOB, gender) re-identify users in 'anonymous' exports.
Within component Orders DB (Postgres) (database).
PII shared with analytics/ad SDKs without consent.
Within component Orders DB (Postgres) (database).
Missing DSAR handling, retention policies, or data residency controls.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).
Data flow '' uses TCP without encryption.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).
Data flow has no authentication mechanism declared.
On the data flow Orders Service → Orders DB (Postgres) (label: none, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).
Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).
Within component Orders Service (service).
Missing DSAR handling, retention policies, or data residency controls.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).
Data flow '' uses HTTP without encryption.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).
Data flow has no authentication mechanism declared.
On the data flow API Gateway → Orders Service (label: none, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).
Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).
Within component Payment Provider (external).
Missing DSAR handling, retention policies, or data residency controls.
On the data flow Orders Service → Payment Provider (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Payment Provider (external).
Data flow has no authentication mechanism declared.
Within component Web Frontend (webapp).
PII shared with analytics/ad SDKs without consent.
Within component Web Frontend (webapp).
Missing DSAR handling, retention policies, or data residency controls.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Web Frontend (webapp).
Data flow has no authentication mechanism declared.
On the data flow Customer Browser → Web Frontend (label: none, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).
Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).
Within component API Gateway (api).
Identifiers (emails, device IDs) let separate datasets be joined to profile a user.
Within component API Gateway (api).
Login / signup / password reset reveal whether an account exists.
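The finding above (login, signup and password reset revealing whether an account exists) and the earlier "brute-force and credential stuffing possible" finding on the same component share one login path in the following added example, which is not the platform's own code. The handler does the same password-hashing work and returns the same message whether or not the username exists, and throttles a username after repeated failures without letting the throttle itself become an existence oracle. The user record, the lockout parameters and the PBKDF2 cost are constructed; a real deployment would use Argon2id or scrypt and pair this with per-source rate limiting so the per-account lockout cannot be used to lock customers out.

```python
# Added example, not the platform's own code. Enumeration-resistant login
# with per-account throttling. USERS, the lockout numbers and the PBKDF2
# cost are constructed for the example.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 50_000          # deliberately low so the example runs quickly
MAX_FAILURES = 5
LOCK_SECONDS = 300
GENERIC_FAILURE = "Invalid username or password."

def hash_password(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

USERS = {"alice": hash_password("correct horse battery staple")}   # constructed
# A dummy record hashed against when the username is unknown, so the response
# time does not depend on whether the account exists.
_DUMMY = hash_password(secrets.token_hex(16))
FAILURES = {}   # username -> (consecutive failures, locked_until)

def login(username, password, now):
    """Return (ok, message). 'now' is injected so the lockout window is testable."""
    count, locked_until = FAILURES.get(username, (0, 0))
    if now < locked_until:
        return False, GENERIC_FAILURE        # a lockout must not confirm the account exists either
    salt, stored = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if username in USERS and hmac.compare_digest(candidate, stored):
        FAILURES.pop(username, None)
        return True, "ok"
    count += 1
    FAILURES[username] = (count, now + LOCK_SECONDS if count >= MAX_FAILURES else 0)
    return False, GENERIC_FAILURE
```

Password reset gets the same treatment: the response is "if that address is registered, a link has been sent" regardless of whether it is, with the lookup and any queued mail work done in both cases. Signup is the hard case, since a duplicate address must be refused somehow; sending the "already registered" notice by e-mail instead of in the HTTP response keeps the web endpoint from answering the question.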
Within component API Gateway (api).
System collects more PII than needed for its purpose.
Within component API Gateway (api).
Users don't know what data is collected or for what purpose.
Within component Admin Portal (webapp).
Identifiers (emails, device IDs) let separate datasets be joined to profile a user.
Within component Admin Portal (webapp).
Login / signup / password reset reveal whether an account exists.
Within component Admin Portal (webapp).
System collects more PII than needed for its purpose.
Within component Admin Portal (webapp).
Users don't know what data is collected or for what purpose.
Within component Orders DB (Postgres) (database).
Identifiers (emails, device IDs) let separate datasets be joined to profile a user.
Within component Orders DB (Postgres) (database).
System collects more PII than needed for its purpose.
Within component Web Frontend (webapp).
Identifiers (emails, device IDs) let separate datasets be joined to profile a user.
Within component Web Frontend (webapp).
Login / signup / password reset reveal whether an account exists.
Within component Web Frontend (webapp).
System collects more PII than needed for its purpose.
Within component Web Frontend (webapp).
Users don't know what data is collected or for what purpose.
Within component API Gateway (api).
User cannot deny a sensitive action even when they should have plausible deniability.
Within component Admin Portal (webapp).
User cannot deny a sensitive action even when they should have plausible deniability.
Within component Web Frontend (webapp).
User cannot deny a sensitive action even when they should have plausible deniability.