For complex architectural setups, the required documentation includes:

**Core Documentation:**
- **Architecture Diagrams**: Show data touch points, information flows, authentication, authorizations, and security controls.
- **Services and Artifacts**: List all components like web/mobile solutions, web services, APIs, and SDKs.
- **Solution Documentation**: Provide detailed user documentation for the solution.

**Security Documentation:**
- **Security Scan Reports**: Include scan reports, such as Checkmarx or DAST results, with explanations for any false positives.
- **Information Security Policies**: Share the company's security policies.
- **Certifications**: Include relevant certifications (e.g., HIPAA, PCI DSS, SOC 2, ISO 27001) or audit summaries.
- **Security-Assurance Activities**: Document SDLC methodology, vulnerability management, remediation SLAs, supplier security programs, security training, and breach response procedures.

**Third-Party Integration Requirements:**
- **Third-Party Libraries**: Provide an inventory of libraries and their versions used in the solution.
- **Third-Party Certifications**: Include certifications or security reports from third-party connectors, such as penetration test reports.
- **Third-Party Suppliers**: List suppliers sharing customer data.
- **Authentication Details**: Include URLs and login credentials for external components requiring authentication.

**Data and Infrastructure:**
- **Sensitive Data**: List any sensitive data processed or stored (e.g., payment, personal, health data).
- **Data Storage**: Disclose storage locations and providers (e.g., AWS, Azure, GCP).
- **Support Contacts**: Provide contact details for support and security incident reporting.

**Managed Package Requirements:**
- **Managed Package**: Submit a managed package installed in a Developer Edition org for review.

Have all of these materials ready before submission to avoid delays in the review process and to ensure compliance with enterprise security standards.