Question about the Built for NetSuite certification. Is it possible to get it if the suiteapp includes external suitelets? Noting that this goes against the SAFE guidelines, would NetSuite ever make exceptions?

I understand it's possible. It would be a Hybrid solution. https://www.netsuite.com/portal/developers/built-for-netsuite/three-bfn-badge-types.shtml

Thanks Gustavo. To clarify I'm talking about the SuiteApp including Suitelets with the deployment set as "Available without Login".

Do you use it for HTTP requests such as GET or POST?

We are the customer in this case, I can't say for certain what they are used for but I suspect in the majority of the cases they are used as "libraries" to call from other parts of the solution.

Last time I went through BFN process, NS told Suitelet Avaialble without login won’t be acceptable… we had to create a way to authenticate HTTP request or rebuild if it’s an “internal” call.. it could be used to bypass governance too and it’s risky on data security

Who is the suiteapp @michoel?

@Tristan Day I'm still hoping to salvage the relationship with the vendor so I'd rather not name them publically at this stage. It's isnt one of the better known SuiteApps. They do have a listing on the SuiteApp website with a BFN badge, but I'm struggling to understand how given the apparent non-conformance with SAFE guidelines

It's possible to increase security on suitelets. For instance, they could add a header named Authorization and require an API key.

Yep, but they haven't done so.