Security & Compliance

Effective: October 2025 · Last updated: October 2025

We protect creator data with layered security, clear governance, and global compliance. Below is a transparent overview of our controls and commitments.

Encryption

  • In transit: TLS 1.2+ for all client–server traffic; HSTS enforced.
  • At rest: AES-256 or provider-managed equivalents for databases, object storage, and backups.
  • Key management: Managed KMS with role-scoped access and rotation policies.

Access Controls

  • Least-privilege RBAC for staff and services.
  • MFA enforced on administrative systems.
  • SSO support for enterprise customers (on request).
  • Audit logging on sensitive operations.

Application Security

  • Secure SDLC with code review and CI checks.
  • Dependency scanning and container image scanning.
  • Environment segregation for dev/stage/prod.
  • Rate limiting, input validation, and abuse monitoring.

Vulnerability Management

  • Monthly vulnerability scans; critical issues prioritized.
  • Annual penetration testing by an independent firm.
  • Patch management with defined SLAs by severity.

Incident Response

  • Documented runbooks and 24/7 on-call rotation.
  • Customer notification without undue delay if required by law.
  • Post-incident reviews and corrective actions.

Business Continuity

  • Automated backups with integrity checks.
  • Regional redundancy for critical services.
  • Periodic restore testing against defined RPO/RTO targets.

Data Governance

  • Retention: Kept only as long as needed for Services or as required by law.
  • Deletion: Account deletion triggers scheduled data removal from active systems and backups (within standard retention windows).
  • Exports: