Transport & encryption
Production endpoints are served over HTTPS (TLS). Sensitive credentials are never stored in client-side code. Integration secrets belong in server-side configuration or your vault.
A practical summary for IT, risk, and procurement reviewers. Exact controls vary by deployment model—this page is the baseline we discuss during discovery.
We design backup windows, retention, and restore tests with your team based on RPO/RTO targets. Multi-AZ or single-region setups map to your budget and regulatory context.
Role-based access, least-privilege service accounts, and audit trails for high-risk actions (e.g. write-offs, refunds, role changes) are part of standard implementations.
For EU/UK data subjects or processors, we align contracts with lawful basis, data minimization, a subprocessor list, cross-border transfer mechanisms where needed, and deletion/export procedures. Your counsel reviews the final DPA.
Your action
Prepare a one-page list: data categories you store, countries of users, who is controller vs processor, and any sector rules (central bank, HIPAA-style, etc.). We attach that to the security appendix in proposals.
© 2026 Softecki