Security Overview

<section>
  <h2>Secrets and Credentials</h2>
  <ul>
    <li>Secrets are managed with encrypted workflows (SOPS + age) and Kubernetes Secrets for runtime delivery.</li>
    <li>Plaintext credentials are not committed to source control.</li>
    <li>Secret rotation is supported through operational tooling and scheduled synchronization jobs.</li>
  </ul>
</section>

<section>
  <h2>Access Controls</h2>
  <ul>
    <li>Administrative and internal service access is restricted by role and deployment context.</li>
    <li>Authentication and authorization controls are enforced in application services and API layers.</li>
    <li>Internal operational documentation is access-controlled and not publicly exposed.</li>
  </ul>
</section>

<section>
  <h2>Network and Platform Protections</h2>
  <ul>
    <li>TLS is used for public edge traffic and service communication where applicable.</li>
    <li>Encryption in transit is enforced for public-facing traffic; encryption-at-rest controls are provided by managed infrastructure layers.</li>
    <li>Kubernetes manifests and infrastructure mappings are version-controlled for auditable change history.</li>
    <li>Deployment workflows separate image build and deployment actions to reduce accidental release risk.</li>
  </ul>
</section>

<section>
  <h2>Vulnerability and Operational Maintenance</h2>
  <ul>
    <li>Security and operational issues are handled through runbooks, checklists, and incident documentation.</li>
    <li>Dependency and infrastructure updates are performed regularly to reduce known vulnerability exposure.</li>
    <li>Infrastructure and service updates are performed through controlled deployment workflows.</li>
    <li>Customer-specific security questionnaires can be supported as part of vendor onboarding.</li>
  </ul>
</section>