Transport Encryption
- All application traffic is protected with TLS
- WebSockets use WSS for realtime communication
Encryption at Rest
- All databases use encryption at rest
Optional End‑to‑End Encryption
- Available for enterprise deployments upon request
- Not enabled by default due to operational tradeoffs (key distribution, feature compatibility)
Secrets Management & Key Rotation
- Centralized secrets management with automated rotation
- Strict access controls and audit trails
Database & Network
- Role‑based access controls for collections
- Restricted access via IP allowlists; private connectivity options available for enterprise