Access and permissions
- Least-privilege access
- Read-only access preferred first
- Access limited to authorized employees
- Periodic review of access rights
Credential and logging practices
- Credentials do not enter the frontend
- Credentials are not committed to public repositories
- Logs do not record complete credentials
- Sensitive access is separated from public website content
Retention and incidents
- Data is deleted when no longer needed
- Potential incidents are investigated, isolated and remediated
- Access and affected systems are reviewed after an incident
- Relevant parties are notified when required
These are operating principles. They do not claim SOC 2, ISO 27001 or another third-party certification.