Encryption, key management, retention, and how we handle data subject rights.
TLS 1.2+ everywhere, AES-256 at rest, and managed KMS keys.
Defaults, customer overrides, and how we honour deletion requests.