Encryption, key management, retention, and how we handle data subject rights.
Defaults, customer overrides, and how we honour deletion requests.
TLS 1.2+ everywhere, AES-256 at rest, and managed KMS keys.