Encryption in transit for supported services and interfaces.
Access controls and least-privilege principles for platform administration.
Credential protection and secure API practices, including signed webhooks where supported.
Operational monitoring and incident-response procedures.
Data minimisation and retention controls where applicable.
Supplier and integration review before launch.
Support for customer-side controls such as strong authentication and key management.