Security
We design around least privilege, data minimisation, traceability and clear operational boundaries. Product-specific controls and assurance information will be published as each product becomes available.
Access should be scoped to what people and systems need to perform a defined task.
Product design should avoid collecting or retaining information that is not needed for the workflow.
Important actions should be understandable after the fact, with ownership and context preserved.
Default behaviour should favour narrower access, explicit configuration and clear operational boundaries.
This page describes current design principles for the public website and developing products. Product-specific controls, assurance information and operational documentation will be published as each product becomes available.
Please report suspected security issues to [email protected]. Avoid including secrets, credentials or sensitive personal information unless it is necessary to explain the issue.