MonkeyMachine — SECURITY TOMs SUMMARY
1. ENCRYPTION
Encryption in transit (TLS 1.3 + HSTS), at rest (disk/snapshots/R2 SSE), selective field encryption (pgcrypto).
2. ACCESS CONTROL
Access control: least privilege, staff MFA, separated roles.
API credentials protection (per Meta Platform Conditions §6.a.iv): All third‑party API tokens, app secrets, and access keys (including Meta/WhatsApp System User Tokens, App Secrets, and Business Integration Tokens) are stored encrypted at rest (SOPS + age), never committed to source control, rotated whenever compromise is suspected, and accessible only to authorized services on a need‑to‑know basis.
3. ISOLATION & LOGGING
Row‑Level Security (RLS) for multi‑tenant isolation, centralized logging, SAST/DAST, vulnerability management (critical findings remediated within ≤72h).
4. BACKUP & RECOVERY
Backups and disaster recovery (RPO ≤24h; RTO ≤8h), WAF and rate‑limiting, incident response (notification within ≤72h).
5. TESTING & POLICIES
Annual external pen‑test, quarterly internal reviews, device policy (full‑disk encryption, auto‑lock, VPN/SSO).