MonkeyMachine — SECURITY TOMs SUMMARY

Encryption in transit (TLS 1.3 + HSTS), at rest (disk/snapshots/R2 SSE), selective field encryption (pgcrypto).

Access control: least privilege, staff MFA, separated roles.

RLS multi‑tenant isolation, centralized logging, SAST/DAST, vulnerability management (critical ≤72h).

Backups/DR (RPO ≤24h; RTO ≤8h), WAF/rate‑limiting, incident response (≤72h notice).

Annual external pen‑test, quarterly internal reviews, device policy (full‑disk encryption, auto‑lock, VPN/SSO).