
Data Security Guidelines · DS

Overview

This document outlines standards for handling data securely across environments, with a focus on protecting sensitive information and ensuring safe practices during development and testing.

Applications must use Mailtrap for emails in test environments · DS-01 · MUST · DEV/TEST

Applications running in development and test environments must send all outgoing email to a Mailtrap sandbox inbox rather than to a real mail relay, so that test traffic can never reach real customers or third parties.

EXCEPTION: This requirement does not apply if the client has their own service or process in place for handling test emails.
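One way to enforce DS-01 in application code, as an added example that is not part of this guideline page: pick the SMTP settings for the current environment and refuse to start if a non-production environment is pointed at anything other than Mailtrap (or the client's agreed alternative under the exception above). The environment names, the `config` dictionary shape, and the Mailtrap sandbox hostnames are assumptions for the example; confirm the host and port on your Mailtrap inbox's settings page.

```python
"""Route outgoing email to Mailtrap in non-production environments (DS-01).

Added example, not from the guideline page. Assumes:
- the app learns its environment from a name such as dev/test/staging/prod;
- Mailtrap's sandbox SMTP host is sandbox.smtp.mailtrap.io (older accounts
  use smtp.mailtrap.io); verify against your inbox settings;
- SMTP credentials are read from the secret store, never from source (DS-03).
"""
import smtplib
from dataclasses import dataclass
from typing import Optional

MAILTRAP_HOSTS = {"sandbox.smtp.mailtrap.io", "smtp.mailtrap.io"}  # assumed hostnames
NON_PROD = {"dev", "development", "test", "testing", "qa", "staging"}


@dataclass(frozen=True)
class SmtpSettings:
    host: str
    port: int
    username: str
    password: str


class MailRoutingError(RuntimeError):
    """Raised when an environment is about to send mail through the wrong relay."""


def mail_route_ok(env: str, host: str, client_test_service: Optional[str] = None) -> bool:
    """True if `host` is an acceptable relay for `env`.

    Non-production may only talk to Mailtrap, or to `client_test_service` when
    the client provides their own test-mail sink (the DS-01 exception).
    Production must not be left pointing at a sandbox, which silently drops
    real mail.
    """
    env = env.lower()
    if env in NON_PROD:
        return host in MAILTRAP_HOSTS or (client_test_service is not None and host == client_test_service)
    return host not in MAILTRAP_HOSTS


def smtp_settings(env: str, config: dict, client_test_service: Optional[str] = None) -> SmtpSettings:
    """Build SMTP settings from `config` (host/port/username/password, loaded
    from the secret store) and fail fast if the route breaks DS-01."""
    host = config["host"]
    if not mail_route_ok(env, host, client_test_service):
        raise MailRoutingError(f"{env}: refusing to send mail via {host}; non-production must use Mailtrap (DS-01)")
    return SmtpSettings(host, int(config["port"]), config["username"], config["password"])


def open_transport(settings: SmtpSettings) -> smtplib.SMTP:
    """Open an authenticated STARTTLS session; not called offline, shown for completeness."""
    conn = smtplib.SMTP(settings.host, settings.port, timeout=10)
    conn.starttls()
    conn.login(settings.username, settings.password)
    return conn


if __name__ == "__main__":
    # Constructed config; real values come from the secret store.
    test_cfg = {"host": "sandbox.smtp.mailtrap.io", "port": "2525", "username": "u", "password": "p"}
    print(smtp_settings("test", test_cfg))
    try:
        smtp_settings("test", {**test_cfg, "host": "smtp.sendgrid.net"})
    except MailRoutingError as exc:
        print("blocked:", exc)
```

Wire `smtp_settings` into application start-up so a mis-set host fails deployment rather than leaking a batch of test notifications to real addresses.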

Data must be anonymised when moved between environments · DS-02 · MUST · DEV/TEST

Sensitive data must be anonymised before being transferred between environments (e.g., from production to development or test).

For guidance on reporting data movements, refer to the Security Infrastructure FAQs.

EXCEPTION: This requirement may be waived if the data is essential for reproducing a specific issue, provided there is a documented process in place to delete the data from the destination environment once it is no longer required.
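The anonymisation DS-02 calls for, worked through as an added example (not code from this page): a production extract is pseudonymised with a keyed hash so that identifiers stay consistent across tables (a customer still joins to their orders in the test database), fields no test needs are suppressed or generalised, and a post-check confirms none of the original values survive. The record layout, the sample rows and the orders table are constructed for the example; the HMAC key is assumed to live in the production secret store and must not travel with the extract, since whoever holds both can re-link the pseudonyms to real people.

```python
"""Anonymise a production extract before it leaves production (DS-02).

Added example, not from the guideline page. The customer/order layout and the
sample rows below are constructed. KEY stands in for a key kept in the
production secret store; it must never be copied to the destination
environment alongside the data.
"""
import hashlib
import hmac
import json

PII_FIELDS = ("name", "email", "phone", "dob", "notes")
KEY = b"example-only-key-load-the-real-one-from-the-secret-store"  # assumption for the example

SAMPLE_ROWS = [  # constructed sample, not real customer data
    {"id": 1, "name": "Alice Smith", "email": "alice@example.com", "phone": "+44 7700 900123",
     "dob": "1984-07-19", "notes": "Called about invoice 8812", "balance": 120.5},
    {"id": 2, "name": "Bob Jones", "email": "bob.jones@example.org", "phone": "+44 7700 900456",
     "dob": "1991-02-03", "notes": "Prefers post", "balance": 0.0},
]
SAMPLE_ORDERS = [  # second table that references customers by e-mail, also constructed
    {"order_id": 10, "customer_email": "Alice@Example.com", "total": 40.0},
]


def pseudonym(key: bytes, value: str, prefix: str, length: int = 12) -> str:
    """Deterministic keyed pseudonym: the same input gives the same output under
    one key, so foreign-key relationships survive; a plain hash would let
    anyone with a list of candidate e-mails reverse it, hence the HMAC."""
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:length]}"


def anonymise_row(row: dict, key: bytes) -> dict:
    out = dict(row)  # non-PII columns (id, balance) are kept so tests stay realistic
    out["name"] = pseudonym(key, row["name"], "user")
    out["email"] = pseudonym(key, row["email"], "user") + "@example.invalid"  # .invalid never resolves
    out["phone"] = "+000000000000"          # suppression: no test needs a real number
    out["dob"] = row["dob"][:4] + "-01-01"  # generalisation: keep the year, drop day and month
    out["notes"] = "[redacted]"             # free text can hold anything, so drop it entirely
    return out


def anonymise(rows, key):
    return [anonymise_row(r, key) for r in rows]


def anonymise_orders(orders, key):
    """Apply the same pseudonym to the referencing table so the join still works."""
    return [{**o, "customer_email": pseudonym(key, o["customer_email"], "user") + "@example.invalid"}
            for o in orders]


def leaked_values(original_rows, anonymised_rows):
    """Post-check before the extract is shipped: list (id, field) pairs whose
    original PII value still appears anywhere in the anonymised output."""
    blob = json.dumps(anonymised_rows).lower()
    leaks = []
    for row in original_rows:
        for field in PII_FIELDS:
            value = str(row[field]).strip().lower()
            if value and value in blob:
                leaks.append((row["id"], field))
    return leaks


if __name__ == "__main__":
    customers = anonymise(SAMPLE_ROWS, KEY)
    orders = anonymise_orders(SAMPLE_ORDERS, KEY)
    print(json.dumps(customers, indent=2))
    print(json.dumps(orders, indent=2))
    print("leaks:", leaked_values(SAMPLE_ROWS, customers))
```

Run the `leaked_values` check as a gate in the export job: if it returns anything, the extract does not leave production. Under the exception above, where real data is copied to reproduce a specific issue, the same script's output is what replaces that data once the documented deletion step runs.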

Sensitive data must be stored securely · DS-03 · MUST · DEV/TEST

Sensitive data includes credentials, API keys, connection strings and certificates. Store only in approved secret stores and encrypted services. Never commit to source control or place in plain text in config.

  • Use a managed cloud secret store for secrets, keys and certificates (e.g. Azure Key Vault or AWS Secrets Manager).
  • Store pipeline secrets in your platform’s secure secret management (e.g. Azure DevOps Variable Groups or GitHub Actions secrets). Restrict access via RBAC and least privilege. See DEVOPS-03.6.
  • For local development, store .env secrets in Keeper as a “Secure Note”. Do not share as plain text.
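A check that backs up the "never in plain text in config" rule of DS-03, as an added example (not code from this page): scan `.env` and appsettings-style lines before they are committed, flag values that look like live secrets, and let through references to a secret store or obvious placeholders. The detection rules, the placeholder syntaxes (`${...}`, `<...>` and the Azure App Service `@Microsoft.KeyVault(...)` reference) and the sample config lines are constructed for the example; tune the rules to the config formats your projects actually use.

```python
"""Flag plaintext secrets in config before they reach source control (DS-03).

Added example, not from the guideline page. Rules and sample lines are
constructed; the AWS key below is the documented placeholder
AKIAIOSFODNN7EXAMPLE, not a live credential.
"""
import re
import sys

# Each rule names what it found; a named "value" group isolates the secret so
# it can be compared against the placeholder patterns.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection_string_password", re.compile(r"(?i)(?:password|pwd)=(?P<value>[^;\s'\"]+)")),
    ("secret_assignment", re.compile(
        r"""(?ix)^\s*["']?[a-z0-9_.-]*(?:secret|token|api[_-]?key|password)["']?\s*[:=]\s*["']?(?P<value>[^"'\s#,]+)""")),
]

# Values that are references into a secret store or templates, not secrets.
PLACEHOLDER = re.compile(
    r"^(?:\$\{[^}]+\}|\$[A-Z_][A-Z0-9_]*|<[^>]+>|@Microsoft\.KeyVault\(.*\)|changeme|x{3,}|\*{3,})$",
    re.IGNORECASE,
)

SAMPLE_LINES = [  # constructed config lines, one file's worth
    "DB_PASSWORD=${KEYVAULT:db-password}",                                        # reference: allowed
    "API_KEY=sk_live_9f3a2c1d8b7e",                                                # plaintext: flagged
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",                                      # key-shaped: flagged
    '"ConnectionStrings": { "Db": "Server=db;User Id=app;Password=hunter2;" },',  # inline password: flagged
    '"StorageAccountSecret": "@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/storage/)"',
    "SMTP_PASSWORD=<from-keeper-secure-note>",                                     # placeholder: allowed
    "LOG_LEVEL=debug",                                                             # not a secret
]


def scan_lines(lines, path="config"):
    """Return (path, line_number, rule_name) for every line holding a plaintext secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("value") or match.group(0)
            if PLACEHOLDER.match(value):
                continue  # reference or template, keep looking with the other rules
            findings.append((path, lineno, name))
            break  # one finding per line is enough to block the commit
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines(), path)


if __name__ == "__main__":
    # With file arguments, behave like a pre-commit hook; otherwise run on the sample.
    results = [f for p in sys.argv[1:] for f in scan_file(p)] if sys.argv[1:] else scan_lines(SAMPLE_LINES)
    for path, lineno, rule in results:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if results else 0)
```

Hook this into the pipeline (or a pre-commit hook) alongside, not instead of, a full secret scanner: pattern rules catch the common mistakes cheaply, and the exit status blocks the commit so the secret never enters history, where removing it later means rotating it anyway.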