Responsibility layers

Separate responsibility for framework and application code, implementation delivery, hosting and operations, and the data controller’s obligations. Every control needs an owner, scope, review cadence, and evidence. Contracts should expose gaps between layers.

Authentication, RBAC, and isolation

Role-based access control (RBAC) should implement least privilege, separation of duties, and periodic review. Test negative cross-tenant and cross-organization cases across custom APIs, reports, jobs, webhooks, and AI tools.

Encryption and secrets

Selected-field encryption is configurable and requires the right maps, keys, and environment settings. Assess encryption in transit, key management, secret rotation, backups, logs, and administrator access. Sensitive data should not enter search indexes or logs without an explicit decision.

Software, dependencies, and operations

Require code review, dependency scanning, a controlled build process, separated environments, and governed deployment. Monitoring, backup, recovery, incident response, and updates must be tested processes rather than checklist labels.

GDPR: privacy by design and risk-appropriate security

The European Union General Data Protection Regulation (GDPR) creates obligations for controllers and processors regardless of framework choice. Teams must address purpose and lawful basis, minimization, retention, data-subject rights, contracts, transfers, risk assessment, and breach response. Technical features can support these duties; they do not automate compliance.

Evidence for this section:

How to evaluate control evidence

A policy shows intent, configuration shows settings, a test shows behavior under stated conditions, and an operating record shows process execution. No single artifact replaces an effectiveness review. Every gap needs an owner, action, due date, and risk decision.

framework and application

Assign controls, owners and evidence. Feature presence does not mean effectiveness.

implementation team

Assign controls, owners and evidence. Feature presence does not mean effectiveness.

hosting and operator

Assign controls, owners and evidence. Feature presence does not mean effectiveness.

controller and organization

Assign controls, owners and evidence. Feature presence does not mean effectiveness.

Method, assumptions and limitations

Reviewed 14 July 2026. Product facts were checked against both the public code at the cited repository revision and official documentation. Where documentation and code differ, this guide describes behavior supported by code. Interpretations and recommendations concern implementation work, not product guarantees.

This material is not a quote, audit, certification, or legal, tax, or accounting advice. Edition, enabled modules, configuration, custom code, infrastructure, data, third-party providers, and operating practices affect the outcome.

Submit a correction with the public source and the date checked.