Responsibility layers
Separate responsibility for framework and application code, implementation delivery, hosting and operations, and the data controller’s obligations. Every control needs an owner, scope, review cadence, and evidence. Contracts should expose gaps between layers.
Authentication, RBAC, and isolation
Role-based access control (RBAC) should implement least privilege, separation of duties, and periodic review. Test negative cross-tenant and cross-organization cases across custom APIs, reports, jobs, webhooks, and AI tools.
Encryption and secrets
Selected-field encryption is configurable and requires the right maps, keys, and environment settings. Assess encryption in transit, key management, secret rotation, backups, logs, and administrator access. Sensitive data should not enter search indexes or logs without an explicit decision.
Software, dependencies, and operations
Require code review, dependency scanning, a controlled build process, separated environments, and governed deployment. Monitoring, backup, recovery, incident response, and updates must be tested processes rather than checklist labels.
GDPR: privacy by design and risk-appropriate security
The European Union General Data Protection Regulation (GDPR) creates obligations for controllers and processors regardless of framework choice. Teams must address purpose and lawful basis, minimization, retention, data-subject rights, contracts, transfers, risk assessment, and breach response. Technical features can support these duties; they do not automate compliance.
How to evaluate control evidence
A policy shows intent, configuration shows settings, a test shows behavior under stated conditions, and an operating record shows process execution. No single artifact replaces an effectiveness review. Every gap needs an owner, action, due date, and risk decision.
framework and application
Assign controls, owners and evidence. Feature presence does not mean effectiveness.
implementation team
Assign controls, owners and evidence. Feature presence does not mean effectiveness.
hosting and operator
Assign controls, owners and evidence. Feature presence does not mean effectiveness.
controller and organization
Assign controls, owners and evidence. Feature presence does not mean effectiveness.
Method, assumptions and limitations
Reviewed 14 July 2026. Product facts were checked against both the public code at the cited repository revision and official documentation. Where documentation and code differ, this guide describes behavior supported by code. Interpretations and recommendations concern implementation work, not product guarantees.
This material is not a quote, audit, certification, or legal, tax, or accounting advice. Edition, enabled modules, configuration, custom code, infrastructure, data, third-party providers, and operating practices affect the outcome.
Primary source collections: code repository, documentation, public releases.
Submit a correction with the public source and the date checked.