Do not send secrets through ordinary messages
Passwords, API keys, private keys, production database credentials, payment details, health information, and other sensitive records should not be pasted into email, chat, or a project form. We agree on an appropriate secret or file sharing method first.
Access should be narrow and attributable
Where possible, provide individual accounts with the minimum role and environment needed. Avoid shared administrator credentials. Access is reviewed when the task changes and removed when it is no longer required.
Security has shared responsibilities
We are responsible for the controls and practices inside the agreed product and delivery scope. Your organization remains responsible for governance, staff access, legal obligations, vendor agreements, and operating decisions outside that boundary. Those responsibilities are made visible during discovery.
Was this not the answer?
