- Encryption at rest & in transit - Keys only in Secrets Store - Restricted data access: auth/auth - Ability to delete all data for a given user - Data access logging to external storage - Failover and recovery testing