====================
Security and Privacy
====================

The platform handles **Tier-1 sensitive personal data** (vulnerability status, migration history) and interacts with multiple external stakeholders. The Security and Privacy Plan (reference ``IOM-CMR-2025-REINT``) ensures the confidentiality, integrity, and availability (CIA) of beneficiary data.

Content Classification
======================

All indexed content is tagged with a security classification that governs how it is processed and exposed:

.. list-table::
   :header-rows: 1
   :widths: 15 85

   * - Class
     - Meaning
   * - :green:`GREEN`
     - Public / non-sensitive content. May be freely indexed and surfaced.
   * - :yellow:`YELLOW`
     - Internal content requiring controlled access.
   * - :red:`RED`
     - Sensitive content subject to strict handling and access restrictions.

Privacy by Design
=================

The plan implements privacy-by-design principles:

* **Informed consent (UC06)** — beneficiaries manage explicit consents; consent is recorded in the ``consent_records`` table.
* **Data minimization and purpose limitation** — only data necessary for recommendation and reintegration workflows is collected and retained.
* **Pseudonymization in AI processing** — identifying fields are minimized before profiles are sent to the generative model.

Identity and Access Management
==============================

Access is governed by a role/permission model (``roles``, ``permissions``, ``role_permissions``, ``user_roles``, ``user_permissions``) supporting the ``permission_action_enum`` actions (``CREATE``, ``READ``, ``UPDATE``, ``DELETE``, ``PUBLISH``, ``APPROVE``, ``REVIEW``, ``EXPORT``, ``IMPORT``, ``MANAGE``).

On the clients, tokens are stored securely (``expo-secure-store`` on mobile) and session lifecycle is enforced (session expiry handling, ``session_logs``, ``login_history``).
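As an added illustration (not the project's own schema or migrations), the following PostgreSQL sketch lays out the five tables named above around ``permission_action_enum`` and shows how an authorization check resolves a user's effective permissions from role grants and direct grants; the column names, the ``resource`` column and the seed values are assumptions.

```sql
-- Added example, not the project's schema: column names and seed data are assumed.
CREATE TYPE permission_action_enum AS ENUM (
  'CREATE', 'READ', 'UPDATE', 'DELETE', 'PUBLISH',
  'APPROVE', 'REVIEW', 'EXPORT', 'IMPORT', 'MANAGE');

CREATE TABLE roles       (id serial PRIMARY KEY, name text NOT NULL UNIQUE);
CREATE TABLE permissions (id       serial PRIMARY KEY,
                          resource text NOT NULL,          -- protected object (assumed column)
                          action   permission_action_enum NOT NULL,
                          UNIQUE (resource, action));
CREATE TABLE role_permissions (role_id       int REFERENCES roles(id)       ON DELETE CASCADE,
                               permission_id int REFERENCES permissions(id) ON DELETE CASCADE,
                               PRIMARY KEY (role_id, permission_id));
CREATE TABLE user_roles       (user_id int NOT NULL,
                               role_id int REFERENCES roles(id) ON DELETE CASCADE,
                               PRIMARY KEY (user_id, role_id));
-- Direct per-user grants, for the rare case where one user needs a single extra action.
CREATE TABLE user_permissions (user_id       int NOT NULL,
                               permission_id int REFERENCES permissions(id) ON DELETE CASCADE,
                               PRIMARY KEY (user_id, permission_id));

-- Constructed seed: a 'case_worker' role may READ and UPDATE beneficiary profiles;
-- user 42 holds that role and additionally a direct EXPORT grant.
INSERT INTO roles (name) VALUES ('case_worker');
INSERT INTO permissions (resource, action) VALUES
  ('beneficiary_profile', 'READ'),   ('beneficiary_profile', 'UPDATE'),
  ('beneficiary_profile', 'EXPORT'), ('beneficiary_profile', 'DELETE');
INSERT INTO role_permissions
  SELECT r.id, p.id FROM roles r, permissions p
  WHERE r.name = 'case_worker' AND p.action IN ('READ', 'UPDATE');
INSERT INTO user_roles VALUES (42, (SELECT id FROM roles WHERE name = 'case_worker'));
INSERT INTO user_permissions VALUES
  (42, (SELECT id FROM permissions WHERE resource = 'beneficiary_profile' AND action = 'EXPORT'));

-- Authorization check: may the user perform this action on this resource,
-- either through one of their roles or through a direct grant?
PREPARE user_can (int, text, permission_action_enum) AS
SELECT EXISTS (
  SELECT 1 FROM permissions p
  WHERE p.resource = $2 AND p.action = $3
    AND (p.id IN (SELECT rp.permission_id
                  FROM user_roles ur JOIN role_permissions rp USING (role_id)
                  WHERE ur.user_id = $1)
      OR p.id IN (SELECT up.permission_id FROM user_permissions up WHERE up.user_id = $1)));

EXECUTE user_can(42, 'beneficiary_profile', 'READ');    -- held through the role
EXECUTE user_can(42, 'beneficiary_profile', 'EXPORT');  -- held through the direct grant
EXECUTE user_can(42, 'beneficiary_profile', 'DELETE');  -- held by neither
```

Keeping the check in one query, with the role and direct paths combined, means a revoked role membership or a dropped ``user_permissions`` row takes effect immediately without touching application code.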
Application and AI Security
===========================

* **Secure partner integration** — external redirection to partner sites is tracked through the application lifecycle (see :doc:`architecture`, Figure 6), and partner accounts are scoped by role.
* **AI engine security** — prompts are constructed from minimized profile data; API keys (OpenRouter) are held in environment secrets and rotated.
* **Transport security** — PostgreSQL connections support ``require`` SSL mode for traffic over untrusted networks (see :doc:`configuration`).

Deployment Model
================

The reference architecture targets AWS (region ``af-south-1``, Cape Town), with Cloudflare providing CDN, DNS, DDoS protection, and SSL/TLS.

The Security and Privacy Plan additionally documents a **self-hosted deployment on ST Digital (Cameroon)**, including an infrastructure translation from the AWS reference design and the specific security controls required for that environment.

Monitoring and Incident Response
================================

* **Real-time monitoring** of the infrastructure (see the deployment diagram, :doc:`deployment`) and recording of ``security_events`` and ``audit_logs``.
* **Breach notification** procedures defined in the plan.
* A **compliance roadmap** justifying the architectural decisions and listing the compliance deliverables.