Security
What this section is
This is the security design of Skapp — how the system is built to protect the data it holds and the people it serves. It sits in architecture because it describes how the system works under the hood, not how an individual developer writes a line of code.
Keep the split in mind: writing secure code (input validation, safe defaults, avoiding common bugs) lives in engineering; the system's security design and threat model lives here. When the two meet — a developer building a new feature that touches personal data — the engineering how-to links back to the design pages here so the reasoning stays in one place.
What's here now
- Data protection — how Skapp meets GDPR's integrity-and-confidentiality obligations, what we encrypt, and how we got there.
What's coming
This folder will grow to cover the rest of the security design as we write it down — for example denial-of-service protection, rate limiting, secrets management, and the access-control model. Each gets its own subfolder or page under security/, with the decisions behind it captured as ADRs.
What's NOT here
- Secure-coding practice for feature work → engineering/.
- Incident response (what to do when something goes wrong in production) → operations/.