> ## Documentation Index
> Fetch the complete documentation index at: https://developers.callaro.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview

> Review security controls across identity, key governance, data protection, incident response, and operational assurance.

# Security controls are layered across identity, data, and operations.

## Identity and access controls

* Separate auth mechanisms for JWT, tenant API keys, partner API keys, and runtime server keys.
* Scope-based API key authorization with explicit route-family permissions.
* Tenant-aware authorization boundaries with optional tenant-context header where supported.
* Least-privilege key issuance and periodic scope reviews recommended for all customers.

## Data protection controls

* TLS in transit for API and webhook communication.
* Access-controlled storage and retrieval for call artifacts.
* Environment isolation model for sandbox versus production data handling.
* Configurable data lifecycle controls via retention and export workflows.

## Operational security controls

* Request IDs and structured logs for incident triage.
* Retry-safe webhook patterns and dedupe guidance to reduce side-effect risks.
* Controlled rollout guidance for production campaign activation.
* Key rotation and revocation support through API key management endpoints.

## Incident handling and support flow

<Steps>
  <Step title="Detect">
    Monitor auth failures, webhook processing anomalies, and runtime error rates.
  </Step>

  <Step title="Contain">
    Revoke affected keys, isolate impacted tenant workflows, and pause automated actions when needed.
  </Step>

  <Step title="Recover">
    Replay events safely from logs/exports and validate data consistency across downstream systems.
  </Step>

  <Step title="Review">
    Document root cause, corrective actions, and any policy updates required for recurrence prevention.
  </Step>
</Steps>

<Note>
  Enterprise customers can request security and architecture review artifacts through the standard support and security review process.
</Note>

## What to do next

* Review [`./data-processing`](./data-processing) for retention and residency governance.
* Review [`./compliance`](./compliance) when preparing procurement or security review.
* Review [`./responsible-disclosure`](./responsible-disclosure) for private issue reporting workflow.
