# Security Overview
Socotra is committed to providing a secure platform for modern insurance operations.
Our security model is built to protect sensitive policyholder data, support enterprise governance, and align with industry best practices — all without compromising flexibility for development, configuration, and integration.

This section of the documentation provides a comprehensive look at the security architecture, features, and tools available to product owners, developers, and administrators across the platform.

## Who Should Read This

This documentation is relevant to:

* Security and compliance teams
* Developers and system integrators
* IT administrators and tenant operators
* Product owners and data governance leads

## Core Principles

We approach security with the following principles in mind:

* **Least Privilege by Default** - Users should only be assigned permissions that are strictly necessary to complete their work.
* **Auditable and Transparent** - Every significant system action is logged and traceable.
* **Configurable and Enforceable** - Security controls are flexible enough to meet tenant-specific needs while maintaining baseline protections.
* **Defense in Depth** - Multiple layers of controls, from authentication and encryption to data masking and anonymization.

## Topics Covered

This section includes detailed documentation on the following topics:

* [Authentication and Identity](/features/security/authentication) - Overview of supported authentication methods, including native login, SSO, and Personal Access Tokens.

* [Role-Based Access Control (RBAC)](/features/security/roles-and-permissions) - Tenant-specific roles and permissions to control access across UI, API, and data layers.

* [Comprehensive Permissions Listing](/features/security/permissions-listing) - A complete overview of all available permissions in the Socotra Insurance Suite.

* [Personal Access Tokens](/features/security/personal-access-tokens) - A secure alternative to password-based authentication for software integrations, scripts, and AI agents.

* [Data Access Controls](/features/security/data-access-controls) - Field-level and entity-level restrictions for visibility and editability of sensitive data, including examples and configuration.

* [Data Masking](/features/security/data-masking) - Mechanisms to ensure sensitive fields are redacted or hidden in API responses and the UI based on user role or data classification.

* [Data Anonymization](/features/security/data-anonymization) - Anonymization features for analytics, testing, and compliance with GDPR or CCPA data handling requirements.

* [Audit Logging](/features/security/audit-logging) - Full visibility into changes made by users and automated processes for traceability and governance.

* [Secure Deployment](/features/security/secure-deployment) - Guidance and tooling to ensure secure deployment of code and infrastructure across environments.

* [Encryption](/features/security/encryption) - Overview of encryption at rest and in transit, including encryption protocols and secrets management.

* [Password Policies](/features/security/password-policies) - Configurable password policies, mandatory password policies, and best practices for password management.

* [Security Standards and Regulations](/features/security/regulations) - Security standards, certifications, and regulatory requirements that support your security obligations.

* [PCI Compliance Position Statement](/features/security/pci-compliance-statement) - Socotra's position on PCI Compliance.

## Next Steps

Start with [Authentication and Identity](/features/security/authentication), or skip directly to the areas most relevant to your team.

For any security-related support or inquiries, reach out to your Socotra representative or email [security@socotra.com](mailto:security@socotra.com).

If you haven't already done so, make sure you're able to [log into Socotra](/getting-started/log-into-socotra) and [set up Postman](/getting-started/set-up-postman-to-use-the-socotra-api) to use the Socotra API.
