Processes

Security Reviews

Security review expectations for new systems and changes.

Purpose

Identify and mitigate security risks early.

When required

New services or external integrations
Significant data flows or auth changes
High-risk dependency updates

Requirements

PRs must pass security checks (including CodeQL) before merge.
Secrets must live in Secret Manager with least-privilege access.

Procedure

Prepare a data flow and threat model for the change.
Review with the relevant service owner or engineering leadership.
Track mitigations and follow-ups in Linear.

Last updated on

Access Management

How access is requested, granted, and reviewed.

Vendor onboarding

How we onboard new partners and integrations.

On this page