Compliance & Security

API endpoints are rate-limited and protected with authenticated workspace checks.
Content Security Policy and anti-clickjacking headers are enforced.
Receipt access is controlled by membership and short-lived signed links.
Operational logs and errors can be monitored through Sentry integrations.