Principles
Security, privacy, and transparency by design.
We keep principles readable and enforceable: if we can't enforce it, we don't ship it.
Fail-safe enforcement
If we can't confidently evaluate an access request, we deny by default.
Minimum necessary sharing
Return only what's allowed, and remove personal identifiers by default.
User-visible auditability
Every access attempt should be traceable in a human-readable history.
Safety
Logging rules
- Audit events must be useful without including sensitive payloads
- Debugging should not require dumping user data to logs
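The four enforceable rules above (deny when evaluation is uncertain, return only allowed fields with personal identifiers stripped, keep a human-readable trail of every attempt, and keep sensitive payloads out of that trail) fit in one small access path. The following is an added example written for this page, not code from the project: the field names in PERSONAL_IDENTIFIERS, the sample store, the policy callables and the function names (evaluate_access, minimize, fetch_record, audit_history_text) are all constructed assumptions.

```python
"""Deny-by-default access evaluation, field minimization with personal
identifiers removed, and payload-free audit events (constructed example)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json
from typing import Callable, Iterable, Optional

# Assumption: these are the personal identifiers removed by default.
PERSONAL_IDENTIFIERS = frozenset({"email", "phone", "full_name"})


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    actor: str
    resource_id: str
    decision: str            # "allow" or "deny"
    reason: str
    fields_returned: tuple   # field *names* only, never field values


AUDIT_LOG: list[AuditEvent] = []


def record_audit(actor: str, resource_id: str, decision: str, reason: str,
                 fields_returned: Iterable[str] = ()) -> AuditEvent:
    """Append one event. It references the resource by id and lists which
    field names went out, so it is useful for review without any payload."""
    event = AuditEvent(
        timestamp=datetime.now(timezone.utc).isoformat(),
        actor=actor, resource_id=resource_id, decision=decision,
        reason=reason, fields_returned=tuple(sorted(fields_returned)))
    AUDIT_LOG.append(event)
    return event


def evaluate_access(policy: Callable[[str, str], object],
                    actor: str, resource_id: str) -> tuple[bool, str]:
    """Fail-safe: only an explicit True from the policy grants access.
    An exception, None, a string, or any other value is treated as deny."""
    try:
        outcome = policy(actor, resource_id)
    except Exception as exc:  # any evaluation failure must fail closed
        return False, f"evaluation error: {type(exc).__name__}"
    if outcome is not True:
        return False, "policy did not explicitly allow"
    return True, "policy allowed"


def minimize(record: dict, allowed_fields: Iterable[str]) -> dict:
    """Keep only fields the caller may see, minus personal identifiers."""
    allowed = set(allowed_fields)
    return {k: v for k, v in record.items()
            if k in allowed and k not in PERSONAL_IDENTIFIERS}


def fetch_record(policy: Callable[[str, str], object], actor: str,
                 resource_id: str, store: dict,
                 allowed_fields: Iterable[str]) -> Optional[dict]:
    """Access path applying all of the principles; every attempt is audited."""
    allowed, reason = evaluate_access(policy, actor, resource_id)
    if not allowed:
        record_audit(actor, resource_id, "deny", reason)
        return None
    record = store.get(resource_id)
    if record is None:
        record_audit(actor, resource_id, "deny", "resource not found")
        return None
    result = minimize(record, allowed_fields)
    record_audit(actor, resource_id, "allow", reason, result.keys())
    return result


def audit_history_text() -> str:
    """Human-readable history: one JSON line per access attempt."""
    return "\n".join(json.dumps(asdict(e)) for e in AUDIT_LOG)


# Constructed sample data and policies for the demonstration.
SAMPLE_STORE = {
    "rec-1": {"id": "rec-1", "status": "active", "plan": "pro",
              "email": "person@example.test", "full_name": "Sample Person"},
}


def policy_owner_only(actor: str, resource_id: str) -> bool:
    return actor == "owner"


def policy_broken(actor: str, resource_id: str) -> bool:
    raise RuntimeError("policy service unavailable")


if __name__ == "__main__":
    wanted = {"id", "status", "email", "full_name"}
    print(fetch_record(policy_broken, "owner", "rec-1", SAMPLE_STORE, wanted))
    print(fetch_record(policy_owner_only, "owner", "rec-1", SAMPLE_STORE, wanted))
    print(audit_history_text())
```

The policy callable is deliberately treated as untrusted: a truthy string, None, or an exception all end in a deny event that names the cause, and a debugging session reads the audit lines rather than the record itself, because the lines carry only identifiers, decisions and field names.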