Encryption TLS in transit; encryption at rest via StorageService and external KMS where configured. Avoid plaintext secrets.