Docs: Credential Security

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/8584
GitOrigin-RevId: b2d088360fa6e0d440db19ba05c95ea11f566d84

docs/docs/deployment/production-checklist.mdx

@@ -40,6 +40,13 @@ graphql-engine --database-url=<database-url> serve --admin-secret=averylongpassw
 
 More details can be found at [Securing the GraphQL endpoint](/deployment/securing-graphql-endpoint.mdx).
 
+## Move secrets to environment variables
+
+It is recommended to move all secrets to environment variables. On Hasura Cloud, environment variables are stored in a
+[Hashicorp Vault](https://www.vaultproject.io/) instance as secrets which are not directly accessible to Hasura staff.
+The Hasura Engine also does not store any copies of your data, except for
+[cached query responses](/caching/overview.mdx) which have a TTL expiry.
+
 ## Verify permissions
 
 <TOCInline toc={toc} filterTOC={'verify-permissions'} />

docs/docs/policies/overview.mdx

@@ -17,5 +17,7 @@ This section contains documents and strategies which outline Hasura's operationa
 
 - [Version Support Policy](/policies/versioning.mdx)
 - [Service Level Agreement (SLA)](/policies/sla.mdx)
+- [Privacy](/policies/privacy.mdx)
 - [Security Vulnerability Protocol](/policies/security-disclosure.mdx)
 - [Telemetry](/policies/telemetry.mdx)
+

docs/docs/policies/privacy.mdx

@@ -0,0 +1,61 @@
+---
+description: Data privacy and access
+sidebar_label: Data Privacy
+sidebar_position: 2.5
+keywords:
+  - hasura
+  - service level agreement
+  - SLA
+sidebar_class_name: cloud-and-enterprise-icon
+---
+
+# Data Privacy and Access at Hasura
+
+## Overview
+
+We take privacy and security very seriously at Hasura and take all measures to protect your data. This document outlines
+the measures we take to ensure that your data is secure and private.
+
+## Environment variables
+
+On Hasura CLoud, environment variables are stored in a [Hashicorp Vault](https://www.vaultproject.io/) instance as
+secrets which are not directly accessible to Hasura staff. It is strongly recommended to keep all secrets in
+environment variables rather than string literals which will be accessible in your Hasura Metadata.
+
+## Data storage
+
+Hasura's architecture necessitates connecting to your databases in order to serve queries to your applications and
+end users. While your data passes through Hasura's systems, it remains exclusively in-memory, solely for query
+processing purposes. No data persistence occurs within Hasura's systems. The only exception is when caching is
+enabled for a query; in this case, query responses are cached within in-memory Redis instances, subject to a specified
+TTL ([refer to caching documentation](/caching/overview.mdx)).
+
+## Metadata security
+
+At Hasura, we take comprehensive measures to ensure the protection of your Metadata. Our practices are focused on
+keeping sensitive information, such as schema definitions, access control rules, and relationships, secure from
+unauthorized access and tampering. To achieve this, we employ strong encryption techniques for Metadata storage,
+both at rest and during transmission.
+
+## Log security
+
+Our logging practices are designed to maintain the highest level of security and data privacy. As part of our
+commitment, we do not log query responses in any system logs, preventing unauthorized access or data leakage.
+
+Additionally, to further safeguard your information, we do not log passwords.
+
+## SOC Type 2 Compliance
+
+We are SOC Type 2 compliant. This means that we have undergone a rigorous audit by a third party to ensure that we have
+the appropriate controls in place to protect your data. You can read more about our SOC Type 2 compliance
+[here](https://hasura.io/blog/announcement-hasura-cloud-achieves-soc2-type-2-certification/).
+
+## GDPR and HIPAA Compliance
+
+We are [GDPR](https://gdpr-info.eu/) and [HIPAA](https://www.cdc.gov/phlp/publications/topic/hipaa.html)
+compliant.
+
+## Hasura Privacy Policy
+
+Please see out [privacy policy here](https://hasura.io/legal/hasura-privacy-policy/) which details how we handle your
+data.