# Security Overview

> Security controls, data handling, and verification guidance.

This page summarizes the security topics customers ask about most often and where to find or request details.

## What Rollout already enforces

* **Server‑side token minting**: your Client Secret never touches the browser.
* **Signed webhooks**: verify events with `X-Rollout-Signature` (HMAC SHA256).
* **Credential scoping**: API requests are scoped to the `credentialId` you provide.

## Data handling expectations

* Rollout acts as a processor for your users’ connected accounts.
* You control which systems are connected and which credentials are active.
* You decide how data is stored and used on your side (API calls, webhooks, or Sync to DB).

## Enterprise security artifacts (available on request)

If you need any of the following for procurement or security review, contact support:

* Security questionnaire responses
* Data retention and deletion policy
* Incident response process
* Compliance documentation (e.g., SOC reports)
* DPA or custom legal terms
* Subprocessor list updates

## Recommended verification steps

* Validate webhook signatures on every request.
* Rotate credentials if you suspect exposure.
* Treat Rollout‑synced database tables as read‑only (Sync to DB).
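
The signature check recommended above, sketched as an added example (not Rollout's own code). It assumes the `X-Rollout-Signature` header carries a hex-encoded HMAC SHA256 of the raw request body keyed with a webhook secret; the secret, event name, and function names are constructed for illustration, so confirm the encoding and signing input against the webhook documentation.

```python
import hashlib
import hmac
import json


def expected_signature(raw_body: bytes, secret: bytes) -> bytes:
    """HMAC-SHA256 over the exact bytes received (assumed signing input)."""
    return hmac.new(secret, raw_body, hashlib.sha256).digest()


def verify_webhook(raw_body: bytes, headers: dict, secret: bytes) -> bool:
    """Return True only if the request carries a valid signature."""
    # Header names are case-insensitive on the wire; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    value = normalised.get("x-rollout-signature")
    if not value:
        return False  # unsigned request: reject instead of falling through
    try:
        received = bytes.fromhex(value.strip())  # assumption: hex encoding
    except ValueError:
        return False  # malformed header value
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(received, expected_signature(raw_body, secret))


# Constructed sample data; the secret and event payload are not real values.
SECRET = b"example-webhook-secret"
BODY = b'{"event": "record.updated",  "id": 42}'  # note the double space
HEADERS = {"X-Rollout-Signature": expected_signature(BODY, SECRET).hex()}


def demo() -> dict:
    # Parsing and re-serialising JSON changes the bytes, so the MAC no longer
    # matches: always verify the raw body before any framework parsing.
    reserialised = json.dumps(json.loads(BODY)).encode()
    return {
        "valid": verify_webhook(BODY, HEADERS, SECRET),
        "tampered": verify_webhook(BODY.replace(b"42", b"43"), HEADERS, SECRET),
        "reserialised": verify_webhook(reserialised, HEADERS, SECRET),
        "missing_header": verify_webhook(BODY, {}, SECRET),
        "malformed": verify_webhook(BODY, {"x-rollout-signature": "zz"}, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Run the check before the handler parses or acts on the payload, and return an error status for any request that fails it.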

## Next steps

* Read the **Security** page in this section.
* Review **Privacy Policy** and **Data Subprocessors**.
* Contact support if you need formal security documentation.
