Security Overview
How we secure the Evaluator API and its surrounding infrastructure.
Architecture highlights
- Evaluator runs on Azure Container Apps behind Azure API Management and Azure Front Door (WAF).
- Secrets are stored in Azure Key Vault; configs are scoped to least privilege.
- Images are pulled from a private Azure Container Registry and scanned with container security tooling.
Data in transit & at rest
- All external traffic uses TLS; HTTP is redirected where applicable.
- Azure-managed encryption is used for data at rest; additional controls may apply by tier.
Access control & isolation
- Access to production is restricted to a small operational group.
- Traffic is mediated through Azure API Management with per-subscription keys and quotas.
- Staging and production environments are separated and gated by smoke tests and certifier checks.
Operational security
- Builds run through CI/CD with image scanning and golden-config drift detection.
- Observability is provided via Azure Monitor, Application Insights, and structured logs.
- Incidents are tracked through an internal runbook and, where necessary, communicated via the Status page.