# Application Security

> Encore Cloud makes strong security the default path


## Built on industry experience

The security practices in Encore Cloud are built on our team's decades of experience designing and operating sensitive systems at companies like Google, Spotify, and Monzo.

## Security by default

Encore Cloud is designed to make security effortless rather than burdensome:

- **Zero-config security**: Focus on building features while Encore Cloud automatically implements security best practices
- **Built-in secrets management**: Safely handle sensitive data using the built-in [secrets management system](/docs/ts/primitives/secrets)
- **Automated IAM management**: Encore Cloud automatically manages IAM policies based on the principle of least privilege

## Security features

When Encore Cloud deploys your application and infrastructure, it takes care of implementing security best practices:

- **Strong encryption**: All communication uses mutual TLS 1.3
- **Secure databases**: Database connections are encrypted with certificate validation and use strong credentials
- **Isolated database credentials**: Each database instance has unique credentials, and each container connecting to a database uses its own credential. Credentials can be [rotated via the dashboard](/docs/platform/infrastructure/manage-db-users).
- **Cloud security**: Automatic provisioning with security best practices specific to each cloud provider
  - Learn more about [Google Cloud Platform (GCP)](/docs/platform/infrastructure/gcp)
  - Learn more about [Amazon Web Services (AWS)](/docs/platform/infrastructure/aws)
- **Infrastructure safety**: Deletion protection, admin-only environment management, and full audit trails for infrastructure changes. Learn more in [Managing Infrastructure](/docs/platform/infrastructure/managing-infrastructure).
