# Data protection

Union.ai protects customer data through a classification framework, residency guarantees, and cloud-native encryption. All customer data is encrypted both at rest and in transit.

Customer data never transits Union.ai's control plane. Every customer-data request -- bulk artifacts (via presigned URLs), structured task inputs and outputs, secret values, logs, reports, and auxiliary UI traffic -- is served directly from the data plane through the Direct-to-Data-Plane tunnel, with authentication and RBAC enforced by an Envoy router inside the customer's cluster. The control plane is not on the data path.

This section covers:

* [Data classification and residency](https://www.union.ai/docs/v2/union/security/data-protection/classification-and-residency/page.md): How data is classified, where it resides, and multi-cloud region support.
* [Secrets management](https://www.union.ai/docs/v2/union/security/data-protection/secrets/page.md): Write-only API design, backends, and secret lifecycle.
* [Logging and audit](https://www.union.ai/docs/v2/union/security/data-protection/logging-and-audit/page.md): Task logging, observability metrics, and audit trails.

## Subpages

- [Data classification and residency](https://www.union.ai/docs/v2/union/security/data-protection/classification-and-residency/page.md)
  - Data classification
  - Data residency
  - Verification
  - Data classification
  - Data residency
- [Secrets management](https://www.union.ai/docs/v2/union/security/data-protection/secrets/page.md)
  - Backends
  - Secret lifecycle
  - Verification
  - Write-only API
  - Secret lifecycle
- [Logging and audit](https://www.union.ai/docs/v2/union/security/data-protection/logging-and-audit/page.md)
  - Task logging
  - Observability metrics
  - Audit trail
  - Verification
  - Task logging
  - Audit trail

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/security/data-protection/_index.md
**HTML**: https://www.union.ai/docs/v2/union/security/data-protection/