spec_type: security
name: Security Specifications
version: "1.0"
encryption:
  at_rest:
    algorithm: AES-256-GCM
    key_management: AWS KMS
  in_transit:
    protocol: TLS 1.3
    certificate_authority: Let's Encrypt
data_protection:
  pii_fields:
    - email
    - phone
    - address
    - payment_info
  retention_policy:
    active_data: 3 years
    deleted_data: 30 days
  anonymization:
    enabled: true
    method: k-anonymity
compliance:
  standards:
    - name: GDPR
      regions: [EU]
      requirements:
        - Right to be forgotten
        - Data portability
        - Consent management
    - name: PCI-DSS
      level: 1
      requirements:
        - Secure cardholder data
        - Access control
        - Network monitoring
threat_model:
  threats:
    - name: SQL Injection
      mitigation: Parameterized queries
      severity: high
    - name: XSS
      mitigation: Output encoding, CSP headers
      severity: high
    - name: CSRF
      mitigation: CSRF tokens
      severity: medium