
# Security and compliance

> Review the mandatory security and compliance baseline — OWASP ASVS, CIS, secret management, audits, and LGPD — every Lerian plugin must meet.

**Security is not optional; it's a baseline.**

Every plugin in the Lerian ecosystem must be designed with security, compliance, and regulatory obligations in mind. These requirements protect end-users, maintain trust, and ensure interoperability across environments.

This section covers mandatory standards for secure development, audits, data protection, and regulatory alignment.

<Danger>
  Plugins that fail to meet these security and compliance standards will not be approved for publication in the Lerian Marketplace.
</Danger>

## Security by design

***

All plugins must comply with:

* **OWASP ASVS Level 3**
* **CIS Benchmarks** for container, K8s, and OS hardening
* Integration with secret managers like **Vault** or **AWS Secrets Manager**

## Pentests and security audits

***

A **pentest is mandatory** before publication and **must** be repeated at least **every 6–12 months** or whenever major changes are introduced.

<Tip>
  Don't have a provider? We can recommend trusted security partners.
</Tip>

## Data protection and LGPD

***

All plugins must fully comply with the **LGPD** and equivalent data protection laws.

* Personal data must be **encrypted at rest and in transit**.
* **No exceptions are allowed.**

## Regulatory compliance

***

Your plugin must follow all applicable regulations, including:

* BACEN circulars
* Other relevant governing bodies
