Wrap the most sensitive values in application-layer encryption using distinct keys per tenant and purpose. Use deterministic modes where safe to enable joins without exposure. Attach access decisions to fields, not just records, so sharing dashboards never leaks secrets that were never intended for that audience.
Prohibit plaintext internally and externally, even for supposedly trusted networks. Enforce TLS with modern ciphers, short certificates, and automated renewal. Layer token binding, signed requests, and replay protection so captured traffic yields nothing. Simulate link failures to validate fallbacks never downgrade security properties or silently skip validation for speed.