Data handling follows the architecture in project documentation: PostgreSQL for operational data, S3 for files with collection-level access, and Office 365 for transactional email. Production secrets are not stored in CMS records.