You must protect personal identifiable, sensitive and medical information of the user.
The general guidelines include that:
- No sensitive or medical data must be logged or appear in error messages or stack traces.
- Caching is disabled for sensitive or medical data.
- Data in transit is protected using industry standards (TLS).