Replace SQL Server security claims in legal docs with actual PostgreSQL capabilities

Author: tjementum

application/account/WebApp/routes/legal/cross-references.internal.md

@@ -292,14 +292,12 @@ When used generically (not as defined term), use lowercase: "your account settin
 
 **We HAVE (describe in DPA Schedule 3):**
 
-- Encryption in transit: HTTPS/TLS 1.2+ (Azure SQL Server enforced)
+- Encryption in transit: HTTPS/TLS 1.2+ (PostgreSQL Flexible Server enforced, Ssl Mode=VerifyFull)
 - Encryption at rest: Azure platform encryption
-- RBAC: Azure Active Directory authentication only (azureADOnlyAuthentication: true)
-- SQL Server auditing: 90-day retention (authentication, batch operations)
-- SQL Server vulnerability assessments: Recurring scans enabled
-- SQL Server security alerts: Enabled
-- Virtual network isolation: Subnet-based access control
-- Restricted outbound network access: Enabled on SQL Server
+- RBAC: Entra ID authentication
+- PostgreSQL audit logging: pgaudit extension with 90-day retention to diagnostic storage account (WRITE, DDL, ROLE operations)
+- Virtual network isolation: Private Endpoint with Private DNS Zone
+- Restricted outbound network access: No permanent firewall rules, temporary CI/CD access only
 - Application Insights: Monitoring and logging (may be sampled)
 - Telemetry events: Activity logging for mutations (not comprehensive audit)
 

application/account/WebApp/routes/legal/dpa.en-US.md

@@ -1,6 +1,6 @@
 # Data Processing Agreement
 
-**Effective date:** 1 Jan, 2026
+**Effective date:** 17 March, 2026
 
 ---
 
@@ -280,9 +280,9 @@ We will provide 14 days advance notice before engaging additional Sub-Processors
 
 **Database Security:**
 
-- SQL Server auditing (90-day retention)
-- SQL Server vulnerability assessments
-- SQL Server security alerts
+- Database audit logging (90-day retention)
+- Encrypted connections with certificate verification
+- Private network isolation
 
 **Monitoring and Logging:**