docs: add security and compliance with data processing flow

docs/admin/security/index.md

@@ -0,0 +1,85 @@
+---
+id: index
+title: Security & Compliance
+sidebar_label: Security & Compliance
+sidebar_position: 3
+pagination_prev: null
+pagination_next: admin/security/data-processing-storage
+---
+
+# Security & Compliance
+
+Welcome to the AI/Run CodeMie Security & Compliance documentation. This section provides comprehensive information about the platform's security architecture, data processing policies, storage mechanisms, and compliance controls.
+
+## Overview
+
+The CodeMie platform is built with security-first principles, implementing industry-standard encryption, access controls, and data isolation mechanisms. The platform supports deployment in customer-controlled cloud environments, ensuring data sovereignty and compliance with regional data protection regulations.
+
+## Key Security Features
+
+### Data Sovereignty
+
+- **Regional Isolation**: Persistent storage regions are independently configurable (PostgreSQL, Object Storage, KMS/Vault)
+- **Configurable Distribution**: Storage services can be deployed in the same region or distributed across regions based on requirements
+- **Customer-Controlled Infrastructure**: Deploy in your own cloud account with full control over data location
+
+### Encryption
+
+- **Data at Rest**: AES-256 encryption using KMS/Vault
+- **Data in Transit**: TLS 1.2+ for all external communications
+- **Secrets Management**: OAuth tokens, API keys, and credentials encrypted using KMS/Vault
+
+### Access Control
+
+- **Single Sign-On (SSO)**: Integration with enterprise identity providers (Microsoft Entra ID, Okta, Google Workspace, etc.)
+- **Role-Based Access Control (RBAC)**: Role-driven access and permission assignments
+- **Multi-Tenant Isolation**: Data segregation between organizations and teams
+
+### External Service Integration
+
+- **Local-First Architecture**: External service data (Jira, GitHub, Confluence, etc.) is fetched, indexed, and stored locally
+- **Credential Isolation**: External service credentials never leave the platform boundary
+- **OAuth 2.0/SAML**: Industry-standard authentication protocols for external integrations
+
+## Core Security Principles & Architecture
+
+This section describes the fundamental security patterns and practices implemented in the CodeMie platform:
+
+- **[Data Processing & Storage Architecture](./data-processing-storage)**: Detailed explanation of how data flows through the platform, storage layers, and regional distribution
+
+### 1. Defense in Depth
+
+Multiple layers of security controls protect data at every stage:
+
+- Network isolation (VPC, security groups, firewall rules)
+- Application-level authentication and authorization
+- Database-level access controls
+- Encryption at rest and in transit
+
+### 2. Least Privilege
+
+- Service accounts have minimum required permissions
+- External service integrations use read-only access where possible
+
+### 3. Data Minimization
+
+- Only necessary data sent to AI models (prompt + relevant context)
+- External service credentials scoped to minimum required permissions
+- User data isolated by tenant/organization
+
+:::tip Best Practice
+During deployment, ensure that the deployment region is configured to comply with your organization's data residency requirements across all infrastructure components, including the CodeMie platform, LLM services, and external integrations. This is especially critical if your organization has security policies or compliance documentation that govern data processing and storage practices. Coordinate with your security team to verify that all deployed resources respect regional data sovereignty constraints.
+:::
+
+## Getting Help
+
+For security-related questions:
+
+- Review component-specific security documentation
+- Consult your cloud provider's security best practices
+- Contact your support team with security concerns
+- Enable audit logging for security event monitoring
+
+:::warning Security Updates
+Regularly update the CodeMie platform and its components to receive the latest security patches. See the [Update Guide](../update/) for procedures.
+:::

docusaurus.config.ts

@@ -17,6 +17,7 @@ const config: Config = {
   onBrokenLinks: 'throw',
 
   markdown: {
+    mermaid: true,
     hooks: {
       onBrokenMarkdownLinks: 'warn',
     },
@@ -81,6 +82,8 @@ const config: Config = {
     ],
   ],
 
+  themes: ['@docusaurus/theme-mermaid'],
+
   themeConfig: {
     image: 'img/codemie-social-card.jpg',
     navbar: {