diff --git a/docs/cloud/index.mdx b/docs/cloud/index.mdx index 5212aa697..ecd2f44de 100644 --- a/docs/cloud/index.mdx +++ b/docs/cloud/index.mdx @@ -46,7 +46,7 @@ All of Sourcegraph's features are available on Sourcegraph Cloud instances out-o ### Regular upgrades and maintenance -- Automatic [upgrades](/admin/updates/) when a new Souregraph version is released and maintenance when security patches are needed. +- Automatic [upgrades](/admin/updates/) when a new Sourcegraph version is released and maintenance when security patches are needed. - Regular reassessment of resource utilization based on your organization's unique usage to determine if costs can be reduced without impact to service. Additionally, you will automatically benefit from any committed use cloud provider discounts we receive. ### Custom domains 
@@ -54,7 +54,7 @@ All of Sourcegraph's features are available on Sourcegraph Cloud instances out-o Sourcegraph Cloud provides all customer instances a `customer.sourcegraphcloud.com` domain. This domain is fully managed by Sourcegraph, including DNS and HTTPS. However, to provide better branding and a more seamless experience for your users, you may bring your own company domain, for example `sourcegraph.company.io`. -In order to use your own domain, you need to perform an one-time setup by adding DNS records at your authoritative DNS. These DNS records are neccessary to ensure that your users can access your Sourcegraph instance via the custom domain, and also to ensure we can provide managed TLS certificates for your instance. See a [list of DNS records to be created by your organization](#dns-records-to-be-created-by-your-organization) below as an example. Additionally, your custom domain's [CAA records](https://blog.cloudflare.com/caa-of-the-wild/) should permit our upstream certificate authorities to issue certificates for your domain, follow the [instructions](#verify-caa-records) below to verify your CAA records. +In order to use your own domain, you need to perform an one-time setup by adding DNS records at your authoritative DNS. These DNS records are necessary to ensure that your users can access your Sourcegraph instance via the custom domain, and also to ensure we can provide managed TLS certificates for your instance. See a [list of DNS records to be created by your organization](#dns-records-to-be-created-by-your-organization) below as an example. Additionally, your custom domain's [CAA records](https://blog.cloudflare.com/caa-of-the-wild/) should permit our upstream certificate authorities to issue certificates for your domain, follow the [instructions](#verify-caa-records) below to verify your CAA records. Please reach out to your Sourcegraph account team to request a custom domain to be configured for your Sourcegraph Cloud instance. 
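Review bot: the `+` line keeps "perform an one-time setup"; it should read "a one-time setup". The last sentence of that line is also a comma splice ("...issue certificates for your domain, follow the [instructions]..."); split it: "...for your domain. Follow the [instructions](#verify-caa-records) below to verify your CAA records." Because a CAA check is only useful if the customer knows which issuers to permit, consider naming the upstream certificate authorities (or linking to where they are listed) in the same sentence rather than leaving "our upstream certificate authorities" unspecified.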
@@ -96,9 +96,9 @@ More details about the locations and data storage can be found in [our handbook] ### Private Connectivity -Sourcegraph Cloud can connect to resources that are publically accessible or protected by IP-based firewall rules out-of-the-box. Sourcegraph can provide static IP addresses for customers to add to their firewall allowlist. Please let your account team know. +Sourcegraph Cloud can connect to resources that are publicly accessible or protected by IP-based firewall rules out-of-the-box. Sourcegraph can provide static IP addresses for customers to add to their firewall allowlist. Please let your account team know. -Private Connectivity enables customers to privately connect Private Resources to the Sourcegraph Cloud instance. Private Resources refer to services that are not publicly accessible, such as self-hosted GitHub Enterprise servers, self-hosted GitLab instances, self-hosted Nexus instance, or Jira Data Center deployed in a private network that are only accessible through VPN. Learn more about Private Connectvity support below: +Private Connectivity enables customers to privately connect Private Resources to the Sourcegraph Cloud instance. Private Resources refer to services that are not publicly accessible, such as self-hosted GitHub Enterprise servers, self-hosted GitLab instances, self-hosted Nexus instance, or Jira Data Center deployed in a private network that are only accessible through VPN. Learn more about Private Connectivity support below: - [Private Resources on AWS via AWS Private Link](/cloud/private_connectivity_aws) - [Private Resources on GCP via GCP Private Service Connect](/cloud/private_connectivity_gcp) 
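Review bot: "self-hosted Nexus instance" in the second `+` line should be plural to match its neighbours ("self-hosted Nexus instances"), and "deployed in a private network that are only accessible through VPN" reads better as "deployed in a private network and reachable only through a VPN". In the first `+` line, "Please let your account team know." leaves the reader guessing what to ask for; "Contact your account team to obtain these addresses." says it.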
@@ -170,9 +170,9 @@ To learn more about how the Sourcegraph team operates managed SMTP internally, r > NOTE: We may be able to [support special requests](#accommodating-special-requirements), please reach out to your account team. - The Sourcegraph instance can only be accessible via a public IP. Running it in a private network and pairing it with your private network via site-to-site VPN or VPC Peering is not yet supported. -- Code hosts or user authentication providers running in a private network are not yet supported. They have to be publically available or they must allow incoming traffic from Sourcegraph-owned static IP addresses. We do not have proper support for other connectivity methods, e.g. site-to-site VPN, VPC peering, tunneling. +- Code hosts or user authentication providers running in a private network are not yet supported. They have to be publicly available or they must allow incoming traffic from Sourcegraph-owned static IP addresses. We do not have proper support for other connectivity methods, e.g. site-to-site VPN, VPC peering, tunneling. - Instances currently run only on Google Cloud Platform in the [chosen regions](#multiple-region-availability). Other regions and cloud providers (such as AWS or Azure) are not yet supported. -- Some [configuration options](/admin/config/) are managed by Sourcegrpah and cannot be override by customers, e.g. feature flags, experimental features. +- Some [configuration options](/admin/config/) are managed by Sourcegraph and cannot be overridden by customers, e.g. feature flags, experimental features. ## Security 
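Review bot: the second `+` line now states that code hosts or authentication providers in a private network are "not yet supported" and that there is no support for "site-to-site VPN, VPC peering, tunneling", which contradicts the Private Connectivity section earlier in this same file (and the AWS Private Link, GCP Private Service Connect and Sourcegraph Connect tunnel-agent pages changed in this patch). Since the hunk already touches that sentence, rephrase it to match: keep the public-IP and static-IP-allowlist statement, point to the Private Connectivity section for code hosts and artifact registries that are not publicly reachable, and list only the cases that remain unsupported.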
@@ -186,7 +186,7 @@ Only essential Sourcegraph personnel will have access to the instance, server, c ### Sourcegraph management access -[Sourcegraph management access](https://handbook.sourcegraph.com/departments/cloud/technical-docs/oidc_site_admin/) is the ability for Sourcergaph employees to grant time-bound and audit-trailed UI access to Cloud instances in the events of instance maintenance, issue troubleshooting, and customer assistance. Customer consent is guaranteed prior to human accesses. +[Sourcegraph management access](https://handbook.sourcegraph.com/departments/cloud/technical-docs/oidc_site_admin/) is the ability for Sourcegraph employees to grant time-bound and audit-trailed UI access to Cloud instances in the events of instance maintenance, issue troubleshooting, and customer assistance. Customer consent is guaranteed prior to human accesses. All Sourcegraph Cloud instances have Sourcegraph management access enabled by default, and customers may request to disable by contacting your Sourcegraph contact. diff --git a/docs/cloud/private_connectivity_aws.mdx b/docs/cloud/private_connectivity_aws.mdx index 2c8243d21..e4216cd2b 100644 --- a/docs/cloud/private_connectivity_aws.mdx +++ b/docs/cloud/private_connectivity_aws.mdx 
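Review bot: "prior to human accesses" in the `+` line should be "prior to any human access", and the context line after it mixes persons ("customers may request to disable by contacting your Sourcegraph contact"); suggest "customers may request to disable it by contacting their Sourcegraph account team". Since this is the control a customer relies on to keep operators out of their instance, it would help to say here where the customer can see the audit trail the sentence promises, not only that one exists.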
@@ -1,8 +1,8 @@ # Code hosts on AWS without public access -Please contact Sourcegraph directly via [prefered contact method](https://about.sourcegraph.com/contact) for more information. +Please contact Sourcegraph directly via [preferred contact method](https://about.sourcegraph.com/contact) for more information. -As part of the [Enterprise tier](https://sourcegraph.com/pricing), Sourcegraph Cloud supports connecting customer private resouces on AWS using [AWS Private Link](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) and managed [site-to-site VPN](https://cloud.google.com/network-connectivity/docs/vpn/tutorials/create-ha-vpn-connections-google-cloud-aws) solution between GCP (where Sourcegraph Cloud instances are hosted) and AWS, so that access to the private resource is secure and without the need to expose it to the public internet. +As part of the [Enterprise tier](https://sourcegraph.com/pricing), Sourcegraph Cloud supports connecting customer private resources on AWS using [AWS Private Link](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) and managed [site-to-site VPN](https://cloud.google.com/network-connectivity/docs/vpn/tutorials/create-ha-vpn-connections-google-cloud-aws) solution between GCP (where Sourcegraph Cloud instances are hosted) and AWS, so that access to the private resource is secure and without the need to expose it to the public internet. ## How it works 
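Review bot: the `+` line is missing an article: "using AWS Private Link and a managed site-to-site VPN solution". The sentence also leaves it unclear whether Private Link and the VPN are used together or are alternatives; the FAQ later in this file ("Advantages of the site-to-site GCP to AWS VPN include") treats them as distinct options, so say which applies and when.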
@@ -21,24 +21,24 @@ Sourcegraph Cloud is a managed service hosted on GCP. Sourcegraph creates a secu ### Initiate the process -Customer should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to: +Customers should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to: - The DNS name of the private code host, e.g. `github.internal.company.net` or private artifact registry, e.g. `artifactory.internal.company.net`. - The region of the private resource on AWS, e.g. `us-east-1`. -- The type of the TLS certificate used by the private resource, one of self-signed by internal private CA, or issued by a public CA. -- The VPC endpoint serivce name in the format of `com.amazonaws.vpce..`. Learn more from [create the VPC Endpoint Service](#create-the-vpc-endpoint-service). +- The type of TLS certificate used by the private resource: either self-signed by an internal private CA or issued by a public CA. +- The VPC endpoint service name in the format of `com.amazonaws.vpce..`. Learn more from [create the VPC Endpoint Service](#create-the-vpc-endpoint-service). ### Create the VPC Endpoint Service When a customer has private resources inside the AWS VPC and needs to expose it for Sourcegraph managed AWS VPC, customers can follow [AWS Documentation](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html). An example can be found from our [handbook](https://handbook.sourcegraph.com/departments/cloud/technical-docs/private-code-hosts/#aws-private-link-playbook-for-customer). -Sourcegraph will provide the Sourcegraph-managed AWS account ARN that needs to be allowlist in your VPC endpoint service, e.g., `arn:aws:iam::$accountId:root`. 
It must be allowlisted by customer before the connection can be established. Notes: The AWS account is created exclusively for individual Cloud customers and not shared with others. +Sourcegraph will provide the Sourcegraph-managed AWS account ARN that needs to be allowlisted in your VPC endpoint service, e.g., `arn:aws:iam::$accountId:root`. It must be allowlisted by customer before the connection can be established. Note: The AWS account is created exclusively for individual Cloud customers and not shared with others. The customer needs to share the following details with Sourcegraph: -- VPC endpoint serivce name in the format of `com.amazonaws.vpce..`. +- VPC endpoint service name in the format of `com.amazonaws.vpce..`. -Upon receiving the details, Sourcegraph will create a connection to the customer's private resource. The customer may need to manually accept the connection request depending on theirs [acceptance settings](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). Sourcegraph will follow up with the customer to confirm the connection is established. +Upon receiving the details, Sourcegraph will create a connection to the customer's private resource. The customer may need to manually accept the connection request depending on their [acceptance settings](https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests). Sourcegraph will follow up with the customer to confirm the connection is established. ### Create the private resource connection 
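Review bot: in both `+` lines that give the endpoint service name, the format `com.amazonaws.vpce..` has lost its placeholders (two consecutive dots with nothing between them); restore them, e.g. `com.amazonaws.vpce.<region>.vpce-svc-<id>`. "self-signed by an internal private CA" conflates two different cases: a certificate issued by an internal private CA is not self-signed, and the two are handled differently on the Sourcegraph side (trusting the CA chain versus trusting the single leaf), so list "self-signed", "issued by an internal private CA" and "issued by a public CA" separately. In the ARN paragraph, "allowlisted by customer" should be "by the customer"; and because the allowlisted principal is the account root (`arn:aws:iam::$accountId:root`), the note that the account is dedicated to a single customer is what makes that acceptable, so keep it adjacent to the ARN. Finally, the acceptance sentence is permissive ("may need to manually accept ... depending on their acceptance settings"); recommend that customers keep acceptance required on the endpoint service so the connection request has to be approved by them rather than auto-accepted.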
@@ -46,7 +46,7 @@ Once the connection to private code host is established, the customer can create ### Verify artifact registries are working -Once the connection to private artifact registry is established, customer might then verify that auto-indexing is working with private artifact registry by [configuring auto-indexing](/code-search/code-navigation/auto_indexing#configure-auto-indexing) +Once the connection to private artifact registry is established, customer might then verify that auto-indexing is working with the private artifact registry by [configuring auto-indexing](/code-search/code-navigation/auto_indexing#configure-auto-indexing) ## FAQ 
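Review bot: "customer might then verify" in the `+` line should be "the customer can then verify", and the sentence is missing its final period.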
@@ -67,20 +67,20 @@ Advantages of the site-to-site GCP to AWS VPN include: ### How can I restrict access to my private resource? -The customer has full control over the exposed service and they can may terminate the connection at any point. +The customer has full control over the exposed service and they may terminate the connection at any point. ### What are the next steps when artifact registry connectivity is working? -Only if private artifact registry is protected by authentication, the customer will need to: +Only if the private artifact registry is protected by authentication, the customer will need to: - create executor secrets containing credentials for Sourcegraph to access the private artifact registry - [how to configure executor secrets](/admin/executors/executor_secrets#executor-secrets) -- update auto-indexing inference configuration to create additional files from executor secrets for given programing language - [how to configure auto-indexing](/code-search/code-navigation/inference_configuration) +- update auto-indexing inference configuration to create additional files from executor secrets for given programming language - [how to configure auto-indexing](/code-search/code-navigation/inference_configuration) ### Can I use self-signed TLS certificate for my private resources? Yes. Please work with your account team to add the certificate chain of your internal CA to [site configuration](/admin/config/site_config#experimentalFeatures) at `experimentalFeatures.tls.external.certificates`. -### What is the disater recovery plan? +### What is the disaster recovery plan? For customers with a disaster recovery plan that can failover the private resource deployment to another region, we recommend the customer to provision VPC endpoint services in the failover region and share the details with Sourcegraph during the onboarding process. 
In the event of an incident, the customer can reach out to support and request Sourcegraph to failover the connection to the failover region. -For disater recovery plan of Sourcegraph Cloud, please reach out to your account team for more information. +For disaster recovery plan of Sourcegraph Cloud, please reach out to your account team for more information. diff --git a/docs/cloud/private_connectivity_gcp.mdx b/docs/cloud/private_connectivity_gcp.mdx index a142fc850..b31eb4202 100644 --- a/docs/cloud/private_connectivity_gcp.mdx +++ b/docs/cloud/private_connectivity_gcp.mdx @@ -1,6 +1,6 @@ # Code hosts on GCP without public access -Please contact Sourcegraph directly via [prefered contact method](https://about.sourcegraph.com/contact) for more information. +Please contact Sourcegraph directly via [preferred contact method](https://about.sourcegraph.com/contact) for more information. As part of the [Enterprise tier](https://sourcegraph.com/pricing), Sourcegraph Cloud supports connecting to customer dependencies on GCP using [GCP Private Service Connect](https://cloud.google.com/vpc/docs/private-service-connect). It creates a secure connection between customer GCP project and Sourcegraph Cloud instance, so that access to a private resource never occurs over the public internet. 
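Review bot: in the first `+` line, "Only if the private artifact registry is protected by authentication, the customer will need to:" is still awkward; "If the private artifact registry requires authentication, the customer will need to:" reads better (the GCP page in this same patch makes the identical change). In the disaster-recovery hunk, "we recommend the customer to provision" should be "we recommend that the customer provision", and "For disaster recovery plan of Sourcegraph Cloud" needs an article ("For the disaster recovery plan of Sourcegraph Cloud itself"). The self-signed-certificate answer in the context lines points at `experimentalFeatures.tls.external.certificates`; since that is the right fix as opposed to disabling verification, it is worth stating that the CA chain is what goes there when the certificate is CA-issued, and the leaf certificate when it is genuinely self-signed.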
@@ -29,11 +29,11 @@ Cross-region connectivity is not supported by Google Cloud for [Private Service ### Initiate the process -Customer should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to: +Customers should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to: - The DNS name of the private code host, e.g., `gitlab.internal.company.net`. - The region of the private code host on GCP, e.g., `us-central1`. -- The type of the TLS certificate used by the private code host, one of self-signed by internal private CA, or issued by a public CA. +- The type of TLS certificate used by the private resource: either self-signed by an internal private CA or issued by a public CA. - The location of where the TLS connection is terminated, one of the load balancer, or the private code host node. Finally, Sourcegraph will provide the following: 
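Review bot: the `+` line now says "the private resource", while the two list items before it say "the private code host" and the item after it says "the private code host node"; this wording was copied from the AWS page and should keep the term the rest of this list uses. Same objection as on the AWS page: "self-signed by an internal private CA" is a contradiction in terms; a certificate issued by an internal CA is CA-issued, not self-signed, and the two cases differ in what Sourcegraph has to be told to trust, so list them as separate options.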
@@ -41,9 +41,9 @@ Finally, Sourcegraph will provide the following: - A reference architecture in Terraform to demonstrate the setup on customer end. - The GCP Project ID of the Sourcegraph Cloud instance. -### Create Private Serivce Connect connection +### Create Private Service Connect connection -Customer should publish their services using PSC by follow [GCP documentation](https://cloud.google.com/vpc/docs/configure-private-service-connect-producer). The customer needs to [permit connection](https://cloud.google.com/vpc/docs/manage-private-service-connect-services#access) from the provided GCP Project ID earlier. The customer needs to provide the [Service Attachment] URI to Sourcegraph. The Service Attachment URI is in the format of `projects/:id/regions/:region/serviceAttachments/:name`. +Customer should publish their services using PSC by following the [GCP documentation](https://cloud.google.com/vpc/docs/configure-private-service-connect-producer). The customer needs to [permit connection](https://cloud.google.com/vpc/docs/manage-private-service-connect-services#access) from the provided GCP Project ID earlier. The customer needs to provide the [Service Attachment] URI to Sourcegraph. The Service Attachment URI is in the format of `projects/:id/regions/:region/serviceAttachments/:name`. Upon receiving the Service Attachment URI, Sourcegraph will create a connection to the customer service using PSC, and Sourcegraph will follow up with the customer to confirm the connection is established. 
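Review bot: `[Service Attachment]` in the `+` line is a reference-style link with no matching definition, so it renders as literal square brackets; add the definition or link it inline. "Customer should publish" should be "Customers should publish" for consistency with the "Initiate the process" hunk above, and "permit connection from the provided GCP Project ID earlier" reads better as "permit connections from the GCP Project ID provided earlier". Since the customer is the producer here, say explicitly that the accept list on the service attachment should contain only that project ID, because that list is the control that keeps other Private Service Connect consumers out.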
@@ -53,7 +53,7 @@ Once the connection is established, the customer can create the [code host conne ### Verify artifact registries are working -Once the connection to private artifact registry is established, customer might then verify that auto-indexing is working with private registry dependecies by [configuring auto-indexing](/code-search/code-navigation/auto_indexing#configure-auto-indexing) +Once the connection to private artifact registry is established, customer might then verify that auto-indexing is working with private registry dependencies by [configuring auto-indexing](/code-search/code-navigation/auto_indexing#configure-auto-indexing) ## FAQ @@ -75,9 +75,9 @@ All traffic between the producer and consumer is encrypted in transit. You may l ### What are the next steps when artifact registry connectivity is working? -Only if private artifact registry is protected by authentication, the customer will need to: -- create executor secrets containing credentials for Sourcegraph to access the private artifact registry - [how to configure executor secrets](/admin/executors/executor_secrets#executor-secrets) -- update auto-indexing inference configuration to create additional files from executor secrets for given programing language - [how to configure auto-indexing](/code-search/code-navigation/inference_configuration) +Only if the private artifact registry is protected by authentication, the customer will need to: +- Create executor secrets containing credentials for Sourcegraph to access the private artifact registry - [how to configure executor secrets](/admin/executors/executor_secrets#executor-secrets) +- Update auto-indexing inference configuration to create additional files from executor secrets for the given programming language - [how to configure auto-indexing](/code-search/code-navigation/inference_configuration) ### Can I use self-signed TLS certificate for my private resources? 
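Review bot: two hunks on this line. In the first, "customer might then verify" should be "the customer can then verify" and the sentence is missing its final period. In the second, the list items are now capitalized but the sentence they hang off ("Only if the private artifact registry is protected by authentication, the customer will need to:") is still awkward; "If the private artifact registry requires authentication, the customer will need to:" is cleaner.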
diff --git a/docs/cloud/private_connectivity_public_lb.mdx b/docs/cloud/private_connectivity_public_lb.mdx index 9dd56f9a6..e41849843 100644 --- a/docs/cloud/private_connectivity_public_lb.mdx +++ b/docs/cloud/private_connectivity_public_lb.mdx 
@@ -1,14 +1,14 @@ # Private Resources exposed via alternate public load balancers -Please contact Sourcegraph directly via [prefered contact method](https://about.sourcegraph.com/contact) for more information. +Please contact Sourcegraph directly via [preferred contact method](https://about.sourcegraph.com/contact) for more information. -As part of the [Enterprise tier](https://about.sourcegraph.com/pricing), Sourcegraph Cloud supports connecting customer private dependecies from customer data center via public load balancer on customer side. +As part of the [Enterprise tier](https://about.sourcegraph.com/pricing), Sourcegraph Cloud supports connecting customer private dependencies from customer data center via public load balancer on customer side. -> For private dependecies in AWS or GCP, please refer to [other deployment methods](/cloud#private-connectivity) +> For private dependencies in AWS or GCP, please refer to [other deployment methods](/cloud#private-connectivity) ## How it works -Sourcegraph Cloud is a managed service hosted on GCP. Customer will expose private resource via load balancer with IP allowlist for 2 static IPs provided by Sourcegraph. Sourcegraph will then be able to access the private resource over HTTPS through the load balancer from the GCP project hosting Sourcegraph Cloud. Sourcegraph recommends to setup passthrough TCP network load balancer to avoid maintaining valid TLS certificate on the network load balancer +Sourcegraph Cloud is a managed service hosted on GCP. Customers will expose private resources via a load balancer with an IP allowlist for 2 static IPs provided by Sourcegraph. Sourcegraph will then be able to access the private resource over HTTPS through the load balancer from the GCP project hosting Sourcegraph Cloud. Sourcegraph recommends setting up a passthrough TCP network load balancer to avoid maintaining a valid TLS certificate on the network load balancer. 
[link](https://link.excalidraw.com/readonly/gc6P8SDOEMCcrIl9cl64) 
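Review bot: the second `+` line still reads awkwardly: "supports connecting customer private dependencies from customer data center via public load balancer on customer side" would be clearer as "supports connecting to private dependencies in the customer's data center through a public load balancer operated by the customer". In the last `+` line, the "2 static IPs" sentence describes the allowlist but not what the load balancer does with the session; since the recommendation is a passthrough TCP load balancer that does not terminate TLS, say that the allowlist is the only control applied at the load balancer and that TLS is established end-to-end with the private resource, which is the reason for the recommendation. The context line `[link](https://link.excalidraw.com/...)` has the link text "link"; name it ("Architecture diagram").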
@@ -25,31 +25,31 @@ Sourcegraph Cloud is a managed service hosted on GCP. Customer will expose priva Customer should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to: -- The private DNS name of the private resource, e.g. `github.internal.company.net`. Notes, this is the DNS name customer users interact on a daily basis. +- The private DNS name of the private resource, e.g. `github.internal.company.net`. Note: this is the DNS name customer users interact on a daily basis. - The public DNS name of the network load balancer exposing the private resource, e.g. `github-public-nlb.company.net`. Sourcegraph will provide 2 static IPs for customer to allowlist ingress traffic for load balancer. ## FAQ -### Why passthrough TCP network load balancer? +### Why a passthrough TCP network load balancer? -With passthrough network load balancer, the load balancer acts as a simple network proxy to forward traffic to the backend private resource without terminating TLS. This avoids the need to install additional TLS certificate on the network load balancer, reducing opertional overhead. +With a passthrough network load balancer, the load balancer acts as a simple network proxy to forward traffic to the backend private resource without terminating TLS. This avoids the need to install additional TLS certificate on the network load balancer, reducing operational overhead. -In the event you have to use a proxy network load balancer or an application (L7) load balancer with a TLS listener, the load balancer must meet the following requirements: +In the event you need to use a proxy network load balancer or an application (L7) load balancer with a TLS listener, the load balancer must meet the following requirements: -- Present valid TLS certificates valid for both public and private dns name. 
-- Forward traffic to the private resource regardless public or private dns name is used to access the load balancer +- Present valid TLS certificates valid for both public and private DNS name +- Forward traffic to the private resource regardless public or private DNS name is used to access the load balancer -Assuming your private resources is a web service listening at port `443`, you can validate your setup: +Assuming your private resource is a web service listening at port `443`, you can validate your setup: ```sh curl --connect-to github.internal.company.net:443:github-public-nlb.company.net:443 https://github.internal.company.net ``` -### Can I use my internal dns name for artifact registry? +### Can I use my internal DNS name for artifact registry? -Yes, customer can expose their private registry with internal DNS name. Sourcegraph will provision dns-proxy, which translates customer private domain to public customer load balancer domain. No changes in customer configuration are required. +Yes, customers can expose their private registry with an internal DNS name. Sourcegraph will provision dns-proxy, which translates the customer's private domain to public customer load balancer domain. No changes in customer configuration are required. ### How secure is the connection? 
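Review bot: "Present valid TLS certificates valid for both public and private DNS name" in the `+` line doubles "valid"; "Present a TLS certificate valid for both the public and the private DNS name" is enough. The requirement list and the curl check are the security-relevant part of this section and deserve one sentence on why: `--connect-to` makes curl open the TCP connection to `github-public-nlb.company.net` while sending SNI for, and verifying the certificate against, `github.internal.company.net`, which mirrors what the dns-proxy described in the next answer does. State that the check must pass without `-k`/`--insecure`; a load balancer that only holds a certificate for the public name fails it, and that is the failure the requirement list guards against.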
@@ -65,7 +65,7 @@ Once the connection is established, the customer can create the [code host conne If private artifact registry is protected by authentication, the customer will need to: - Create executor secrets containing credentials for Sourcegraph to access the private artifact registry - [how to configure executor secrets](/admin/executors/executor_secrets#executor-secrets) -- Update auto-indexing inference configuration to create additional files from executor secrets for given programing language - [how to configure auto-indexing](/code-search/code-navigation/inference_configuration) +- Update auto-indexing inference configuration to create additional files from executor secrets for given programming language - [how to configure auto-indexing](/code-search/code-navigation/inference_configuration) ### Can I use self-signed TLS certificate for my private resources? diff --git a/docs/cloud/private_connectivity_sourcegraph_connect.mdx b/docs/cloud/private_connectivity_sourcegraph_connect.mdx index 12f969ee0..ec09ca9bb 100644 --- a/docs/cloud/private_connectivity_sourcegraph_connect.mdx +++ b/docs/cloud/private_connectivity_sourcegraph_connect.mdx @@ -1,6 +1,6 @@ # Private Resources on on-prem data center via Sourcegraph Connect agent -This feature is in the Experimental stage. Please contact Sourcegraph directly via [prefered contact method](https://about.sourcegraph.com/contact) for more information. +This feature is in the Experimental stage. Please contact Sourcegraph directly via [preferred contact method](https://about.sourcegraph.com/contact) for more information. As part of the [Enterprise tier](https://sourcegraph.com/pricing), Sourcegraph Cloud supports connecting private resources on any on-prem private network by running Sourcegraph Connect tunnel agent in customer infrastructure. 
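Review bot: the heading in the context line, "Private Resources on on-prem data center via Sourcegraph Connect agent", should be "in an on-prem data center via the Sourcegraph Connect agent", and the final `+` line ("by running Sourcegraph Connect tunnel agent in customer infrastructure") needs "the Sourcegraph Connect tunnel agent in the customer's infrastructure". Since the first `+` line marks the feature as Experimental, say what that means for support and for the guarantees the FAQ below makes, so a reader evaluating it knows which statements are firm.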
@@ -10,7 +10,7 @@ Sourcegraph will set up a tunnel server in a customer dedicated GCP project. Cus Sourcegraph Connect consists of three major components: -Tunnel agent: deployed inside customer network, which uses its own identity and encrypts traffic between customer code host and client. Agent can only communicate with permitted customer code hosts inside the customer network. Only agents are allowed to establish secure connections with tunnel server, the server can only accept connections if agent identity is approved. +Tunnel agent: deployed inside the customer network, which uses its own identity and encrypts traffic between the customer code host and client. Agent can only communicate with permitted customer code hosts inside the customer network. Only agents are allowed to establish secure connections with tunnel server, the server can only accept connections if agent identity is approved. Tunnel server: a centralized broker between client and agent managed by Sourcegraph. Its purpose is to set up mTLS, proxy encrypted traffic between clients and agents and enforce ACL. @@ -33,7 +33,7 @@ Customer should reach out to their account manager to initiate the process. The - The DNS name of the private code host, e.g. `gitlab.internal.company.net` or private artifact registry, e.g. `artifactory.internal.company.net`. - The port of the private code host, e.g., `443`, `80`, `22`. -- The type of the TLS certificate used by the private resource, one of self-signed by internal private CA, or issued by a public CA. +- The type of TLS certificate used by the private resource: either self-signed by an internal private CA or issued by a public CA. Finally, Sourcegraph will provide the following: 
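Review bot: the first `+` line still has a dangling relative clause ("deployed inside the customer network, which uses its own identity") and a comma splice ("...with tunnel server, the server can only accept..."); suggest "Tunnel agent: deployed inside the customer network. It has its own identity and encrypts traffic between the customer code host and the client. The agent can only reach code hosts the customer has permitted inside its network. Only agents may open connections to the tunnel server, and the server accepts a connection only if the agent's identity is approved." The phrase "permitted customer code hosts" does not say who defines that permit list; state whether it is the agent's own configuration (customer-controlled) or the server-side ACL, since that boundary is what a customer is evaluating. The second hunk repeats "self-signed by an internal private CA"; a CA-issued certificate is not self-signed, so list "self-signed", "issued by an internal private CA" and "issued by a public CA" as three cases.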
@@ -61,11 +61,11 @@ Connections between the tunnel agent inside customer network and a tunnel server Both tunnel clients and agents are assigned an identity corresponding to a GCP Service Account, and they are provided credentials to prove such identity. For tunnel agents, a Service Account key is distributed to the customer. For tunnel clients, it will utilize Workload Identity to prove its identity. They use them to authenticate against tunnel server by sending signed JWT tokens and public key. JWT token contains information about GCP service account credential public key required to validate signature and confirm identity of requestor. The server will then sign the requestor public key and respond with a signed certificate containing GCP Service Account email as a Subject Alternative Name (SAN). -Finally, if the customer NAT Gateway/Exit Gateway has stable CIDRs, we can provision firewall rules to restrict access to the tunnel server from the provided IP ranges only for added layer of security. +Finally, if the customer NAT Gateway/Exit Gateway has stable CIDRs, we can provision firewall rules to restrict access to the tunnel server from the provided IP ranges only for an added layer of security. ### How do you enforce authorization to restrict what requests can reach the private code host? -The tunnel server is configured with ACLs. With mTLS every entity in the network has its own identity. Client identity is used as a source for accessing customer private code hosts, while agents identity is used for destination. Tunnel server ensures that only clients with proved identity can communicate with customer tunnel agents. +The tunnel server is configured with ACLs. With mTLS every entity in the network has its own identity. The client's identity is used as a source for accessing customer private code hosts, while the agent's identity is used for destination. Tunnel server ensures that only clients with proven identity can communicate with customer tunnel agents. 
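Review bot: the ACL answer in the last `+` line is fine as rewritten, but the identity paragraph in the context lines says a Service Account key is distributed to the customer for the tunnel agents, while the FAQ below only says that the TLS encryption keys are short-lived; the long-lived credential a customer holds is that Service Account key, so say how it is scoped (the customer-dedicated GCP project), how it is rotated or revoked, and what happens to running agents when it is. "They use them to authenticate against tunnel server" should be "They use these credentials to authenticate to the tunnel server", and "for an added layer of security" in the firewall `+` line is filler; "to further restrict which source ranges can reach the tunnel server" says what the rule does.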
### Do you rotate the encryption keys? @@ -75,7 +75,7 @@ Encryption keys are short-lived and both tunnel agents and clients have to refre We utilize GCP Certificate Authority Service (CAS), a managed Public Key Infrastructure (PKI) service. It is responsible for the storage of all signing keys (e.g., root CAs, immediate CAs), and the signing of client certificates. Access to GCP CAS is governed by GCP IAM service and only necessary services or individuals will have access to the service with audit trails in GCP Logging. -The TLS private key on the tunnel agent or tunnel clients only exist in memory, and never shares with other party. Only the public key is sent to the tunnel server to issue a signed certificate to establish mTLS connection. +The TLS private key on the tunnel agent or tunnel clients only exist in memory, and are never shared with other parties. Only the public key is sent to the tunnel server to issue a signed certificate to establish mTLS connection. ### How do you audit access? 
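Review bot: "The TLS private key ... only exist in memory, and are never shared" in the `+` line mismatches number; use "The TLS private keys on the tunnel agents and tunnel clients exist only in memory and are never shared with any other party". The context line above it says "(e.g., root CAs, immediate CAs)"; that should be "intermediate CAs".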
@@ -87,18 +87,18 @@ The tunnel is built using TCP over gRPC. gRPC is a high-performant and battle-te ### How many agents can a customer start? -To obtain high availability customer can start multiple tunnel agents. Each of the agents will use the same GCP Service Account credentials, authenticate with the tunnel server and establish connection to it. Tunnel client will randomly select an available agent to forward the traffic. +To obtain high availability, customers can start multiple tunnel agents. Each of the agents will use the same GCP Service Account credentials, authenticate with the tunnel server and establish connection to it. Tunnel client will randomly select an available agent to forward the traffic. ### How does the customer configure the network to make the agent work? -Customer tunnel agent has to authenticate and establish connection with the tunnel server. Sourcegraph will provide a single dedicated static IP from customer dedicated GCP VPC which is used to connect with the tunnel server. Customer has to configure network egress to allow TCP (HTTP/2) traffic access to this static IP. +The customer tunnel agent has to authenticate and establish connection with the tunnel server. Sourcegraph will provide a single dedicated static IP from customer dedicated GCP VPC which is used to connect with the tunnel server. Customer has to configure network egress to allow TCP (HTTP/2) traffic access to this static IP. ### How can I restrict access to my private code host connection? The customer has full control over the tunnel agent configuration and they can terminate the connection at any time. What if the attacker gains access to the frontend? -In the event of an attacker gaining access to the sourcegraph containers, we consider this to be a security breach and we have Incident response processes in place that we will follow. 
However, we have many controls in place to prevent this from happening where Cloud infrastructure access always requires approval and the Security team is on-call for unexpected usage patterns. You may learn more from our [Security Portal](https://security.sourcegraph.com/). +In the event of an attacker gaining access to the Sourcegraph containers, we consider this to be a security breach and we have Incident response processes in place that we will follow. However, we have many controls in place to prevent this from happening where Cloud infrastructure access always requires approval and the Security team is on-call for unexpected usage patterns. You may learn more from our [Security Portal](https://security.sourcegraph.com/). Please reach out to us if you have any specific questions regarding our Cloud security posture, and we are happy to provide more detail to address your concerns. 
@@ -108,7 +108,7 @@ We recommend using an allowlist to limit the egress traffic of the agent to IP a ### How can I audit the data Sourcegraph has access to in my environment? -The tunnel is secured and authenticated by mTLS over gRPC, and everything is encrypted over transit. If customer is looking to perform audit, such as, TLS inspection, on the connection between the private resources and Sourcegraph Cloud. We recommend to only intercept and inspect traffic between the tunnel agent and private resources. The connection between the tunnel agent and Sourcegraph Cloud is using a custom protocol, and the decrypted payload has very little value. +The tunnel is secured and authenticated by mTLS over gRPC, and everything is encrypted over transit. If a customer is looking to perform an audit, such as TLS inspection, on the connection between the private resources and Sourcegraph Cloud, we recommend only intercepting and inspecting traffic between the tunnel agent and private resources. The connection between the tunnel agent and Sourcegraph Cloud is using a custom protocol, and the decrypted payload has very little value. ### Can I use self-signed TLS certificate for my private resources?
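Review bot: in the first hunk (`@@ -61,11`) the firewall sentence is still ambiguous after the article fix: "restrict access to the tunnel server from the provided IP ranges only" can be read as blocking those ranges; suggest "restrict access to the tunnel server to the provided IP ranges only". In the ACL paragraph, "used for destination" should be "used as the destination", and "Tunnel server ensures that only clients with proven identity can communicate with customer tunnel agents" describes authentication rather than the authorization the heading asks about; it would be clearer to state that the ACL pairs a specific client identity (source) with a specific agent identity (destination), so a client can only reach the agents it is allowed to. The unchanged context paragraph above it ("For tunnel clients, it will utilize Workload Identity", "JWT token contains information", "sign the requestor public key") has the same class of grammar problems this PR fixes elsewhere and could be cleaned up in the same pass.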
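Review bot: in the second hunk (`@@ -75,7`) the rewritten line still has a number-agreement problem: "The TLS private key on the tunnel agent or tunnel clients only exist in memory, and are never shared" mixes a singular subject with plural verbs; suggest "The TLS private keys on tunnel agents and tunnel clients exist only in memory and are never shared with any other party." Also "to establish mTLS connection" wants an article ("an mTLS connection"). In the unchanged context line, "immediate CAs" should almost certainly be "intermediate CAs"; since this PR is a typo pass, fix it here too.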
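Review bot: in the third hunk (`@@ -87,18`) several articles are still missing in the rewritten lines: "establish connection to it" and "establish connection with the tunnel server" (a connection), "Tunnel client will randomly select" (The tunnel client), "from customer dedicated GCP VPC" (from the customer's dedicated GCP VPC), "Customer has to configure" (The customer has to configure). In the joined incident-response paragraph, "Incident response processes" should be lower-case mid-sentence, and the "where Cloud infrastructure access always requires approval" clause reads better as its own sentence ("Cloud infrastructure access always requires approval, and the Security team is on-call for unexpected usage patterns."). The question "What if the attacker gains access to the frontend?" appears without the `###` heading marker the neighbouring questions use; worth checking whether that is intended.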
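Review bot: in the last hunk (`@@ -108,7`) "encrypted over transit" should be "encrypted in transit", and "is using a custom protocol" reads better as "uses a custom protocol". The justification "the decrypted payload has very little value" is also the weaker reason for not inspecting the agent-to-Cloud leg: that leg is mutually authenticated (mTLS, as the same sentence says), so a TLS-inspecting proxy cannot present the agent's client certificate and interception would break the handshake rather than yield low-value data. Suggest saying that directly, and keeping the recommendation to inspect the agent-to-private-resource leg, where the customer controls both ends.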