diff --git a/en/operations/telemetry-export.html b/en/operations/telemetry-export.html
index b738b41bea..ce354222b9 100644
--- a/en/operations/telemetry-export.html
+++ b/en/operations/telemetry-export.html
@@ -54,7 +54,11 @@ <h2 id="how-it-works">How it works</h2>
   <a href="/en/security/secret-store.html">Vespa secret store</a> vault and are referenced from
   <code>services.xml</code> by name only &mdash; never embedded in the application package. They are resolved
   securely and used solely to authenticate the collector to your backend. To enable this, grant
-  <em>infrastructure access</em> to the vault once for your Enclave cloud account.
+  <em>infrastructure access</em> to the vault once for your Enclave cloud account: the collector reads your
+  secret once to set up the export, so the Vespa infrastructure needs read access to it. This access is given
+  to the platform's identity, not to people &mdash; having access to a host does not let anyone read your
+  secret. It stays within your own cloud account, is read-only, and is used only to set up the collector, so
+  your secret is never exposed to others, including Vespa operators.
 </p>
 <img src="/assets/img/telemetry-export-architecture.png"
      alt="Telemetry export architecture: a collector on the Vespa host scrapes metrics