<aside>
📣 Best practices to ensure secure data transactions
</aside>
Encryption
Encryption standards for storing data at rest
Data at rest is stored in two forms:
- Files are stored in AWS S3 Key-Value Store.
- Data is stored in AWS Relational Data Store (RDS) Database Servers.
File storage is configured with server-side encryption using AES-256. The storage policy requires every file uploaded to the storage to be encrypted.
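One common way to enforce encrypted uploads is an S3 bucket policy that denies `s3:PutObject` requests lacking the AES-256 server-side-encryption header. The sketch below is an added example, not the PDS configuration: the bucket name, the statement IDs and the small evaluator (which models only the two condition operators used here) are assumptions made for illustration.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed sample policy; "example-bucket" and the Sids are placeholders.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyWrongAlgorithm", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyMissingHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")

def _condition_matches(operator, expected, actual):
    """Evaluate one condition operator against the SSE header (None = header absent)."""
    if operator == "StringNotEquals":
        allowed = expected if isinstance(expected, list) else [expected]
        # A negated string operator also matches when the key is absent.
        return actual is None or actual not in allowed
    if operator == "Null":
        # "true" matches an absent key, "false" matches a present key.
        return (actual is None) == (str(expected).lower() == "true")
    raise ValueError(f"operator not modelled in this example: {operator}")

def denying_statement(policy, sse_header):
    """Return the Sid of the first Deny statement blocking an s3:PutObject, else None."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        # Every operator in a statement must match for the Deny to apply.
        # This sketch only models conditions on the SSE header key.
        if all(_condition_matches(op, keys[SSE_KEY], sse_header)
               for op, keys in stmt.get("Condition", {}).items()):
            return stmt.get("Sid", "unnamed")
    return None

if __name__ == "__main__":
    # Upload with AES256, upload with a different algorithm, upload with no header.
    for header in ("AES256", "aws:kms", None):
        print(f"{header!r:10} -> denied by {denying_statement(POLICY, header)}")
```

Running the same three requests against a real bucket's policy document is a quick audit that the encryption requirement is enforced by policy rather than left to each client.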
Data in RDS Servers is stored in isolated databases for each user, encrypted at rest using AES-256. All logs, backups and snapshots for a Database Server are encrypted. Database Servers’ stand-by replicas maintained for reliability are also encrypted.
Encryption standards for data in transit
PDS infrastructure uses an industry-standard tiered network setup, segregated into three areas:
- A public subnet reachable from the outside Internet. All communication is encrypted using SSL (HTTPS). Any insecure connections are redirected to HTTPS endpoints. AWS Elastic Load Balancer (ELB) with application (HTTPS) level SSL is configured for load balancing and encrypted connection termination.
- A private subnet where (PDS) Application Servers run, only reachable from inside the public subnet using a limited set of ports (all denied by default, selected ones open) — managed using a combination of explicit routing rules and firewall settings. Communication between the public subnet and the application servers is not encrypted; however, it is isolated from the outside, and only communication between the SSL-terminating Load Balancers and Application Servers is enabled.
- A database subnet where database servers are placed, only reachable from inside the private subnet using a limited set of ports. Communication between the Application Servers and the Data Servers happens on a private, isolated network.
Is data ever stored in an unencrypted form?
Data in-use is stored in a PostgreSQL database. Such data is not encrypted client-side and is stored in its original form. Data may be cached by an Application Server or a cluster-internal cache server in-memory for a short amount of time to enhance performance.