Data Security

Data protection is enforced at every layer through encryption, isolation, and strict access controls.

Encryption at Rest

  • EBS volume encryption using AES-256 via AWS KMS
  • RDS storage encryption enabled by default
  • S3 server-side encryption (SSE-S3 / SSE-KMS) for all stored objects
  • Backup data encrypted with the same standards

Encryption in Transit

  • TLS 1.2+ enforced across all communication paths
  • CloudFront → ALB → ECS: end-to-end encrypted transport
  • Database connections encrypted in transit
  • Internal service-to-service communication encrypted

Data Isolation

  • Each client deployed as a subaccount within the Aurelis Technology AWS Organization
  • Account-level isolation ensures complete data separation between clients
  • No shared databases or storage between client environments
  • Separate encryption keys per client account via AWS KMS

Key Management

  • AWS Key Management Service (KMS) for all encryption key management
  • Automatic key rotation policies
  • Key usage audited via AWS CloudTrail
  • No plaintext keys stored in application code or configuration