Data Security
Data protection is enforced at every layer through encryption, isolation, and strict access controls.
Encryption at Rest
- EBS volume encryption using AES-256 via AWS KMS
- RDS storage encryption enabled by default
- S3 server-side encryption (SSE-S3 / SSE-KMS) for all stored objects
- Backup data encrypted with the same standards
Encryption in Transit
- TLS 1.2+ enforced across all communication paths
- CloudFront → ALB → ECS: end-to-end encrypted transport
- Database connections encrypted in transit
- Internal service-to-service communication encrypted
Data Isolation
- Each client deployed as a subaccount within the Aurelis Technology AWS Organization
- Account-level isolation ensures complete data separation between clients
- No shared databases or storage between client environments
- Separate encryption keys per client account via AWS KMS
Key Management
- AWS Key Management Service (KMS) for all encryption key management
- Automatic key rotation policies
- Key usage audited via AWS CloudTrail
- No plaintext keys stored in application code or configuration