Infrastructure Security
Our infrastructure is built on AWS with security as a foundational design principle. Every component is deployed with isolation, encryption, and monitoring in mind.
Infrastructure Architecture
Network Architecture
- VPC design with public and private subnets for strict network segmentation
- Compute and data layers (ECS, RDS) deployed exclusively in private subnets with no direct internet access
- Network Access Control Lists (NACLs) and Security Groups enforce fine-grained traffic rules
- All inter-service communication occurs within the private network
Compute
- Amazon ECS on EC2 instances in private subnets
- No public IP addresses assigned to compute resources
- Container images scanned for vulnerabilities before deployment
- Automated patching and instance refresh policies
Database
- PostgreSQL on EC2 in private subnet
- Multi-AZ deployment for high availability
- Encrypted storage using AES-256 via AWS KMS
- Automated encrypted backups with configurable retention
Edge & CDN
- Amazon CloudFront for frontend delivery with global edge caching
- AWS WAF (Web Application Firewall) with managed rule sets
- AWS Shield Standard for DDoS protection
- TLS 1.2+ enforced on all edge connections
Load Balancing
- Application Load Balancer (ALB) for API traffic routing
- ALB deployed in private subnet, accessible only through CloudFront
- Health checks and automatic failover for backend services
Region Flexibility
- Infrastructure deployed in the client-chosen AWS region
- All data remains within the selected region — no cross-region transfers
- Regional deployment ensures compliance with data residency requirements