Data Isolation and Security Controls
Logical Isolation
- We leverage row-level security and tenant-specific identifiers to ensure data separation in shared environments.
- Access to data is restricted to authorized users within your organization, enforced by stringent application and database-level permissions.
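The application-level half of this control, as an added example that is not the platform's own code: a data-access layer that takes the tenant identifier from the authenticated session and attaches it to every read and write. The `files` table, the `TenantScopedFiles` class and the sample rows are constructed for illustration, and SQLite stands in for the shared database.

```python
import sqlite3

# Constructed sample rows: two tenants sharing one table.
SAMPLE_ROWS = [
    (1, "tenant-a", "a-report.pdf"),
    (2, "tenant-a", "a-notes.txt"),
    (3, "tenant-b", "b-invoice.pdf"),
]

def make_db():
    """SQLite stands in for the shared database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, name TEXT NOT NULL)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

class TenantScopedFiles:
    """Hypothetical data-access layer bound to one tenant per request."""

    def __init__(self, db, session_tenant_id):
        # The tenant ID comes from the authenticated session, never from
        # request parameters the caller controls.
        if not session_tenant_id:
            raise PermissionError("no tenant bound to session")
        self._db = db
        self._tenant = session_tenant_id

    def list_files(self):
        cur = self._db.execute(
            "SELECT id, name FROM files WHERE tenant_id = ? ORDER BY id",
            (self._tenant,))
        return cur.fetchall()

    def get_file(self, file_id):
        # Filtering on id alone would return another tenant's row to any
        # caller who supplies its id, so the tenant predicate is mandatory.
        cur = self._db.execute(
            "SELECT id, name FROM files WHERE id = ? AND tenant_id = ?",
            (file_id, self._tenant))
        return cur.fetchone()

    def rename_file(self, file_id, new_name):
        # Writes carry the same predicate; report whether a row changed.
        cur = self._db.execute(
            "UPDATE files SET name = ? WHERE id = ? AND tenant_id = ?",
            (new_name, file_id, self._tenant))
        return cur.rowcount == 1
```

A database-level row-level security policy applies the same tenant predicate a second time, so a query that omits the filter in application code still returns no rows from other tenants.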
Encryption
- Data at Rest: Sensitive customer files are encrypted using AES-256 with per-tenant customer-managed keys. All other data is protected by AWS default encryption at rest (for example, S3 default bucket encryption and other service-native encryption).
- Data in Transit: Communications between customers and our platform are secured with TLS to prevent eavesdropping or tampering.
Related platform controls
- DynamoDB, S3, and Static Web Delivery Controls — production table protection, frontend bucket public-access prevention, and browser integrity or cache headers for the web shell.
- Input Sanitization for Tasks and Shell Contexts — validation of task parameters before remote execution.
- VPC, Private Subnets, and Service Connectivity — where application compute runs relative to the public internet.
- AWS WAFv2 for API Protection — edge rate limiting and managed rule visibility on the API.
- Authentication with Amazon Cognito — MFA, password policy, and authentication log retention.
- Scanning Policy: Protected Domains and Blocked Capabilities — static domain deny lists and per-account blocked capabilities.