Data Encryption

ATHENA uses industry-standard encryption for all data, both in transit and at rest.

Encryption in Transit

All network communication uses TLS 1.3:

Layer
Protocol
Cipher Suite

HTTPS

TLS 1.3

AES-256-GCM

Database

TLS 1.2+

AES-128-GCM

Webhooks

TLS 1.2+

AES-256-GCM

Deprecated Protocols:

  • TLS 1.0/1.1: Disabled

  • SSL 2.0/3.0: Disabled

Encryption at Rest

All stored data is encrypted:

Data Type
Encryption
Key Management

Database

AES-256

AWS KMS

API Keys

bcrypt (12 rounds)

Application-level

Webhook Secrets

HMAC-SHA256

Application-level

Backups

AES-256

AWS KMS

API Key Security

API keys are never stored in plaintext:

Best Practices:

  • Store keys in environment variables

  • Never log API keys (we automatically redact)

  • Rotate keys quarterly

Key Rotation

API Keys

Rotate without downtime:

Grace Period: Old key valid for 24 hours

Webhook Secrets

Grace Period: Old secret valid for 24 hours

Database Encryption Keys

  • Managed by AWS KMS

  • Automatic quarterly rotation

  • No customer action required

Data Classification

Classification
Examples
Security Controls

Public

API documentation

None required

Internal

System logs

Authentication

Confidential

Decision data, API keys

Encryption + access controls

Restricted

Customer PII, subgroup data

Encryption + RLS + audit trail

HTTPS Enforcement

All API requests must use HTTPS:

HTTP requests are rejected with 301 redirect.

Certificate Transparency

  • All certificates logged to CT logs

  • Certificate pinning available for Enterprise tier

  • HSTS enabled (max-age: 1 year)

Next: Multi-Tenant Isolation

PreviousOverviewNextMulti-Tenant Isolation

Last updated