Security Posture

Encryption, network isolation, IAM, auditability, and data residency for the deployment.

  • No third-party SaaS in the data path. Identity, automation, inference, storage, and email are all AWS managed services running inside or against the deployment account.
  • Encryption in transit — TLS 1.2+ everywhere; certificates are issued and rotated by ACM. Internal traffic between the backend and AWS services traverses VPC endpoints over the AWS backbone.
  • Encryption at rest — All persistent stores (RDS, EBS, S3, Secrets Manager, CloudWatch Logs) are encrypted with KMS customer-managed keys.
  • Least-privilege IAM — Every component (EC2 instance profile, CI/CD OIDC role, service roles) is granted only the permissions needed to function. No role has wildcard administrative access.
  • Network isolation — Application and data tiers run in private subnets with no public IPs. Inbound traffic enters only through the WAF-protected ALB and CloudFront distribution.
  • Auditability — Operator shell sessions are recorded by SSM. API access logs (ALB), data-plane logs (CloudWatch), and AWS account activity (CloudTrail, expected to be enabled at the account level by the customer) provide a complete audit trail.
  • Secret hygiene — No long-lived AWS credentials are stored in the source repository or on the host. CI/CD authenticates via OIDC; the backend authenticates via the EC2 instance profile.
  • Data residency — All customer data, identity records, workflow content, and uploaded artefacts remain within the AWS account and chosen region for the deployment.
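
As an added example (not Ramain's own tooling), a check for the least-privilege claim above: it scans IAM policy documents, such as those returned by `aws iam get-policy-version` or `get-role-policy`, for Allow statements that grant every action on every resource. The two policy documents below are constructed samples.

```python
"""Flag IAM policy statements that amount to wildcard administrative access."""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(values):
    """True if any entry is a bare '*' (every action, or every resource)."""
    return any(str(v).strip() == "*" for v in values)


def find_wildcard_admin(policy):
    """Return the Sid (or positional label) of each Allow statement that covers
    all actions on all resources. NotAction/NotResource statements are reported
    too: an Allow of NotAction on Resource '*' is still near-administrative and
    warrants review.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant access
        all_actions = _is_wildcard(_as_list(stmt.get("Action"))) or "NotAction" in stmt
        all_resources = _is_wildcard(_as_list(stmt.get("Resource"))) or "NotResource" in stmt
        if all_actions and all_resources:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def audit_policy_json(text):
    """Convenience wrapper for raw JSON as produced by the AWS CLI."""
    return find_wildcard_admin(json.loads(text))


# Constructed sample: a role that violates the "no wildcard admin" rule.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: scoped access; the second statement uses Action '*' but
# only on one bucket prefix, so it is not a wildcard-admin grant.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadArtefacts", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-artefacts", "arn:aws:s3:::example-artefacts/*"]},
    {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-artefacts/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("ADMIN_POLICY", ADMIN_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "->", find_wildcard_admin(pol) or "no wildcard admin grants")
```

Run it over every customer-managed and inline policy attached to the instance profile, the CI/CD OIDC role and the service roles; an empty result for each is the evidence behind the bullet.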

See Compliance for the certifications and attestations Ramain holds, and how they map to this posture.