Overview of Data Encryption and Protection Across Our Infrastructure

3 min. read · last update: 03.26.2025

To ensure the confidentiality, integrity, and availability of customer and system data, we have implemented encryption both at rest and in transit across all critical components of our infrastructure. Our setup is aligned with AWS security best practices and includes FIPS-compliant endpoints where appropriate.

This document provides a high-level summary of the current encryption strategy, with particular emphasis on our dashboard’s public endpoint, which is fully FIPS-compliant.

Public Dashboard (FIPS-Compliant)

  • Our customer-facing dashboard is served through an Application Load Balancer with the ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04 policy.
  • This ensures TLS 1.2 and 1.3 only, using FIPS-validated cryptographic modules.
  • HTTPS is enforced with automatic redirection from HTTP.
  • The SSL certificate is managed by AWS Certificate Manager (ACM) with automatic renewal.
  • Result: All external connections to our dashboard meet U.S. government-grade encryption standards.

API & Webhook Endpoints

  • All endpoints are encrypted in transit using TLS 1.2.
  • Certificates are RSA 2048-bit, signed with SHA-256, and issued by ACM.
  • Endpoints are edge-optimized using Amazon CloudFront for low latency and global reach.

RDS (Database) Encryption

  • RDS storage is encrypted at rest using AES-256 via an AWS-managed KMS key.
  • Backups, snapshots, and automated failovers are encrypted with the same key.
  • Key rotation and auditing are handled by AWS.
  • Encryption is always-on and cannot be disabled.

S3 (Object Storage) Encryption

  • Customer documents stored in S3 are encrypted at rest using SSE-S3 (server-side encryption with Amazon S3–managed keys).
  • Versioning is enabled, allowing object recovery from accidental changes.
  • Access logs are recorded and stored in a dedicated logging bucket.
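The controls listed for the dashboard, the RDS instance, and the S3 bucket can each be read back from the corresponding AWS describe/get call and checked mechanically. The script below is an added example, not the project's own tooling: it runs offline against constructed samples shaped like the responses of `elbv2 describe-listeners`, `rds describe-db-instances`, and `s3api get-bucket-encryption`, and checks them against the settings the article states (the FIPS security policy name, the HTTP-to-HTTPS redirect, `StorageEncrypted`, and SSE-S3/`AES256` as the default algorithm). The KMS key ARN in the sample is a placeholder. In practice you would replace the samples with the real responses.

```python
"""Offline compliance check of the encryption settings described above.

Added example, not the operator's own code. The sample inputs are constructed
to match the shape of the AWS CLI / boto3 responses; the ARN is a placeholder.
"""

# The ALB security policy the article states for the public dashboard.
REQUIRED_ALB_POLICY = "ELBSecurityPolicy-TLS13-1-2-FIPS-2023-04"

# Constructed sample: listeners of the dashboard ALB (HTTPS + HTTP redirect).
SAMPLE_LISTENERS = [
    {"Port": 443, "Protocol": "HTTPS", "SslPolicy": REQUIRED_ALB_POLICY,
     "DefaultActions": [{"Type": "forward"}]},
    {"Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "StatusCode": "HTTP_301"}}]},
]
# Constructed sample: same ALB but with a non-FIPS policy, to show a failing case.
WEAK_LISTENERS = [dict(SAMPLE_LISTENERS[0], SslPolicy="ELBSecurityPolicy-2016-08"),
                  SAMPLE_LISTENERS[1]]
# Constructed sample: excerpt of an RDS instance description (ARN is a placeholder).
SAMPLE_RDS = {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True,
              "KmsKeyId": "arn:aws:kms:REGION:ACCOUNT-ID:key/PLACEHOLDER-KEY-ID"}
# Constructed sample: bucket default-encryption configuration (SSE-S3 => AES256).
SAMPLE_S3_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}


def check_alb_listeners(listeners):
    """Return findings for the dashboard ALB: FIPS policy on HTTPS, redirect on HTTP."""
    findings = []
    https = [l for l in listeners if l.get("Protocol") == "HTTPS"]
    if not https:
        findings.append("no HTTPS listener configured")
    for l in https:
        if l.get("SslPolicy") != REQUIRED_ALB_POLICY:
            findings.append(f"port {l['Port']}: SslPolicy {l.get('SslPolicy')!r} "
                            f"is not {REQUIRED_ALB_POLICY}")
    for l in listeners:
        if l.get("Protocol") != "HTTP":
            continue
        redirects = [a for a in l.get("DefaultActions", [])
                     if a.get("Type") == "redirect"
                     and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"]
        if not redirects:
            findings.append(f"port {l['Port']}: HTTP listener does not redirect to HTTPS")
    return findings


def check_rds_instance(db):
    """Return findings for an RDS instance: storage encryption must be on."""
    findings = []
    if not db.get("StorageEncrypted"):
        findings.append(f"{db.get('DBInstanceIdentifier')}: StorageEncrypted is not true")
    elif not db.get("KmsKeyId"):
        findings.append(f"{db.get('DBInstanceIdentifier')}: encrypted but no KMS key recorded")
    return findings


def check_s3_default_encryption(config):
    """Return findings for a bucket: a default SSE algorithm must be configured.

    AES256 is SSE-S3 (what the article states); aws:kms is also accepted as
    at least as strong.
    """
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules]
    if not any(a in ("AES256", "aws:kms") for a in algorithms):
        return [f"bucket default encryption missing or unexpected: {algorithms}"]
    return []


def audit(listeners, db, s3_config):
    """Run all checks and return findings grouped by component."""
    return {"alb": check_alb_listeners(listeners),
            "rds": check_rds_instance(db),
            "s3": check_s3_default_encryption(s3_config)}


def is_compliant(report):
    """True when no component produced a finding."""
    return all(not findings for findings in report.values())


if __name__ == "__main__":
    for name, listeners in (("stated", SAMPLE_LISTENERS), ("weakened", WEAK_LISTENERS)):
        report = audit(listeners, SAMPLE_RDS, SAMPLE_S3_ENCRYPTION)
        print(name, "compliant" if is_compliant(report) else "NOT compliant", report)
```

Wiring this to live data is a matter of replacing the three samples with the output of the corresponding describe calls; the check functions are pure and can be run from a scheduled job so that a drift in any one of these settings (a policy downgrade, a bucket created without default encryption) is reported rather than discovered after the fact.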

SFTP Connection to Bank

To manage file transfers with the bank, the application establishes a secure SFTP connection using RSA 2048-bit key pairs.

  • The public/private key pair is generated automatically by the system.
  • The public key is shared with the bank to allow authentication.
  • The private key is securely stored in AWS Secrets Manager and never leaves the environment.
  • Only encrypted SFTP sessions are allowed, ensuring data is protected in transit.
  • A fixed public IP is used for all outbound SFTP connections, allowing the bank to whitelist the IP for added security.
  • Result: All file transfers between AWS and the bank's SFTP server are secured using industry-standard encryption.
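Because the public key is what gets handed to the bank, it is worth verifying, before sharing it, that the key actually is RSA and actually has a 2048-bit modulus as stated above. The following added example (not the application's own code) parses an OpenSSH `ssh-rsa` public-key line from the wire format (length-prefixed key type, exponent, and modulus) and checks the modulus size. The sample keys it checks are constructed in the block from a synthetic modulus so that it runs offline; they are not real keys and must not be used as such.

```python
"""Verify that an OpenSSH 'ssh-rsa' public key line is RSA with >= 2048 bits.

Added example, not the application's own code. The sample key lines are built
from synthetic moduli purely for demonstration; they are not usable keys.
"""
import base64
import struct

MIN_RSA_BITS = 2048  # the key size the article states for the bank SFTP key pair


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_openssh_rsa_public_key(line):
    """Return {'e': ..., 'bits': ...} for a 'ssh-rsa AAAA... comment' line."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("wire key type does not match the ssh-rsa prefix")
    e_bytes, off = _read_string(blob, off)   # public exponent (mpint)
    n_bytes, off = _read_string(blob, off)   # modulus (mpint)
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    e = int.from_bytes(e_bytes, "big")
    n = int.from_bytes(n_bytes, "big")
    return {"e": e, "bits": n.bit_length()}


def key_meets_policy(line, min_bits=MIN_RSA_BITS):
    """True when the line is an ssh-rsa key whose modulus is at least min_bits."""
    try:
        info = parse_openssh_rsa_public_key(line)
    except ValueError:
        return False
    return info["bits"] >= min_bits and info["e"] > 1 and info["e"] % 2 == 1


# --- constructed samples (not real keys) -------------------------------------

def _mpint(value):
    """Encode a positive integer as an SSH mpint (adds a leading 0x00 if needed)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _build_openssh_line(e, n, comment):
    """Assemble an OpenSSH public-key line from exponent and modulus."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Synthetic moduli: a 2048-bit odd number and a 1024-bit one. Not real keys.
SAMPLE_KEY_2048 = _build_openssh_line(65537, (1 << 2047) | 1, "constructed-not-a-real-key")
SAMPLE_KEY_1024 = _build_openssh_line(65537, (1 << 1023) | 1, "constructed-not-a-real-key")

if __name__ == "__main__":
    for label, line in (("2048-bit", SAMPLE_KEY_2048), ("1024-bit", SAMPLE_KEY_1024)):
        print(label, parse_openssh_rsa_public_key(line), "ok" if key_meets_policy(line) else "REJECT")
```

Running `key_meets_policy` over the line that is about to be sent to the bank is a cheap gate to add to the key-generation step: it refuses anything that is not `ssh-rsa`, anything shorter than 2048 bits, and any malformed blob, before the key leaves the environment.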

Key Takeaways

  • All critical services are protected by strong encryption, using TLS 1.2+ in transit and AES-256 at rest.
  • The public dashboard endpoint is FIPS-compliant, meeting strict federal cryptography standards.
  • SFTP file transfers to the bank are secured using RSA 2048-bit key pairs and encrypted sessions.
  • AWS-managed keys provide secure, low-maintenance encryption with full integration into AWS CloudTrail for auditability.
  • The architecture follows AWS’s "Secure by Default" model, reducing operational risk and maintaining a strong security baseline without manual overhead.