Platform Security
Infrastructure security, encryption standards, and compliance certifications for the Sazabi platform.
Sazabi runs on secure, modern infrastructure with multiple layers of protection. This page covers our infrastructure design, encryption practices, and compliance posture.
Infrastructure
Cloud provider
Sazabi runs on Amazon Web Services (AWS) in multiple regions. AWS provides robust physical security, network isolation, and compliance certifications that form the foundation of our security posture.
Regional deployment
We deploy infrastructure across multiple AWS regions:
- US West (us-west-2): Primary region for US customers
- US East (us-east-1): Additional US region
- EU Central (eu-central-1): EU data residency option
This multi-region deployment provides:
- Low latency: Data ingestion endpoints close to your infrastructure
- Availability: Redundancy across availability zones within each region
- Data residency: Options for keeping data in specific geographic regions
Encryption
In transit
All data transmitted to and from Sazabi is encrypted using TLS 1.3. This applies to:
- Log and telemetry ingestion APIs
- Dashboard and web application access
- API requests and responses
- Internal service-to-service communication
We enforce HTTPS and do not support unencrypted connections.
At rest
All stored data is encrypted at rest using AES-256:
| Data type | Encryption method |
|---|---|
| Log data | AES-256 (ClickHouse encryption) |
| Configuration | AES-256 (Supabase encryption) |
| Secrets & API keys | AES-256 via AWS KMS |
| File storage | AES-256 (S3 SSE) |
Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation enabled.
Network security
VPC isolation
All Sazabi services run within isolated Virtual Private Clouds (VPCs):
- Private subnets for databases and internal services
- Public subnets only for load balancers and API gateways
- Network ACLs and security groups restrict traffic flow
- No direct internet access for internal services
Firewall and access control
- Web Application Firewall (WAF): Protects against common web exploits including SQL injection, XSS, and Log4j vulnerabilities using AWS managed rule sets
- DDoS protection: AWS Shield Standard provides automatic DDoS mitigation
- Rate limiting: API endpoints enforce rate limits to prevent abuse
Vulnerability management
Security scanning
We continuously scan our infrastructure and applications for vulnerabilities:
- Dependency scanning: Automated scanning of all third-party dependencies
- Container scanning: Images are scanned before deployment
- Infrastructure scanning: Regular scans of cloud configurations
- Penetration testing: Annual third-party penetration tests
Patch management
We apply security patches promptly:
- Critical vulnerabilities: Patched within 24 hours
- High severity: Patched within 7 days
- Medium and low: Patched within 30 days
Security monitoring
Threat detection
We monitor for security threats using:
- Centralized logging of all infrastructure and application events
- Automated alerting on suspicious patterns
- 24/7 on-call response for security incidents
Incident response
Our incident response process includes:
- Detection: Automated monitoring and alerting
- Triage: Assessment of scope and impact
- Containment: Isolate affected systems
- Eradication: Remove the threat
- Recovery: Restore normal operations
- Post-mortem: Document lessons learned
We notify affected customers within 72 hours of confirming a data breach, in accordance with GDPR requirements.
Compliance
SOC 2 Type II
SOC 2 Type II certification is in progress. Contact us for our current SOC 2 Type I report.
We are pursuing SOC 2 Type II certification covering:
- Security
- Availability
- Confidentiality
GDPR
Sazabi complies with the General Data Protection Regulation (GDPR):
- Data processing agreements available for all customers
- EU data residency options
- Support for data subject access requests
- Right to erasure (data deletion) support
See Data Privacy for details on GDPR compliance.