In transit
All connections use TLS 1.2+. HSTS is enforced on all production hostnames. Internal AWS service-to-service calls also travel over TLS and are authenticated with AWS SigV4 request signing.
At rest
- DynamoDB is encrypted with AWS-managed KMS keys.
- Secrets (M365 / Xero refresh tokens, Stripe API keys) are stored in AWS Secrets Manager with envelope encryption.
- Object storage (backups, attachments) is encrypted with KMS and access is restricted by IAM policy.
Tenant isolation
Every record is keyed by TENANT#<tenantId>. Every Lambda reads the tenantId only from the verified Cognito JWT — never from request input. See our security as-built doc (request a copy if you need it for procurement).
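As an added illustration of the rule above (example code, not the project's own): a Lambda handler derives the tenant only from the claims that the API Gateway Cognito authorizer has already verified, builds the `TENANT#<tenantId>` partition key from it, and re-checks the key on anything read back. The claim name `custom:tenantId`, the table name, the `RECORD#` sort-key prefix and the sample event are assumptions constructed for the example; the anti-pattern function is included only to show what the rule prevents.

```python
"""Tenant-scoped key derivation for a Lambda behind an API Gateway
Cognito user-pool authorizer. Added example, not the page's own code."""
import json
import re

TENANT_CLAIM = "custom:tenantId"        # assumed custom attribute on the user pool
TABLE_NAME = "app-table"                # assumed table name
_TENANT_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")


class TenantResolutionError(Exception):
    """Raised when the caller's tenant cannot be established from verified claims."""


def tenant_from_event(event: dict) -> str:
    """Return tenantId from the authorizer-verified JWT claims only.

    The REST API Cognito authorizer validates signature, issuer and expiry
    before the function runs and places the claims at
    event["requestContext"]["authorizer"]["claims"]. Body, query string and
    headers are never consulted, so a caller cannot choose their tenant.
    """
    try:
        claims = event["requestContext"]["authorizer"]["claims"]
    except (KeyError, TypeError):
        raise TenantResolutionError("no verified claims on request")
    tenant = claims.get(TENANT_CLAIM)
    if not isinstance(tenant, str) or not _TENANT_ID_RE.fullmatch(tenant):
        raise TenantResolutionError("tenant claim missing or malformed")
    return tenant


def tenant_from_body_unsafe(event: dict) -> str:
    """ANTI-PATTERN: trusts request input. Shown only to contrast with the safe path."""
    return json.loads(event.get("body") or "{}").get("tenantId", "")


def tenant_pk(tenant_id: str) -> str:
    """Partition key prefix used by every record."""
    return f"TENANT#{tenant_id}"


def build_get_item(event: dict, record_id: str) -> dict:
    """DynamoDB GetItem arguments scoped to the caller's verified tenant."""
    pk = tenant_pk(tenant_from_event(event))
    return {
        "TableName": TABLE_NAME,
        "Key": {"PK": {"S": pk}, "SK": {"S": f"RECORD#{record_id}"}},
    }


def item_belongs_to_tenant(item: dict, event: dict) -> bool:
    """Defence in depth: reject any item whose PK is not the caller's tenant key,
    e.g. if a query or index ever returns more than the key requested."""
    expected = tenant_pk(tenant_from_event(event))
    return item.get("PK", {}).get("S") == expected


# Constructed sample event: JWT says acme-42, body claims to be victim-1.
SAMPLE_EVENT = {
    "requestContext": {"authorizer": {"claims": {TENANT_CLAIM: "acme-42", "sub": "u-1"}}},
    "body": json.dumps({"tenantId": "victim-1", "recordId": "inv-7"}),
}

if __name__ == "__main__":
    print("verified tenant:", tenant_from_event(SAMPLE_EVENT))
    print("body-supplied tenant (ignored):", tenant_from_body_unsafe(SAMPLE_EVENT))
    print(build_get_item(SAMPLE_EVENT, "inv-7"))
```

With the sample event the safe path resolves `acme-42` while the request body asks for `victim-1`; a request that reaches the function without authorizer claims (for example, a misconfigured route) fails closed with `TenantResolutionError` rather than falling back to input.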