Encryption in Transit
All data transmitted between your applications and ABV is encrypted using Transport Layer Security (TLS).
What is TLS?
TLS (Transport Layer Security) is the industry-standard protocol for encrypting network communications. It’s the same technology that secures your banking websites, email, and other sensitive online services.
When your application sends data to ABV:
- A secure TLS connection is established using modern cryptographic algorithms
- Data is encrypted before transmission
- Only ABV’s servers can decrypt the data using their private keys
- Anyone intercepting the network traffic sees only encrypted gibberish
ABV supports TLS 1.2 and TLS 1.3, using strong cipher suites and forward secrecy to protect against future decryption attempts.
What Gets Encrypted in Transit
Every communication between your application and ABV is encrypted:
- SDK Traffic: All data sent from ABV SDKs (Python, TypeScript/JavaScript) to ABV servers
- API Requests: All REST API calls to ABV’s platform APIs
- Dashboard Access: All web browser traffic to the ABV dashboard
- LLM Gateway Traffic: All requests routed through the ABV LLM Gateway
Certificate Validation
Our SDKs and APIs validate TLS certificates to prevent man-in-the-middle attacks. This ensures you’re actually connecting to ABV’s servers and not an attacker impersonating them.
If certificate validation fails, the connection is immediately terminated—protecting your data from being sent to the wrong destination.
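The following is an added example, not code from the ABV SDKs: a Python client configuration using the standard `ssl` module that enforces the behaviour described above (TLS 1.2 or 1.3 only, certificate chain verified against the system trust store, hostname checked), shown next to the misconfiguration that silently defeats it, plus a small audit helper for reviewing a context. The endpoint URL is a placeholder, not a real ABV address.

```python
from __future__ import annotations

import ssl
import urllib.request

# Placeholder endpoint for illustration; not a real ABV URL.
ABV_API_URL = "https://api.example.invalid/v1/traces"


def build_client_context() -> ssl.SSLContext:
    """Client-side TLS context that matches the requirements on this page."""
    # create_default_context() loads the system CA store and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context()
    # Refuse anything older than TLS 1.2; TLS 1.3 is the ceiling.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: verification switched off to silence a certificate
    error. Any certificate presented on the path is accepted, so a
    man-in-the-middle can read and modify the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a context; an empty list means it meets the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocol allowed (minimum_version is {ctx.minimum_version.name})")
    return findings


def send_trace(payload: bytes, ctx: ssl.SSLContext | None = None) -> int:
    """POST a payload over a verified TLS connection and return the HTTP status.
    A chain or hostname mismatch raises ssl.SSLCertVerificationError during
    the handshake, before any application data is sent."""
    req = urllib.request.Request(
        ABV_API_URL, data=payload, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx or build_client_context()) as resp:
        return resp.status


if __name__ == "__main__":
    print("hardened:", audit_context(build_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

The audit helper is the kind of check worth running in a code review or a unit test of your own integration code: the usual way certificate validation gets lost in practice is a `verify=False` or `CERT_NONE` added during debugging and never removed.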
Encryption at Rest
Data stored in ABV’s infrastructure is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys), the same encryption standard used by governments and financial institutions worldwide.
Where Your Data is Encrypted
All ABV data stores use AES-256 encryption at rest:
| Service | Purpose | Encryption Standard |
|---|---|---|
| Aurora (PostgreSQL) | Metadata, user data, configurations | AES-256 |
| ClickHouse | Trace data, analytics, time-series metrics | AES-256 |
| Elasticache (Redis) | Session data, caching | AES-256 |
| S3 / Blob Storage | File attachments, exports, backups | AES-256 |
Encryption at rest is enabled by default across all ABV infrastructure. You don’t need to configure anything—it’s always on.
Understanding AES-256
What is AES-256?
AES-256 is a symmetric encryption algorithm that uses a 256-bit key to encrypt and decrypt data. The “256-bit” refers to the key length, which provides:
- 2^256 possible keys (that’s 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936 combinations)
- Effectively unbreakable with current technology—even with all the computing power in the world, it would take longer than the age of the universe to crack
How Encryption at Rest Works
When data is written to storage, it passes through the following steps. This all happens transparently—you never see the encrypted form of your data.
Data Write
Your trace data is prepared to be stored in one of ABV’s databases (PostgreSQL, ClickHouse, Redis, or S3).
Encryption
Before the data touches the disk, the storage service encrypts it using AES-256 with a unique encryption key.
Storage
The encrypted data is written to disk. If someone gains physical access to the storage media, they see only encrypted data.
Key Management
Encryption keys are managed separately from the encrypted data using AWS Key Management Service (KMS). This means:
- Encryption keys are never stored alongside the data they protect
- Keys are rotated regularly according to security best practices
- Access to keys is strictly controlled and audited
- Even if storage media is compromised, the data remains encrypted without the keys
ABV uses AWS KMS with automatic key rotation enabled for all encryption at rest.
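The envelope-encryption pattern behind the statements above (data keys wrapped by a master key that never leaves the key service, and rotation that does not require re-encrypting stored data) is shown here as an added Python example. It is not ABV's code: `ToyKms` is a stand-in for AWS KMS, running entirely in memory, and the example assumes the third-party `cryptography` package is installed. Key and record ids are constructed.

```python
import os
import secrets
from dataclasses import dataclass

# Assumes the third-party `cryptography` package (pip install cryptography).
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


@dataclass
class Envelope:
    """What actually lands on disk: ciphertext plus the *wrapped* data key.
    The master key that can unwrap it never appears here."""
    master_key_id: str
    wrapped_key: bytes
    nonce: bytes
    ciphertext: bytes


class ToyKms:
    """Stand-in for AWS KMS: master keys live only inside this object.
    Callers receive data keys in plaintext+wrapped form (cf. GenerateDataKey)
    and can ask for a wrapped key to be unwrapped (cf. Decrypt)."""

    def __init__(self) -> None:
        self._master_keys: dict[str, bytes] = {}
        self.current_key_id = ""
        self.create_key()

    def create_key(self) -> str:
        key_id = "mk-" + secrets.token_hex(4)  # constructed id
        self._master_keys[key_id] = AESGCM.generate_key(bit_length=256)
        self.current_key_id = key_id
        return key_id

    def _wrap(self, key_id: str, data_key: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        # The key id is bound as AAD so a wrapped key cannot be presented under another master key.
        return nonce + AESGCM(self._master_keys[key_id]).encrypt(nonce, data_key, key_id.encode())

    def generate_data_key(self) -> tuple[str, bytes, bytes]:
        data_key = AESGCM.generate_key(bit_length=256)
        return self.current_key_id, data_key, self._wrap(self.current_key_id, data_key)

    def unwrap(self, key_id: str, wrapped: bytes) -> bytes:
        nonce, ct = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return AESGCM(self._master_keys[key_id]).decrypt(nonce, ct, key_id.encode())

    def rotate(self) -> str:
        """New master key for new writes; old keys are kept so existing envelopes still open."""
        return self.create_key()

    def rewrap(self, env: Envelope) -> Envelope:
        """Move an envelope to the current master key without touching the data ciphertext."""
        data_key = self.unwrap(env.master_key_id, env.wrapped_key)
        return Envelope(self.current_key_id, self._wrap(self.current_key_id, data_key),
                        env.nonce, env.ciphertext)


def encrypt_record(kms: ToyKms, plaintext: bytes, record_id: str) -> Envelope:
    """Encrypt one record under a fresh AES-256-GCM data key; the record id is bound as AAD.
    The plaintext data key exists only for the duration of this call."""
    key_id, data_key, wrapped = kms.generate_data_key()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, record_id.encode())
    return Envelope(key_id, wrapped, nonce, ciphertext)


def decrypt_record(kms: ToyKms, env: Envelope, record_id: str) -> bytes:
    data_key = kms.unwrap(env.master_key_id, env.wrapped_key)
    return AESGCM(data_key).decrypt(env.nonce, env.ciphertext, record_id.encode())


def opens_as(kms: ToyKms, env: Envelope, record_id: str) -> bool:
    """True if the envelope authenticates under this record id; False if it was
    tampered with or is being read back under the wrong record."""
    try:
        decrypt_record(kms, env, record_id)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    kms = ToyKms()
    env = encrypt_record(kms, b"trace: user asked about refunds", "trace-001")
    kms.rotate()
    print(decrypt_record(kms, kms.rewrap(env), "trace-001"))
```

Two points the code makes concrete: the storage record (`Envelope`) carries only the wrapped data key, so a copy of the disk is useless without access to the key service; and rotating the master key re-wraps a 32-byte data key per record rather than re-encrypting the record itself, which is what makes regular rotation affordable at scale.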
End-to-End Protection
Combining encryption in transit and at rest provides comprehensive protection throughout your data’s lifecycle:
ABV Infrastructure
Data arrives at ABV servers still encrypted via TLS. The TLS connection terminates at ABV’s secure load balancers.
Processing
Data is processed in memory (RAM) in our secure infrastructure for indexing, analysis, and storage operations.
Storage
Data is encrypted with AES-256 before being written to disk, where it remains encrypted at rest.
Additional Security Features
Network Isolation
ABV’s infrastructure uses Virtual Private Clouds (VPCs) with strict network segmentation:
- Databases are not directly accessible from the internet
- Application servers can only access databases they need
- Security groups restrict traffic to only necessary ports and protocols
Access Controls
Even with encrypted data, access is strictly controlled:
- Role-Based Access Control (RBAC) determines who can view data
- All access is authenticated and authorized
- Audit logs track who accessed what data and when
Data Masking
For additional privacy, ABV supports data masking to redact sensitive information before it’s even stored:
- Automatically detect and mask PII (emails, phone numbers, credit cards)
- Custom masking rules for your specific needs
- Masked data is never stored in plain text
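As an added example, not ABV's masking implementation, the following Python code applies the kind of client-side redaction described above to a trace payload before it is sent: emails and phone numbers are matched by pattern, candidate card numbers are additionally Luhn-checked so that ordinary long numbers are not redacted, and the masking walks nested dictionaries and lists. The placeholder tokens and the sample payload are constructed.

```python
import re
from typing import Any

# Digit runs are only considered when not glued to other alphanumerics, so hex
# trace ids and version strings are left alone.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?![A-Za-z0-9])"
)
CARD_RE = re.compile(r"(?<![A-Za-z0-9])(?:\d[ -]?){12,18}\d(?![A-Za-z0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return "[CARD]" if luhn_ok(digits) else m.group(0)


def mask_text(text: str) -> str:
    # Cards first: a 16-digit run would otherwise be partly consumed by the phone pattern.
    text = CARD_RE.sub(_mask_card, text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


def mask_payload(value: Any) -> Any:
    """Walk a JSON-like trace payload and mask every string leaf, returning a new object."""
    if isinstance(value, str):
        return mask_text(value)
    if isinstance(value, dict):
        return {k: mask_payload(v) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_payload(v) for v in value]
    return value


if __name__ == "__main__":
    # Constructed sample payload; the card number is a well-known test value.
    sample = {
        "input": "Contact alice@example.com or call 555-123-4567",
        "card": "4111 1111 1111 1111",
        "order_ref": "4111 1111 1111 1112",
        "trace_id": "a1b2c3d4e5f6a7b8",
        "messages": [{"role": "user", "content": "my number is +1 555-123-4567"}],
    }
    print(mask_payload(sample))
```

Pattern-based masking is a trade-off: the phone pattern will still redact any bare ten-digit number that is not attached to letters, and it will miss numbers written in unusual formats. Treat the rules as a starting point and test them against your own payloads, since masking that runs before storage cannot be undone later.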
Compliance
Our encryption practices meet or exceed requirements for:
- GDPR: Protecting personal data with appropriate technical measures
- HIPAA: Encryption of Protected Health Information (PHI) in transit and at rest
- ISO 27001: Information security management system standards
- SOC 2: Trust service criteria for security
Next Steps
- Authentication & Authorization: Learn about access controls and RBAC
- Data Masking: Protect sensitive data before it’s stored
- Penetration Testing: See how we test our security controls
- Security Overview: Return to the security overview