DAT-02: Encryption
Objective
Protect data confidentiality through cryptographic controls.
Description
All data is encrypted in transit using TLS 1.2+. Sensitive data is encrypted at rest using AES-256. Encryption keys are managed through AWS KMS.
Implementation Details
In Transit: All external APIs use HTTPS with TLS 1.2+. Internal services use TLS for inter-service communication. No plaintext protocols are permitted.
At Rest: S3 buckets use SSE-KMS encryption. RDS databases use encryption at rest. EBS volumes are encrypted.
Key Management: AWS KMS manages encryption keys. Keys are rotated annually. Access to keys is controlled via IAM.
Endpoints: macOS FileVault full disk encryption is required on all employee devices.
Examples
- All S3 buckets have default encryption enabled with AWS KMS
- RDS instances configured with encryption at rest using customer managed KMS keys
- Application enforces TLS 1.2 minimum, TLS 1.0/1.1 disabled
- All employee MacBooks have FileVault enabled and verified quarterly
Audit Evidence
- S3 bucket encryption settings
- RDS encryption configuration
- TLS configuration for load balancers/applications
- MDM reports showing FileVault status on all devices
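The audit evidence above is collected from AWS API responses (S3 GetBucketEncryption, RDS DescribeDBInstances, KMS DescribeKey/GetKeyRotationStatus, ELBv2 DescribeListeners). The following script is an added example, not part of this control document or of any tooling the organisation ships: it evaluates records shaped like those responses against the requirements in Implementation Details (SSE-KMS defaults, encrypted RDS storage, customer-managed rotated keys, TLS 1.2+ listeners). The sample records, bucket and key names, and the allow list of ELB security policies are constructed for illustration; the policy names themselves are real AWS names, but which ones your organisation approves is an assumption you should replace with your own standard. A real audit would feed the output of the named API calls (via boto3 or the AWS CLI) into the same functions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    resource: str
    compliant: bool
    detail: str

# Assumed allow list of ELB/ALB security policies that negotiate only TLS 1.2+.
# Names are real AWS policies; the choice of which to allow is this example's
# assumption and should mirror the organisation's own TLS standard.
TLS12_PLUS_POLICIES = frozenset({
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-Res-2021-06",
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
})

def check_s3_default_encryption(bucket: str, config: Optional[dict]) -> Finding:
    """config is shaped like S3 GetBucketEncryption output (None if the call
    raised ServerSideEncryptionConfigurationNotFoundError). Only SSE-KMS passes:
    'AES256' is SSE-S3, whose keys are not managed through KMS as DAT-02 requires."""
    rules = (config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo == "aws:kms":
            return Finding(bucket, True, f"SSE-KMS, key {default.get('KMSMasterKeyID', '(AWS managed aws/s3)')}")
        if algo == "AES256":
            return Finding(bucket, False, "default encryption is SSE-S3, not SSE-KMS")
    return Finding(bucket, False, "no default encryption rule")

def check_rds_encryption(db: dict) -> Finding:
    """db is one entry of RDS DescribeDBInstances 'DBInstances'."""
    name = db["DBInstanceIdentifier"]
    if not db.get("StorageEncrypted"):
        return Finding(name, False, "StorageEncrypted is false (cannot be enabled in place)")
    return Finding(name, True, f"encrypted at rest with {db.get('KmsKeyId')}")

def check_kms_key(key_metadata: dict, rotation: dict) -> Finding:
    """key_metadata is KMS DescribeKey 'KeyMetadata'; rotation is the
    GetKeyRotationStatus response. The control wants customer-managed keys with
    automatic rotation on (AWS's automatic rotation period defaults to one year)."""
    key_id = key_metadata["KeyId"]
    if key_metadata.get("KeyManager") != "CUSTOMER":
        return Finding(key_id, False, "AWS-managed key, not customer managed")
    if not rotation.get("KeyRotationEnabled"):
        return Finding(key_id, False, "automatic rotation disabled")
    return Finding(key_id, True, "customer managed, automatic rotation enabled")

def check_tls_listener(listener: dict) -> Finding:
    """listener is one entry of ELBv2 DescribeListeners 'Listeners'."""
    arn = listener["ListenerArn"]
    if listener.get("Protocol") not in ("HTTPS", "TLS"):
        return Finding(arn, False, f"plaintext listener ({listener.get('Protocol')})")
    policy = listener.get("SslPolicy", "")
    if policy in TLS12_PLUS_POLICIES:
        return Finding(arn, True, policy)
    return Finding(arn, False, f"policy {policy!r} is not on the TLS 1.2+ allow list")

# Constructed sample records (not real resources) in the shape of the API responses.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_S3 = {
    "logs-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}, "BucketKeyEnabled": True}]}},
    "legacy-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "AES256"}}]}},
}
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True, "KmsKeyId": KEY_ARN},
    {"DBInstanceIdentifier": "scratch-db", "StorageEncrypted": False},
]
SAMPLE_KMS = [
    ({"KeyId": "EXAMPLE-KEY-ID", "KeyManager": "CUSTOMER"}, {"KeyRotationEnabled": True}),
    ({"KeyId": "EXAMPLE-AWS-KEY", "KeyManager": "AWS"}, {"KeyRotationEnabled": True}),
]
SAMPLE_LISTENERS = [
    {"ListenerArn": "listener/app/api-alb/EXAMPLE/1", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "listener/app/api-alb/EXAMPLE/2", "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "listener/app/api-alb/EXAMPLE/3", "Protocol": "HTTP"},
]

def run_audit() -> List[Finding]:
    findings = [check_s3_default_encryption(b, c) for b, c in SAMPLE_S3.items()]
    findings += [check_rds_encryption(db) for db in SAMPLE_RDS]
    findings += [check_kms_key(meta, rot) for meta, rot in SAMPLE_KMS]
    findings += [check_tls_listener(l) for l in SAMPLE_LISTENERS]
    return findings

def noncompliant_resources(findings: List[Finding]) -> List[str]:
    return sorted(f.resource for f in findings if not f.compliant)

if __name__ == "__main__":
    for f in run_audit():
        print("PASS" if f.compliant else "FAIL", f.resource, "-", f.detail)
```

The SSE-S3 case matters because S3 now applies AES256 (SSE-S3) to every bucket by default, so "encryption enabled" alone does not satisfy the SSE-KMS requirement; the check distinguishes the two. The `ELBSecurityPolicy-2016-08` listener fails because that policy still negotiates TLS 1.0 and 1.1, which the Examples section says must be disabled.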
Framework Mapping
SOC 2
- CC6.1 ^[Encryption at rest and in transit protects information assets from unauthorized access during storage and transmission]
- CC6.7 ^[TLS encryption restricts and protects transmission, movement, and removal of information]
GDPR
- Article 32 ^[Encryption of personal data is explicitly listed as an appropriate technical measure to ensure security of processing]
- Article 34 ^[Encryption can reduce breach notification requirements - encrypted data may not require notification to data subjects]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Standards:
Processes:
Policies: