Security overview
Technical security facts for integration design: infrastructure, encryption, authentication, and rate-limit controls.
This page covers technical security for your integration: where data lives, how it's encrypted, and how you authenticate requests.
For contractual security details (data retention, deletion, compliance, subprocessors, responsible disclosure), see your legal agreement or email [email protected].
Infrastructure
Cloud provider: Amazon Web Services (AWS)
Primary region: us-west-2 (Oregon)
Services in use: ECS (container compute), RDS PostgreSQL, Lambda, S3,
Secrets Manager, KMS, API Gateway, CloudFront
Encryption
At rest:
- PostgreSQL databases encrypted with AWS KMS (AES-256)
- S3 buckets use SSE-S3 (AES-256); policies reject unencrypted uploads
- Secrets stored in AWS Secrets Manager with customer-managed KMS keys
In transit:
- All traffic to
*.isaapi.comrequires TLS 1.2 or higher - TLS 1.0 and 1.1 are disabled at the CloudFront / API Gateway layer
- HSTS enforced on all customer-facing subdomains
Authentication model
Bearer tokens
Scoped to a single account. Tokens are opaque; the server validates each against the database (no embedded claims). Self-service rotation from the Dashboard is coming; for now, email [email protected] to rotate.
HMAC-SHA256 signing
Used by embedded clients that can't safely hold a long-lived bearer token. Each request is signed with a per-session secret created at session start. The signing secret is never sent after initial issuance.
Internal access
No shared admin keys are issued to customers or used internally. All internal admin access uses IAM role-assumed short-lived credentials.
Vulnerability reporting
To report a security issue, email [email protected] or see
/.well-known/security.txt.
Updated about 10 hours ago