Data Protection

Encryption, tenant isolation, and evidence integrity across the ZexRail platform.

Encryption at Rest
All persistent data is encrypted using AES-256-GCM.
| Data Store | Encryption | Key Management |
|---|---|---|
| PostgreSQL (primary) | AES-256-GCM (TDE) | AWS KMS with per-tenant DEKs |
| Redis (cache) | AES-256-GCM | AWS ElastiCache encryption |
| S3 (evidence store) | AES-256 (SSE-KMS) | AWS KMS with bucket keys |
| Backups | AES-256-GCM | Separate backup KMS key |
Encryption in Transit

All connections use TLS 1.3 with strong cipher suites. HTTP Strict Transport Security (HSTS) is enforced with a 1-year max-age and preload directive. Certificate transparency logs are monitored for unauthorized certificate issuance.

Tenant Isolation
Strict data separation between organizations at every layer.

Application Layer

Every API request is scoped to the authenticated organization. Cross-tenant data access is architecturally impossible through the API layer.

Database Layer (RLS)

PostgreSQL Row-Level Security policies enforce tenant isolation at the database level, providing defense-in-depth even if application logic is bypassed.

Encryption Layer

Each tenant has dedicated data encryption keys (DEKs). Even with raw database access, data from other tenants cannot be decrypted.

Row-Level Security (RLS)
PostgreSQL policies enforcing tenant boundaries.
-- Every table has an organization_id column
-- RLS policy ensures queries only return rows for the current tenant

-- Policies only take effect once RLS is enabled on the table;
-- FORCE applies them to the table owner as well
ALTER TABLE agents ENABLE ROW LEVEL SECURITY;
ALTER TABLE agents FORCE ROW LEVEL SECURITY;

ALTER TABLE negotiations ENABLE ROW LEVEL SECURITY;
ALTER TABLE negotiations FORCE ROW LEVEL SECURITY;

CREATE POLICY tenant_isolation ON agents
  USING (organization_id = current_setting('app.current_org_id'));

CREATE POLICY tenant_isolation ON negotiations
  USING (organization_id = current_setting('app.current_org_id'));

-- The app.current_org_id is set at connection time from the JWT
-- and cannot be overridden by the application
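As an added example (not ZexRail's own schema or migrations), the following psql session shows how a policy like the one above behaves end to end, including the two steps that are easy to miss: enabling RLS on the table and scoping the org id to a single transaction so a pooled connection cannot carry it into the next request. The table layout, the `app_user` role, the `org-a`/`org-b` identifiers and the use of `set_config` per transaction are all assumptions made for the example; the setup statements are run as the table owner.

```sql
-- Added example, not ZexRail code. Assumes a text organization_id column,
-- an application role named app_user, and constructed org ids org-a / org-b.

CREATE TABLE agents (
    id              bigserial PRIMARY KEY,
    organization_id text NOT NULL,
    name            text NOT NULL
);

-- Constructed sample rows for two tenants, inserted before RLS is enabled.
INSERT INTO agents (organization_id, name) VALUES
  ('org-a', 'org-a agent'),
  ('org-b', 'org-b agent');

-- A policy is inert until RLS is enabled; FORCE makes it apply to the owner too.
ALTER TABLE agents ENABLE ROW LEVEL SECURITY;
ALTER TABLE agents FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL instead of raising when the setting
-- is absent, and "organization_id = NULL" is never true, so an unscoped
-- connection sees no rows rather than all rows (fail closed).
-- WITH CHECK rejects writes tagged with another tenant's id.
CREATE POLICY tenant_isolation ON agents
  USING      (organization_id = current_setting('app.current_org_id', true))
  WITH CHECK (organization_id = current_setting('app.current_org_id', true));

-- The application must connect as a role that does not own the table and
-- cannot bypass RLS; superusers and BYPASSRLS roles ignore policies entirely.
CREATE ROLE app_user LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON agents TO app_user;
GRANT USAGE ON SEQUENCE agents_id_seq TO app_user;

SET ROLE app_user;

-- Scoped read: is_local => true limits the setting to this transaction.
BEGIN;
SELECT set_config('app.current_org_id', 'org-a', true);
SELECT name FROM agents;            -- returns only 'org-a agent'
COMMIT;

-- After COMMIT the setting is gone, so the same connection sees nothing.
SELECT count(*) FROM agents;        -- 0

-- Writing a row for org-b while scoped to org-a is rejected by WITH CHECK.
BEGIN;
SELECT set_config('app.current_org_id', 'org-a', true);
INSERT INTO agents (organization_id, name)
  VALUES ('org-b', 'smuggled');     -- ERROR: new row violates row-level security policy
ROLLBACK;

RESET ROLE;
```

The transaction-scoped `set_config` is the part worth verifying in any pooled deployment: if the org id were set with `is_local => false` on a pooled connection, it would persist until the pool returned that connection, and the next tenant's request could run under the previous tenant's scope.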
WORM Evidence Storage
Write Once Read Many storage for audit evidence and Verity proofs.

All settlement evidence, negotiation event logs, and Verity proofs are stored in S3 with Object Lock in compliance mode. Once written, evidence cannot be modified or deleted for the configured retention period (default: 7 years).

S3 Object Lock configuration:
{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "COMPLIANCE",
        "Years": 7
      }
    }
  }
}

Compliance mode cannot be overridden by any user, including the root AWS account. This ensures audit evidence integrity for regulatory requirements.

Data Retention & Deletion
| Data Type | Retention | Deletion |
|---|---|---|
| Agent records | Active + 90 days | Soft delete, then purge |
| Negotiations | 7 years (regulatory) | WORM-protected |
| Settlements | 7 years (regulatory) | WORM-protected |
| Verity proofs | 7 years (regulatory) | WORM-protected |
| API logs | 90 days | Auto-purge |