Security Overview¶
Data security is foundational to Carbon Connect. Companies trust us with sensitive business and carbon data, and we take that responsibility seriously. This page explains our security approach in plain language.
Security Philosophy¶
We follow a defense-in-depth strategy: multiple independent layers of protection so that no single point of failure can compromise data. Even if one layer were breached, other layers would prevent unauthorized access.
Encryption: Data Is Protected Everywhere¶
In Transit (Moving Between Systems)¶
Every piece of data moving through the platform is encrypted using TLS 1.2 or higher -- the same encryption standard used by banks and governments. This applies to:
- Data traveling between your browser and our servers
- Data moving between our servers and our database
- Data moving between our servers and our cache
- Data moving between our servers and our file storage
What this means: Even if someone intercepted the data in transit, they would see only encrypted gibberish.
At Rest (Stored on Disk)¶
All stored data is encrypted using AES-256 -- a military-grade encryption standard:
| Storage | Encryption Method |
|---|---|
| Database (PostgreSQL) | AWS KMS-managed encryption keys |
| File storage (S3) | Server-side encryption (AES-256) |
| Cache (Valkey) | At-rest encryption enabled |
| Search indexes | Encrypted filesystem storage |
| Logs | Encrypted S3 storage |
What this means: Even if someone gained physical access to our storage hardware, the data would be unreadable without the encryption keys -- which are stored separately in a dedicated key management service.
Multi-Tenant Isolation: Your Data Is Yours Alone¶
Carbon Connect serves many customers from a single platform (this is called "multi-tenancy"). To ensure no customer can ever see another customer's data, we implement row-level security at the database level.
What Row-Level Security Means
Every record in the database includes a tenant identifier. The database itself -- not just the application -- enforces that queries only return data belonging to the requesting tenant. Even if there were a bug in the application code, the database would still prevent cross-tenant data access.
This is the same isolation approach used by enterprise SaaS platforms serving Fortune 500 companies.
Secrets Management: No Credentials in Code¶
All sensitive credentials (database passwords, API keys, encryption keys) are stored in AWS Secrets Manager, a dedicated vault service. This means:
- Credentials are never stored in source code
- Credentials are never stored in configuration files
- Every access to a secret is logged and auditable
- Credentials can be rotated without changing application code
- Different environments (development, staging, production) use different credentials
Automated Vulnerability Scanning¶
We do not wait for security problems to find us. The platform undergoes eight automated security checks on every code change:
| Check | What It Does | When It Runs |
|---|---|---|
| CodeQL Analysis | Scans code for security vulnerabilities and common attack patterns | Every code change |
| Bandit (Static Analysis) | Python-specific security checks for common vulnerabilities | Every code change |
| Dependency Scanning | Checks all third-party libraries for known security issues | Every code change + weekly |
| Secret Detection (pre-commit) | Prevents developers from accidentally including credentials in code | Every commit |
| Secret Detection (TruffleHog) | Deep scan for any leaked credentials | Every code change |
| Infrastructure Security (tfsec) | Validates cloud configuration follows security best practices | Every code change |
| Container Scanning (Trivy) | Checks deployment packages for vulnerabilities | Every code change |
| Dependency Updates (Dependabot) | Automatically proposes updates for libraries with security patches | Weekly |
No Code Ships Without Passing All Checks
These eight checks form a security gate. Code that fails any check cannot be merged or deployed. This is enforced automatically -- no human can override it.
Network Security¶
Private Cloud Architecture¶
The platform runs inside a Virtual Private Cloud (VPC) -- a logically isolated section of the cloud with strictly controlled network access:
| Component | Network Access |
|---|---|
| Load balancer | Only component accessible from the internet (ports 80/443) |
| Application servers | Only accessible from the load balancer |
| Database | Only accessible from application servers |
| Cache | Only accessible from application servers |
What this means: The database and cache are not directly accessible from the internet at all. They exist in a private network that can only be reached through the application layer, which enforces authentication and authorization.
Security Groups¶
Each component has a firewall (called a "security group") that specifies exactly which other components can communicate with it. These rules follow the principle of least privilege -- each component can only access what it absolutely needs.
Authentication and Access Control¶
User Authentication¶
- JWT tokens with configurable expiration for secure session management
- Refresh tokens for seamless session renewal without re-entering credentials
- Password hashing using bcrypt -- passwords are never stored in readable form
- Token blacklisting for immediate logout capability
Application Security¶
| Protection | What It Prevents |
|---|---|
| Input validation (Pydantic) | Malformed data from reaching the database |
| SQL injection prevention (SQLAlchemy ORM) | Attackers manipulating database queries |
| XSS prevention (React/Next.js) | Malicious scripts in the browser |
| Rate limiting | Automated attacks and abuse (60 requests per minute default) |
| CORS policies | Unauthorized websites from accessing the API |
Operational Security¶
Monitoring and Alerting¶
- Real-time monitoring of all system components via AWS CloudWatch
- Automated alerting for unusual activity or performance degradation
- Audit logging of all data access and administrative actions
- Database query logging for DDL changes and slow queries (over 1 second)
Backup and Recovery¶
| Capability | Implementation |
|---|---|
| Database backups | Automated daily snapshots with 7-day retention (production) |
| Point-in-time recovery | Restore database to any second within retention window |
| File versioning | All stored documents retain version history |
| Pre-deployment snapshots | Automatic backup before every production update |
Compliance Posture¶
| Standard | Status |
|---|---|
| GDPR | Core controls implemented (encryption, access control, audit logging). DSR workflows in development. See GDPR & Data Protection. |
| OWASP Top 10 | All major web application vulnerabilities addressed through framework defaults and automated scanning |
| SOC 2 Type II | Not yet pursued; infrastructure controls are aligned with SOC 2 requirements |
Summary¶
| Security Layer | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all communications |
| Encryption at rest | AES-256 for all stored data |
| Data isolation | Database-enforced row-level security |
| Credential management | AWS Secrets Manager (never in code) |
| Vulnerability scanning | 8 automated checks on every change |
| Network security | Private VPC with layered access controls |
| Authentication | JWT with bcrypt password hashing |
| Monitoring | Real-time alerting and audit logging |