
Platform Encryption

General

The default VPC and Subnet create an isolated environment to which customers can control access rights. When processing data, the Cado worker instances are launched within the same VPC as the main Cado instance. Worker instances are also started from the same AMI as the main Cado instance. Please see our Knowledge Base for details on which ports and encryption protocols are used.

AWS

During deployment, by default, an S3 bucket, a VPC and a Subnet are created for use by the Cado solution.

During deployment, a default S3 bucket for collections is created. This can be customised, including to use an existing bucket, but by default the created S3 bucket is encrypted with server-side encryption using AES256 (SSE-AES256; see Protecting data with server-side encryption). Attached EBS volumes are encrypted using KMS. Access to EFS/NFS is over TLS. Secrets are stored using AWS Secrets Manager.

Some settings can be customized, and you may wish to enable key rotation as well.
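One way to check a deployment against the S3 and EBS/KMS defaults described above is to evaluate the responses of S3 GetBucketEncryption, EC2 DescribeVolumes and KMS GetKeyRotationStatus. The following is an added example, not Cado's own code; the function name, volume IDs and key ARN are constructed for illustration, and EFS and Secrets Manager are not covered.

```python
# Added example: audits AWS API response dicts against the defaults this page describes.
# All resource identifiers below are constructed sample values.

def audit_encryption(bucket_enc, volumes, rotation_by_key):
    """Return findings as (level, message) tuples.

    bucket_enc:      response shape of S3 GetBucketEncryption
    volumes:         response shape of EC2 DescribeVolumes
    rotation_by_key: {key ARN: response shape of KMS GetKeyRotationStatus}
    """
    findings = []

    rules = bucket_enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    algos.discard(None)
    if not algos:
        findings.append(("FAIL", "bucket has no default server-side encryption rule"))
    elif algos != {"AES256"}:
        # A customised deployment may use another algorithm; surface it for review.
        findings.append(("INFO", f"bucket uses {sorted(algos)} instead of the default AES256"))

    for vol in volumes.get("Volumes", []):
        vid = vol.get("VolumeId", "<unknown>")
        if not vol.get("Encrypted"):
            findings.append(("FAIL", f"{vid} is not encrypted"))
            continue
        key = vol.get("KmsKeyId")
        status = rotation_by_key.get(key)
        if status is None:
            findings.append(("INFO", f"{vid}: no rotation status supplied for its key"))
        elif not status.get("KeyRotationEnabled"):
            # Rotation is optional per this page, so report it as advisory only.
            findings.append(("ADVISORY", f"{vid}: key rotation is disabled for {key}"))
    return findings

# Constructed sample responses.
SAMPLE_BUCKET = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0example1", "Encrypted": True, "KmsKeyId": KEY},
    {"VolumeId": "vol-0example2", "Encrypted": False},
]}
SAMPLE_ROTATION = {KEY: {"KeyRotationEnabled": False}}

if __name__ == "__main__":
    for level, msg in audit_encryption(SAMPLE_BUCKET, SAMPLE_VOLUMES, SAMPLE_ROTATION):
        print(level, msg)
```

With boto3, the three inputs come from `get_bucket_encryption`, `describe_volumes` and `get_key_rotation_status` respectively.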