Yapster's back-end is currently hosted in a single AWS availability zone in Dublin.
The application runs on EC2 instances with EBS block storage
EBS encryption on all EBS volumes;
all EBS data is encrypted at rest.
S3 storage is used for various customer data purposes
S3 Server Side Encryption is used for all customer data;
All customer data on S3 is encrypted at rest;
low-risk files (e.g. uploaded user pictures) are stored in unauthenticated S3 buckets, with unguessable (content addressed) URLs;
high-risk files (e.g. PII user-data imports and exports) are stored in protected S3 buckets, with access only proxied via the Yapster API.
ELB load balancers
The ELB load-balancers are the only public route to the Yapster API;
The ELB load balancers terminate TLS;
There is a single open post 443 HTTPS wih a minimum of TLS v1.2;
All data moving from the client to the back-end and vice-versa is encrypted in transit.
AWS VPC & firewall
All Yapster EC2 resources deployed within an AWS VPC;
Inbound traffic only permitted from within the VPC, from ELB and admin port 22;
port 22 is SSH private-key only admin access;
Inside VPC firewall perimeter, intra-VPC traffic is unencrypted.