Architecture

Learn about PolicyCo's data architecture.

Updated over a week ago

PolicyCo employs a modern architecture with partners AWS and ElasticSearch to deliver a secure and compliant environment capable of scaling to the needs of your enterprise.

All data at rest is encrypted and all data in transit is encrypted.

Flow

Users are authenticated with traditional password credentials, Google Auth using AWS Cognito. Data arrives as users write procedure and policy language as well as through the posting of evidence. Evidence may include any text or binary file format. When a client first connects, the front-end files are delivered via CloudFront to the browser. This data arrives exclusively via https TLS 1.2 / 1.3. This frontend code comprises the presentation layer and communicates with the backend code via API Gateway with Lambda functions tied to them. These Lambda functions interact with ElasticSearch for storing database elements and appropriate meta-data. Other specialized Lambda functions interact with S3 to Create, Update and Delete S3 objects for evidence.

CloudFront exposes only port 80 and port 443. Port 80 is exposed only to redirect to 443.

We do not maintain physical servers. The entire platform is architected around a serverless environment.

AWS Services Utilized

  • CloudFront - Hosting frontend code

  • API Gateway - Deliver API requests to Lambda functions

  • Lambda - Execute API requests and interact with the DB and S3

  • S3 - Store objects

  • ElasticSearch - Store meta-data and content

  • Cognito - Authentication services

Data Center us-east-1
7600 Doane Dr.
Manassas, VA 20109

Data Center us-west-2
91088 Ball Ln,
Grass Valley, OR 97029

Code Repository

Code versioning is maintained at github utilizing private/public keypairs. No credentials are stored in the codebase.

Access granted to: VP Engineering, Senior Application Developer

Cryptographic Keys

We use cryptographic to transmit and store all information.

SSL Certificates

Port 443 is used in combination with SSL, TLS1.2 to communicate sensitive data to and from our clients. This traffic is most commonly tied to our Cavo and Artiva environments but is used for any traffic initiated by a web browser.

KMS Keys for bucket encryption

We secure all data at rest with AWS KMS Keys.

ElasticSearch

We secure all ElasticSearch data at rest with encryption keys.

Session Management

PolicyCo utilizes a JSON Web Token in order to prove that a user has been properly authenticated. This token also identifies which resources the user can access. As the user navigates through the application, the token is referenced in every request in order to validate these resources.

Did this answer your question?