We use a multi-AZ AWS deployment in us-west-2 (Oregon), with multi-region support coming soon. All traffic goes through managed load balancers with health checks and automatic failover. Instances are autoscaled with rate limits in front.
All routes are protected by WAF and go through a variety of API Gateways depending on usage. Our ALB then forwards requests to the appropriate ECS Fargate service running in private subnets. Authorization is done through JWTs asymmetrically signed by AWS KMS.
RBAC is enforced at the HTTP and database layers to ensure your data is visible only to you.
We use PostgreSQL as our primary data store in a high-availability configuration with automated backups. All sensitive information is encrypted end-to-end in transit and at rest before reaching our application layer. We never handle sensitive information in plaintext. All traffic is encrypted in transit via TLS 1.2+.