Encryption
All customer data is encrypted at rest with AES-256 and in transit with TLS 1.2+. Encryption keys are managed by AWS, and secrets are stored in AWS Secrets Manager, never in source or environment files.
Encryption at rest
Every data store Beakr operates is encrypted with AES-256 using AWS-managed keys.
| Component | Encryption | Key management |
|---|---|---|
| Database (RDS PostgreSQL) | AES-256 | AWS-managed encryption |
| File storage (S3) | AES-256 (SSE-S3) | AWS-managed |
| Database backups & snapshots | AES-256 | Same key as source database |
| Cache (ElastiCache Redis) | AES-256 | AWS-managed |
| Block storage (EBS) | AES-256 | AWS-managed |
| Application logs (CloudWatch) | AES-256 | AWS-managed |
Encryption in transit
All external traffic uses TLS 1.3 with TLS 1.2 as a floor. Internal connections between services are also encrypted.
| Connection | Protocol | Minimum version |
|---|---|---|
| Client to application | HTTPS | TLS 1.2 |
| WebSocket connections | WSS | TLS 1.2 |
| Application to database | SSL/TLS | TLS 1.2 (`sslmode=require`) |
| Application to cache | TLS | Encrypted in-transit |
| Application to third-party APIs | HTTPS | TLS 1.2 |
HTTP traffic is automatically redirected to HTTPS. SSL certificates are managed through AWS Certificate Manager (ACM) and issued by trusted Certificate Authorities. HSTS headers are enforced with a one-year max-age.
Key management
Encryption keys are managed by AWS through its default encryption mechanisms:
- All encryption uses AWS-managed keys (SSE-S3 for object storage, AWS-managed keys for RDS and ElastiCache).
- AWS manages key generation, storage, and automatic rotation.
- Service credentials (database passwords, Redis auth tokens, API keys) are stored in AWS Secrets Manager.
- Access to encrypted resources is controlled via IAM policies with least-privilege grants.
Credential and secret management
| Secret type | How it's handled |
|---|---|
| User passwords | Never stored in Beakr. Authentication is delegated to Clerk (SOC 2 Type II certified), which handles password hashing (bcrypt) and MFA. |
| OAuth tokens | Never stored in Beakr. Managed by a SOC 2 Type II certified integration partner. Beakr stores only opaque connection reference IDs. |
| API keys | Stored as SHA-256 hashes. The plaintext key (bk_live_...) is returned once at creation and never stored. |
| Service credentials | Stored in AWS Secrets Manager. Never in source code or environment variables. |
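The API key row above describes a hash-only storage scheme. The following is an added example of that scheme, not Beakr's code: the in-memory store, the length of the random part, and the owner id are assumptions, and only the `bk_live_` prefix and the use of SHA-256 come from the table.

```python
import hashlib
import secrets

KEY_PREFIX = "bk_live_"  # prefix from the page; the random part's length is an assumption


class ApiKeyStore:
    """Hypothetical in-memory stand-in for the table holding key hashes."""

    def __init__(self):
        self._owner_by_hash = {}  # hex SHA-256 digest -> owner id

    @staticmethod
    def _digest(plaintext):
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def issue(self, owner_id):
        """Create a key, persist only its digest, return the plaintext once."""
        # 32 bytes from the CSPRNG: with this much entropy a fast unsalted
        # hash is infeasible to brute-force, unlike a hash of a human password.
        plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
        self._owner_by_hash[self._digest(plaintext)] = owner_id
        return plaintext

    def verify(self, presented):
        """Return the owner id for a valid key, or None."""
        if not isinstance(presented, str) or not presented.startswith(KEY_PREFIX):
            return None
        # Lookup is by digest of the presented value, never by the key itself.
        return self._owner_by_hash.get(self._digest(presented))

    def revoke(self, presented):
        """Delete the digest for this key; True if it existed."""
        return self._owner_by_hash.pop(self._digest(presented), None) is not None

    def stored_values(self):
        """What a database dump would expose: digests only."""
        return sorted(self._owner_by_hash)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue("org_demo")  # constructed owner id
    print("shown once:", key)
    print("persisted:", store.stored_values())
    print("verify:", store.verify(key), "| tampered:", store.verify(key + "x"))
```

Because only the digest is persisted, a lost key cannot be recovered from the store; it has to be revoked and reissued.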
For customers who require it, Beakr can configure AWS KMS customer-managed keys for RDS and S3 under a dedicated or single-tenant deployment. Contact support@thebeakr.com to discuss BYOK options.