Infrastructure & network security

Beakr runs on AWS in us-east-1 with a multi-AZ architecture for high availability. All infrastructure is defined in Terraform, peer-reviewed, and deployed through CI/CD.

Network topology

VPC with subnet isolation. Public subnets (load balancer only), private subnets (application containers), isolated subnets (database and cache — no internet access).
NAT Gateway. Private subnets route outbound traffic through NAT for egress-only internet access.
Security Groups. Enforce least-privilege network rules. The database accepts connections only from application containers. Redis accepts connections only from application containers. No direct internet access to the database or cache.

Compute

Application runs as containerized services on Amazon ECS with auto-scaling.
Circuit breaker with automatic rollback on failed deployments.
Health checks on all services.

Database

PostgreSQL 16 with pgvector on Amazon RDS.
Multi-AZ deployment in production for automatic failover (RTO < 5 minutes).
Automated daily snapshots retained for 30 days (production).
Point-in-time recovery enabled (RTO 30–60 minutes).
Deletion protection enabled in production.

Cache

Redis on Amazon ElastiCache with Multi-AZ replication (2 nodes in production).
TLS encryption and authentication token required.
Private networking only — no public access.

Web Application Firewall (WAF)

AWS WAF protects the application at the edge:

Rule	What it blocks
OWASP Top 10 (AWS Managed)	XSS, local/remote file inclusion, common exploits.
SQL Injection Prevention	Inspects query strings, request bodies, URI paths, and headers.
Known Bad Inputs	Log4j exploits, known CVE patterns, malicious user agents.
IP Reputation List	Blocks known malicious IPs, botnets, and TOR exit nodes (AWS Managed).
Rate Limiting	Per-IP request rate limiting. Exceeding the limit results in automatic blocking.

Security headers

All responses include:

Strict-Transport-Security (HSTS) with one-year max-age, includeSubDomains
Content-Security-Policy
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy (disables camera, geolocation, microphone, etc.)
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin

Monitoring, logging & incident response

Audit logging

Application audit logs (CloudWatch): create, update, delete, share, and access-denied events. Retained for 90 days.
AWS CloudTrail: All AWS API calls logged across all regions. 365 days in CloudWatch, archived to S3 with Glacier lifecycle for 2 years.
VPC Flow Logs: Network traffic metadata on all subnets.
WAF Logs: All blocked and rate-limited requests.

Threat detection

AWS GuardDuty (production): continuous threat detection monitoring for malicious activity and unauthorized behavior.
CloudWatch Metric Filters: real-time alerting on security-relevant events.
WAF Alerts: automated alerts for blocked request spikes, rate limiting triggers, and SQL injection attempts. Delivered to Slack.

Infrastructure as Code

All infrastructure is defined in Terraform, version-controlled in Git, and reviewed via pull requests before deployment. No manual infrastructure changes.

Single-tenant deployment

For enterprise customers with regulatory or contractual requirements for dedicated infrastructure:

Dedicated database

Your data lives in a completely separate PostgreSQL instance, connected to our managed application platform. Same application, isolated storage.

Full infrastructure isolation

A complete, dedicated deployment including VPC, database, cache, compute, and load balancer. No shared components with other customers.

Both options use the same codebase and receive the same updates as our multi-tenant platform. Contact support@thebeakr.com for pricing and configuration.