Security
Security is foundational to Datafly Signal’s architecture. As a server-side tag management platform that handles customer event data, every design decision prioritises data protection, isolation, and compliance.
Security Principles
Single-Tenant Isolation
Every customer gets their own isolated deployment. There are no shared databases, Kafka topics, or Redis keyspaces between customers. In Kubernetes, each customer runs in a dedicated namespace with its own service instances.
First-Party Data Collection
Datafly.js loads from the customer’s own subdomain. Events are sent to the customer’s own endpoint. All cookies are first-party. No third-party JavaScript runs on the customer’s site.
Encryption at Rest and in Transit
All data is encrypted in transit using TLS 1.2+. Sensitive data stored in PostgreSQL (vendor API credentials, encryption keys) is encrypted at rest using AES-256. Managed database services provide Transparent Data Encryption (TDE).
Role-Based Access Control
The Management API enforces RBAC with four roles (owner, admin, editor, viewer). Every API request is authenticated with a JWT and authorised against the user’s role. See Roles & Permissions.
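The authenticate-then-authorise flow described above, as an added illustration using only the Python standard library; it is not Datafly Signal's code. The HS256 algorithm, the `role` and `exp` claim names, the strict role ordering and the action names are assumptions, since this page names only the four roles.

```python
import base64, hashlib, hmac, json, time

# Assumption: the four roles on the page form a strict hierarchy.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}
# Hypothetical action -> minimum role map (the real matrix is not on this page).
MIN_ROLE = {"pipeline:read": "viewer", "pipeline:write": "editor",
            "user:invite": "admin", "org:delete": "owner"}

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_token(claims, key, alg="HS256"):
    """Build a constructed sample token for the demo."""
    head = _enc(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_mac(key, head, body))}"

def verify_token(token, key, now=None):
    """Return the claims dict, or raise PermissionError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_dec(head))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise PermissionError("unexpected algorithm")  # pins alg, rejects "none"
        if not hmac.compare_digest(_mac(key, head, body), _dec(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_dec(body))  # parsed only after the MAC checks out
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError("malformed token") from exc
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise PermissionError("expired or missing exp")
    return claims

def authorize(token, key, action, now=None):
    """Authenticate, then authorise; unknown roles and actions are denied."""
    try:
        role = verify_token(token, key, now).get("role")
    except PermissionError:
        return False
    rank = ROLE_RANK.get(role) if isinstance(role, str) else None
    needed = MIN_ROLE.get(action)
    return rank is not None and needed is not None and rank >= ROLE_RANK[needed]
```

Every failure path returns a denial: a wrong algorithm header, a bad signature, a missing or past `exp`, an unknown role, or an unmapped action.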
Audit Logging
Every administrative action is recorded in an immutable audit log with the acting user, timestamp, affected resource, and details of the change. Logs are retained for 90 days. See Audit Logs.
Security Layers
| Layer | Protection |
|---|---|
| Browser to Gateway | TLS 1.2+, first-party cookies, CORS enforcement |
| Service to Service | Internal network (Kubernetes pod-to-pod), TLS where exposed |
| Service to Vendor | TLS 1.2+, vendor-specific authentication (API keys, OAuth) |
| Data at Rest | AES-256-GCM for credentials, PostgreSQL TDE |
| Cross-Domain Identity | AES-256-GCM encrypted tokens |
| PII Handling | SHA-256 hashing, configurable field redaction |
| Access Control | JWT authentication, RBAC authorisation |
| Consent | Two-stage enforcement (ingestion + delivery) |
Sections
| Section | Description |
|---|---|
| Encryption | TLS, AES-256, hashing, and data-at-rest protection |
| Authentication | JWT tokens, pipeline keys, HMAC, and SSO |
| Roles & Permissions | RBAC model with four roles and permissions matrix |
| Consent Enforcement | Two-stage consent checking and CMP integration |
Datafly Signal’s single-tenant architecture means a security incident in one customer’s deployment cannot affect another customer. Each deployment is a completely independent system.