Encryption
Datafly Signal encrypts data at every layer — in transit between all components and at rest in storage. This page details the encryption mechanisms used throughout the platform.
Encryption in Transit
Browser to Ingestion Gateway
All event data sent from Datafly.js to the Ingestion Gateway is encrypted using TLS 1.2+. The customer’s subdomain (e.g., data.example.com) is served with a valid TLS certificate.
| Setting | Value |
|---|---|
| Minimum TLS version | 1.2 |
| Preferred TLS version | 1.3 |
| Cipher suites | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256 |
| Certificate | Customer-provided or provisioned via cert-manager / ACM |
Service to Service
Internal communication between Datafly services within a Kubernetes cluster uses pod-to-pod networking. For deployments that require service mesh encryption (e.g., compliance with zero-trust network policies), Datafly is compatible with Istio and Linkerd mTLS.
Kafka, Redis, and PostgreSQL connections support TLS. In production deployments with managed services (MSK, ElastiCache, RDS), TLS is enabled by default:
| Connection | TLS |
|---|---|
| Services to Kafka | TLS 1.2+ (configured via KAFKA_TLS_ENABLED) |
| Services to Redis | TLS 1.2+ (configured via REDIS_URL with rediss:// scheme) |
| Services to PostgreSQL | TLS 1.2+ (configured via sslmode=require in DATABASE_URL) |
Service to Vendor APIs
All Delivery Worker connections to vendor APIs use TLS 1.2+. Vendor API endpoints universally require HTTPS. The Delivery Worker validates the vendor’s TLS certificate and rejects connections with invalid or expired certificates.
Encryption at Rest
Vendor API Credentials
Vendor API credentials (API secrets, access tokens, OAuth refresh tokens) stored in PostgreSQL are encrypted using AES-256-GCM before being written to the database. The encryption key is provided via the ENCRYPTION_KEY environment variable.
Plaintext credential → AES-256-GCM encrypt → Store ciphertext + nonce in PostgreSQLWhen a Delivery Worker needs credentials at delivery time, it decrypts them in memory. Credentials are never written to disk in plaintext.
The ENCRYPTION_KEY must be a 32-byte (256-bit) hex-encoded string. Losing this key makes all stored credentials unrecoverable. Store it in a secrets manager and ensure it is backed up.
Database (PostgreSQL)
In production, PostgreSQL should use Transparent Data Encryption (TDE):
| Provider | TDE Support |
|---|---|
| AWS RDS | Enabled by default (AES-256, AWS KMS) |
| GCP Cloud SQL | Enabled by default (AES-256, Google-managed keys or CMEK) |
| Self-managed | Configure pgcrypto or use filesystem-level encryption (LUKS, dm-crypt) |
TDE encrypts the entire database at the storage layer, protecting against physical disk theft or snapshot exfiltration.
Kafka
In production Kafka deployments:
| Provider | Encryption at Rest |
|---|---|
| AWS MSK | Enabled by default (AES-256, AWS KMS) |
| Confluent Cloud | Enabled by default |
| Self-managed | Configure log directory encryption at the OS level |
Cross-Domain Identity Tokens
The Identity Hub uses AES-256-GCM to encrypt cross-domain identity tokens. When a user navigates between domains that share a Datafly deployment, an encrypted token is passed via URL parameter to link the anonymous IDs:
Plaintext: { "dfid": "abc123", "exp": 1740500400 }
→ AES-256-GCM encrypt with ENCRYPTION_KEY
→ Base64url encode
→ Append to URL: ?_dft=<encrypted_token>The receiving domain’s Ingestion Gateway decrypts the token to recover the anonymous ID and link the sessions.
| Property | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key | ENCRYPTION_KEY environment variable (32 bytes) |
| Token TTL | Configurable via TOKEN_TTL (default: 60 seconds) |
| Encoding | Base64url (URL-safe) |
Cross-domain tokens are short-lived (60 seconds by default) and single-use. They are consumed and invalidated on first use, preventing replay attacks.
PII Hashing
When PII hashing is enabled in the Org Data Layer, specified fields are hashed with SHA-256 before being delivered to vendor APIs:
Email: "jane@example.com"
→ Lowercase + trim
→ SHA-256 hash
→ "a1b2c3d4e5f6..." (delivered to vendor)This allows vendors like Meta and Google to perform identity matching using hashed identifiers without receiving raw PII.
| Property | Value |
|---|---|
| Algorithm | SHA-256 |
| Pre-processing | Lowercase, trim whitespace |
| Fields | Configurable per Org Data Layer (hash_fields setting) |
| Scope | Applied to all integrations at the Org level |
PII hashing is one-way. The original value cannot be recovered from the hash. Ensure you have the raw data stored in your own systems if you need it for other purposes.
Key Management Summary
| Key | Purpose | Length | Storage |
|---|---|---|---|
JWT_SECRET | Signing JWT access and refresh tokens | 256 bits | Environment variable / Kubernetes Secret |
ENCRYPTION_KEY | AES-256-GCM encryption for credentials and identity tokens | 256 bits (32 bytes, hex-encoded) | Environment variable / Kubernetes Secret |
| TLS certificates | HTTPS for ingestion and API endpoints | RSA 2048+ or ECDSA P-256 | Kubernetes Secret / cert-manager |