Encryption
In transit
The Zentake API is served exclusively over HTTPS,
https://api.app.zentake.com, so requests and responses, including any
PHI they carry, are encrypted in transit by TLS. There is no plain-HTTP
fallback: object storage and internal service traffic reject non-TLS
connections, and the database connection is itself TLS-encrypted.
At rest
Patient data, Responses, and generated PDF Documents are encrypted at rest:
- Database. The production PostgreSQL database has storage encryption enabled, backed by an AWS KMS customer-managed key. Automated database backups inherit the same encryption.
- Object storage. Files (uploads, generated PDFs) are stored in Amazon S3 with server-side encryption (AES-256, or SSE-KMS for buckets that hold PHI-adjacent content).
- Field-level. Selected high-sensitivity secrets (such as payment provider signing secrets) are additionally encrypted at the application layer before they are written to the database.
Key management
Encryption keys are managed through AWS KMS in the platform's primary
region (us-west-2), using customer-managed keys rather than shared default
keys. The same key protects the database volumes and its automated backups.