Skip to main content

Encryption

In transit

The Zentake API is served exclusively over HTTPS, https://api.app.zentake.com, so requests and responses, including any PHI they carry, are encrypted in transit by TLS. There is no plain-HTTP fallback: object storage and internal service traffic reject non-TLS connections, and the database connection is itself TLS-encrypted.

At rest

Patient data, Responses, and generated PDF Documents are encrypted at rest:

  • Database. The production PostgreSQL database has storage encryption enabled, backed by an AWS KMS customer-managed key. Automated database backups inherit the same encryption.
  • Object storage. Files (uploads, generated PDFs) are stored in Amazon S3 with server-side encryption (AES-256, or SSE-KMS for buckets that hold PHI-adjacent content).
  • Field-level. Selected high-sensitivity secrets (such as payment provider signing secrets) are additionally encrypted at the application layer before they are written to the database.

Key management

Encryption keys are managed through AWS KMS in the platform's primary region (us-west-2), using customer-managed keys rather than shared default keys. The same key protects the database volumes and its automated backups.