Database - ARGOS Identity

1. Document Overview

1.1 Purpose

This document describes the network communication architecture and data security policies for the data storage layer (Database) used by ARGOS Identity. It is intended for use by security and network review personnel at customer organizations.

1.2 Target Audience

Information security and security review personnel at customer organizations
Personnel conducting data processing due diligence (data controller/processor relationships)
Compliance / audit departments

1.3 Scope

Data storage engine and call structure
Encryption in transit and at rest
Authentication, authorization, access control, and isolation
Auditing, backup, and compliance

2. Network Communication Flow

2.1 Call Structure

2.2 Communication Characteristics

Item	Value
Protocol	HTTPS (TLS 1.2+)
Authentication	AWS Signature Version 4 (SigV4)
SDK	AWS SDK for JavaScript (v2/v3)
Response format	JSON
Caller location	Verification processing layer (Lambda) / EC2 / management tools
Direct external access	Not permitted (internal AWS calls only)

2.3 External Exposure

DynamoDB is not directly exposed to the public internet; only internal services holding valid AWS credentials (IAM Role) can invoke it.
All calls are completed within the AWS infrastructure.

3. Communication Protocols and Standards

3.1 Transport Layer

TLS 1.2 or higher enforced (default AWS SDK behavior)
DynamoDB endpoints are protected by AWS-issued certificates, which the SDK validates automatically

3.2 Authentication Signing

All API calls are signed with AWS Signature Version 4 (SigV4)
Signature elements: credentials (IAM Role) + request time + request method/path/header/body hash
Any tampering causes immediate rejection by AWS (requests with a time difference of 5 minutes or more are automatically rejected)

3.3 Call Patterns

PutItem / GetItem / Query / UpdateItem / DeleteItem / BatchWrite / TransactWrite
Some hot paths use DynamoDB Accelerator (DAX) in-memory cache

4. Data Encryption

The data storage layer operates a dual encryption structure.

5.1 Primary — Server-Side Encryption (AWS-managed)

Item	Value
Scope	Automatically applied to all tables, indexes, streams, and backups
Algorithm	AES-256
Key management	AWS KMS (FIPS 140-2 Level 3 HSM-based)

→ DynamoDB always encrypts all stored data using AWS KMS; there is no point at which data is written to disk in plaintext.

5.2 Secondary — Application-Layer Additional Encryption (sensitive fields)

Sensitive personal data fields such as ID numbers, passport numbers, and contact information are additionally encrypted at the application layer before storage.

Item	Value
Algorithm	AES-256-GCM (authenticated encryption)
Key management	AWS KMS Customer-managed Key
Integrity	GCM mode Auth Tag verification
When applied	Encrypted directly in the verification processing layer before PUT

→ As a result, sensitive fields are stored in a doubly encrypted state (application-layer AES-256-GCM + server-side AES-256).

5.3 Object Storage (Reference)

Images (ID documents and selfies) are stored in AWS S3 with KMS-based server-side encryption applied.

5.4 Encryption in Transit

Segment	Method
Verification processing → DynamoDB	TLS 1.2+ (enforced by AWS SDK)
DynamoDB → backup/PITR	AWS internal encryption (KMS)
Cross-Region Replication	AWS internal encryption (KMS)

6. Authentication and Authorization

6.1 Caller Authentication

Callers must hold valid AWS IAM credentials
The verification processing layer (Lambda / EC2) is automatically granted credentials via IAM Role
Credentials are automatically rotated as short-lived tokens (STS Token)

6.2 Authorization

Per-table / per-operation permission control via IAM Policy
Least Privilege principle applied

7. Integrity

Layer	Integrity Assurance Method
AWS DynamoDB	All writes are synchronously replicated across multiple AZs with checksum verification
Application payload	AES-256-GCM Auth Tag verification
TLS channel	TLS 1.2+ built-in integrity (AEAD / HMAC)

8. Access Control and Isolation

8.1 Network Layer

No direct exposure to the public internet
Dedicated to AWS internal communication (public endpoint, but IAM acts as gatekeeper)
VPC Gateway Endpoint enforces communication over the AWS backbone

8.2 IAM Isolation

Separate IAM Role per service
Operators, developers, and automation tools have separate IAM users and groups
Multi-Factor Authentication (MFA) enforced (console access)

8.3 Environment Isolation

Live / Test tables operated separately
Data movement between environments is performed only through an explicit migration procedure

9. Logging and Auditing

9.1 Application Auditing

Domain events recorded in a separate audit table (KYC submission status changes, administrator actions, etc.)
All audit records follow an append-only policy (immutable)

9.2 Retention

CloudTrail logs: automatically retained for 90 days in the AWS console; long-term retention requires separate S3 storage
DynamoDB backup (PITR): point-in-time recovery available for up to 35 days
On-demand backup: no retention limit

10. Compliance

10.1 ARGOS Identity Held Certifications

ISO/IEC 27001 — International standard certification for information security management systems

10.2 AWS DynamoDB Certifications (Inherited)

SOC 1 / SOC 2 / SOC 3
ISO 9001 / 27001 / 27017 / 27018
PCI-DSS Level 1
HIPAA Eligible
FedRAMP Moderate
IRAP, MTCS, FIPS 140-2 Level 3 (KMS)

10.3 Data Subject Rights Response

Procedures in place to identify and process data subject rights requests (access, rectification, erasure) under applicable privacy laws / GDPR
Subject to a separate processing agreement between the data controller and processor

Appendix A. Glossary

Term	Definition
DynamoDB	AWS serverless NoSQL database service
SigV4	AWS Signature Version 4 — standard for signing API calls
KMS	AWS Key Management Service (FIPS 140-2 Level 3 HSM)
PITR	Point-in-Time Recovery
DAX	DynamoDB Accelerator (in-memory cache)
AEAD	Authenticated Encryption with Associated Data
IAM Role	AWS Identity and Access Management role
MFA	Multi-Factor Authentication
Optimistic Lock	Optimistic concurrency control based on conditional writes

Appendix B. Contact

For technical inquiries regarding this document, please contact ARGOS Identity through the sales or technical support channel.

Overview

Service Categories

Documentation Index

​1. Document Overview

​1.1 Purpose

​1.2 Target Audience

​1.3 Scope

​2. Network Communication Flow

​2.1 Call Structure

​2.2 Communication Characteristics

​2.3 External Exposure

​3. Communication Protocols and Standards

​3.1 Transport Layer

​3.2 Authentication Signing

​3.3 Call Patterns

​4. Data Encryption

​5.1 Primary — Server-Side Encryption (AWS-managed)

​5.2 Secondary — Application-Layer Additional Encryption (sensitive fields)

​5.3 Object Storage (Reference)

​5.4 Encryption in Transit

​6. Authentication and Authorization

​6.1 Caller Authentication

​6.2 Authorization

​7. Integrity

​8. Access Control and Isolation

​8.1 Network Layer

​8.2 IAM Isolation

​8.3 Environment Isolation

​9. Logging and Auditing

​9.1 Application Auditing

​9.2 Retention

​10. Compliance

​10.1 ARGOS Identity Held Certifications

​10.2 AWS DynamoDB Certifications (Inherited)

​10.3 Data Subject Rights Response

​Appendix A. Glossary

​Appendix B. Contact