> ## Documentation Index
> Fetch the complete documentation index at: https://developers.argosidentity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Database

> Network communication architecture and data security policies for the ARGOS Identity data storage layer (AWS DynamoDB).

## 1. Document Overview

### 1.1 Purpose

This document describes the network communication architecture and data security policies for the **data storage layer (Database)** used by ARGOS Identity. It is intended for use by security and network review personnel at customer organizations.

### 1.2 Target Audience

* Information security and security review personnel at customer organizations
* Personnel conducting data processing due diligence (data controller/processor relationships)
* Compliance / audit departments

### 1.3 Scope

* Data storage engine and call structure
* Encryption in transit and at rest
* Authentication, authorization, access control, and isolation
* Auditing, backup, and compliance

***

## 2. Network Communication Flow

### 2.1 Call Structure

```mermaid theme={null}
flowchart TD
    A[Verification processing layer<br/>Lambda / EC2] -->|AWS SDK call<br/>HTTPS + AWS SigV4 signature| B["AWS DynamoDB endpoint<br/>dynamodb.[region].amazonaws.com"]
    B --> C[(DynamoDB storage<br/>AWS-managed distributed storage)]
```

### 2.2 Communication Characteristics

| Item                   | Value                                                           |
| ---------------------- | --------------------------------------------------------------- |
| Protocol               | HTTPS (TLS 1.2+)                                                |
| Authentication         | AWS Signature Version 4 (SigV4)                                 |
| SDK                    | AWS SDK for JavaScript (v2/v3)                                  |
| Response format        | JSON                                                            |
| Caller location        | Verification processing layer (Lambda) / EC2 / management tools |
| Direct external access | **Not permitted** (internal AWS calls only)                     |

### 2.3 External Exposure

* DynamoDB is not directly exposed to the public internet; only internal services holding valid AWS credentials (IAM Role) can invoke it.
* All calls are completed within the AWS infrastructure.

***

## 3. Communication Protocols and Standards

### 3.1 Transport Layer

* **TLS 1.2 or higher** enforced (default AWS SDK behavior)
* DynamoDB endpoints are protected by AWS-issued certificates, which the SDK validates automatically

### 3.2 Authentication Signing

* All API calls are signed with **AWS Signature Version 4 (SigV4)**
* Signature elements: credentials (IAM Role) + request time + request method/path/header/body hash
* Any tampering causes immediate rejection by AWS (requests with a time difference of 5 minutes or more are automatically rejected)

### 3.3 Call Patterns

* **PutItem / GetItem / Query / UpdateItem / DeleteItem / BatchWrite / TransactWrite**
* Some hot paths use **DynamoDB Accelerator (DAX)** in-memory cache

***

## 4. Data Encryption

The data storage layer operates a **dual encryption structure**.

### 5.1 Primary — Server-Side Encryption (AWS-managed)

| Item           | Value                                                                  |
| -------------- | ---------------------------------------------------------------------- |
| Scope          | **Automatically applied to all tables, indexes, streams, and backups** |
| Algorithm      | AES-256                                                                |
| Key management | AWS KMS (FIPS 140-2 Level 3 HSM-based)                                 |

→ DynamoDB always encrypts all stored data using AWS KMS; there is no point at which data is written to disk in plaintext.

### 5.2 Secondary — Application-Layer Additional Encryption (sensitive fields)

**Sensitive personal data fields** such as ID numbers, passport numbers, and contact information are additionally encrypted at the application layer before storage.

| Item           | Value                                                              |
| -------------- | ------------------------------------------------------------------ |
| Algorithm      | **AES-256-GCM** (authenticated encryption)                         |
| Key management | **AWS KMS** Customer-managed Key                                   |
| Integrity      | GCM mode Auth Tag verification                                     |
| When applied   | Encrypted directly in the verification processing layer before PUT |

→ As a result, sensitive fields are stored in a **doubly encrypted** state (application-layer AES-256-GCM + server-side AES-256).

### 5.3 Object Storage (Reference)

Images (ID documents and selfies) are stored in AWS S3 with KMS-based server-side encryption applied.

### 5.4 Encryption in Transit

| Segment                            | Method                         |
| ---------------------------------- | ------------------------------ |
| Verification processing → DynamoDB | TLS 1.2+ (enforced by AWS SDK) |
| DynamoDB → backup/PITR             | AWS internal encryption (KMS)  |
| Cross-Region Replication           | AWS internal encryption (KMS)  |

***

## 6. Authentication and Authorization

### 6.1 Caller Authentication

* Callers must hold valid **AWS IAM credentials**
* The verification processing layer (Lambda / EC2) is automatically granted credentials via IAM Role
* Credentials are automatically rotated as short-lived tokens (STS Token)

### 6.2 Authorization

* **Per-table / per-operation** permission control via IAM Policy
* Least Privilege principle applied

***

## 7. Integrity

| Layer               | Integrity Assurance Method                                                             |
| ------------------- | -------------------------------------------------------------------------------------- |
| AWS DynamoDB        | All writes are synchronously replicated across multiple AZs with checksum verification |
| Application payload | AES-256-GCM Auth Tag verification                                                      |
| TLS channel         | TLS 1.2+ built-in integrity (AEAD / HMAC)                                              |

***

## 8. Access Control and Isolation

### 8.1 Network Layer

* No direct exposure to the public internet
* Dedicated to AWS internal communication (public endpoint, but IAM acts as gatekeeper)
* **VPC Gateway Endpoint** enforces communication over the AWS backbone

### 8.2 IAM Isolation

* Separate IAM Role per service
* Operators, developers, and automation tools have separate IAM users and groups
* Multi-Factor Authentication (MFA) enforced (console access)

### 8.3 Environment Isolation

* Live / Test tables operated separately
* Data movement between environments is performed only through an explicit migration procedure

***

## 9. Logging and Auditing

### 9.1 Application Auditing

* Domain events recorded in a separate audit table (KYC submission status changes, administrator actions, etc.)
* All audit records follow an append-only policy (immutable)

### 9.2 Retention

* CloudTrail logs: automatically retained for 90 days in the AWS console; long-term retention requires separate S3 storage
* DynamoDB backup (PITR): point-in-time recovery available for up to 35 days
* On-demand backup: no retention limit

***

## 10. Compliance

### 10.1 ARGOS Identity Held Certifications

* **ISO/IEC 27001** — International standard certification for information security management systems

### 10.2 AWS DynamoDB Certifications (Inherited)

* SOC 1 / SOC 2 / SOC 3
* ISO 9001 / 27001 / 27017 / 27018
* PCI-DSS Level 1
* HIPAA Eligible
* FedRAMP Moderate
* IRAP, MTCS, FIPS 140-2 Level 3 (KMS)

### 10.3 Data Subject Rights Response

* Procedures in place to identify and process data subject rights requests (access, rectification, erasure) under applicable privacy laws / GDPR
* Subject to a separate processing agreement between the data controller and processor

***

## Appendix A. Glossary

| Term            | Definition                                                 |
| --------------- | ---------------------------------------------------------- |
| DynamoDB        | AWS serverless NoSQL database service                      |
| SigV4           | AWS Signature Version 4 — standard for signing API calls   |
| KMS             | AWS Key Management Service (FIPS 140-2 Level 3 HSM)        |
| PITR            | Point-in-Time Recovery                                     |
| DAX             | DynamoDB Accelerator (in-memory cache)                     |
| AEAD            | Authenticated Encryption with Associated Data              |
| IAM Role        | AWS Identity and Access Management role                    |
| MFA             | Multi-Factor Authentication                                |
| Optimistic Lock | Optimistic concurrency control based on conditional writes |

***

## Appendix B. Contact

For technical inquiries regarding this document, please contact ARGOS Identity through the sales or technical support channel.
