Your data is safe with us

Cloud Infrastructure

Salvinta runs entirely on Amazon Web Services (AWS) in the EU West 1 region (Ireland). All infrastructure is managed through code — there are no manually-configured servers or third-party hosting providers involved.

• Compute: AWS Lambda (serverless) — no persistent hosts to patch or compromise
• Database: Amazon DynamoDB — fully managed, highly available, encrypted at rest
• Storage: Amazon S3 with server-side encryption (SSE-S3)
• CDN & Edge: Amazon CloudFront with HTTPS enforcement
• API: AWS API Gateway v2 (HTTP API) with CORS restrictions
• AI: Amazon Bedrock (Advanced plan only) — queries are never used to train AWS models

Encryption

All data is protected with strong encryption both at rest and in transit.

• In transit: All communication uses TLS 1.2 or higher. HTTP connections are redirected to HTTPS by CloudFront. HSTS is enforced.
• At rest: DynamoDB tables and S3 buckets are encrypted at rest using AES-256 managed keys (AWS SSE).
• Passwords: Salvinta does not store passwords. Authentication is delegated entirely to Amazon Cognito, which handles password storage, hashing, and credential rotation.

Authentication & Access Control

User authentication is handled by Amazon Cognito, a managed identity provider with enterprise-grade security controls.

• JWT tokens: All API requests are authenticated with signed JWT access tokens. Tokens expire after 1 hour.
• Role-based access: Each user is assigned a role (Admin, Manager, User) that controls what they can view and modify within their tenant.
• Tenant isolation: All DynamoDB records are partitioned by tenantId. Every API endpoint validates that the requesting user belongs to the correct tenant — there is no cross-tenant data access.
• No shared databases: While data co-exists in the same DynamoDB tables, every query is enforced server-side to only return records for the authenticated tenant.
• MFA-ready: Amazon Cognito supports TOTP-based MFA. Contact support to enable it for your organisation.

Network Security

• CORS: API Gateway enforces strict Cross-Origin Resource Sharing (CORS) headers. Only approved origins can call the API.
• API authentication: All API endpoints (except signup/login) require a valid Bearer JWT token. Unauthorized requests receive HTTP 401.
• HTTPS-only: CloudFront is configured to redirect all HTTP requests to HTTPS. There is no non-TLS access path to any Salvinta endpoint.
• Lambda isolation: Each Lambda function runs in an isolated execution environment with the minimum IAM permissions required for its purpose (least-privilege).

AI & Data Processing (Advanced Plan)

For Advanced plan customers, AI features are powered by Amazon Bedrock.

• No training: Per AWS's Bedrock terms, prompts and completions are not used to train foundation models.
• Data minimisation: Only the specific evidence snippets relevant to your AI query are sent to Bedrock. We do not send complete database exports.
• EU processing: Bedrock requests are made from Lambda running in eu-west-1. Data does not leave the EU region.
• Opt-in: AI features are only active on the Advanced plan and must be explicitly used by your users.

Audit Logging & Monitoring

• Application audit log: All create, update, and delete operations within Salvinta are recorded in a per-tenant audit log with timestamp, user, and change detail.
• CloudWatch: All Lambda functions log to AWS CloudWatch Logs. Retention periods are set per our internal policy.
• Infrastructure logging: AWS CloudTrail is enabled to record all API calls to AWS services in the account.

Responsible Disclosure

If you discover a security vulnerability in Salvinta, please report it responsibly by emailing security@salvinta.com. We aim to acknowledge all reports within 3 business days and investigate all credible findings promptly.

Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.