Specifications — Technical Details

Encryption

Technical specifications for encryption at rest, in transit, and the customer-managed KMS key model — including IAM permission boundaries, CloudTrail audit logging, and the CMEK pattern.


Encryption At Rest

Data Store | Algorithm | Default Key Management | With Customer-Managed Key
Aurora PostgreSQL | AES-256 | AWS managed key (aws/rds) | Customer-managed KMS key in customer account
Amazon S3 | AES-256 (SSE-S3 / SSE-KMS) | SSE-S3 (AWS managed) | SSE-KMS with customer-managed key
EBS volumes (EC2 GPU) | AES-256 | AWS managed key | AWS managed (ephemeral, no persistent data)
Secrets Manager | AES-256 | AWS managed key (aws/secretsmanager) | AWS managed (PanOps infra account)
DynamoDB (state store) | AES-256 | AWS managed key | AWS managed (PanOps infra account)

Encryption In Transit

Connection | Protocol | Notes
Browser → PanOps API | TLS 1.2 / 1.3 | HTTPS enforced; HSTS header set
Connector workers → Platform APIs | TLS 1.2+ | M365, Gmail, Slack, Zoom all require HTTPS
Connector workers → Aurora | TLS (SSL mode required) | Aurora SSL certificates verified in connection string
Connector workers → S3 | HTTPS (AWS SDK default) | S3 bucket policy denies non-HTTPS requests
PanOps Shared Compute → Customer VPC | VPC Peering (private) | Traffic never traverses public internet; AWS backbone only
Webhook endpoints (SMS/voice) | HTTPS + payload signature verification | HMAC or token signature verified per platform

Customer-Managed KMS Key

Each customer's dedicated AWS sub-account includes an AWS KMS Customer Managed Key (CMK) created specifically for that customer's data. This key is used to encrypt Aurora storage and S3 objects via SSE-KMS.

PanOps IAM Permissions on Customer KMS Key

PanOps's service role, which lives in the PanOps shared-compute account, is granted a strictly bounded set of KMS permissions by the key policy in the customer account. The policy allows only the data-plane actions below; no administrative action is granted, and KMS denies a cross-account principal anything the key policy does not allow:

{
  "Sid": "PanOpsServiceAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<panops-shared-compute-account>:role/PanOpsServiceRole"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

// Not granted (no statement allows them, so KMS denies them):
// kms:ScheduleKeyDeletion (there is no kms:DeleteKey action; deletion is scheduled)
// kms:CancelKeyDeletion
// kms:DisableKey / kms:EnableKey
// kms:PutKeyPolicy
// kms:CreateGrant / kms:RevokeGrant (administrative)
// Any IAM administration in the customer account

Key policy is enforced by AWS. KMS key policies are evaluated by the AWS KMS service, not by PanOps application code. Because the role sits in another account, a call succeeds only if the key policy in the customer account allows it and an IAM policy in the PanOps account allows it as well; either side can refuse. PanOps cannot escalate its own permissions on the key without modifying the key policy, which requires kms:PutKeyPolicy or IAM admin rights in the customer account, neither of which PanOps has. The omission of kms:EnableKey and kms:CancelKeyDeletion matters as much as the omission of DisableKey and ScheduleKeyDeletion: it is what prevents PanOps from reversing a customer's revocation.
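As an added example, not PanOps code or a PanOps tool: the check a customer would run before trusting the statement above. It parses a key policy offline, expands the vendor's action patterns the way KMS does (so a stray kms:* or an over-wide wildcard is caught), and reports any administrative action the vendor role would end up holding. The account IDs, ARNs and both policy documents are constructed for the example; policy conditions are ignored, which makes the check conservative rather than permissive.

```python
"""Offline check that a KMS key policy gives a vendor role data-plane actions only.

Added example, not PanOps code. Account IDs and both policy documents are
constructed. Conditions are not evaluated (treated as satisfied), so the check
can over-report what a principal holds but never under-report it.
"""
import fnmatch

# Illustrative subset of real KMS API actions, used to expand patterns such as
# "kms:ReEncrypt*" or "kms:*" into the concrete actions they match.
KMS_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:GetKeyPolicy", "kms:PutKeyPolicy",
    "kms:CreateGrant", "kms:RetireGrant", "kms:RevokeGrant", "kms:ListGrants",
    "kms:DisableKey", "kms:EnableKey", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion", "kms:EnableKeyRotation", "kms:DisableKeyRotation",
    "kms:CreateAlias", "kms:DeleteAlias", "kms:DeleteImportedKeyMaterial",
]

# Actions that change who can use the key, destroy it, or reverse a customer's
# kill switch. EnableKey and CancelKeyDeletion matter as much as DisableKey and
# ScheduleKeyDeletion: a vendor holding them could undo a revocation.
ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:CreateGrant", "kms:RevokeGrant",
    "kms:DisableKey", "kms:EnableKey",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:DeleteImportedKeyMaterial",
}

VENDOR_ARN = "arn:aws:iam::111111111111:role/PanOpsServiceRole"  # constructed
CUSTOMER_ROOT = "arn:aws:iam::222222222222:root"                  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """ARNs a statement names; ["*"] means it applies to every principal."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)


def _expand(patterns):
    """Expand IAM action patterns (case-insensitive, '*' wildcard) to concrete actions."""
    return {a for a in KMS_ACTIONS for p in _as_list(patterns)
            if fnmatch.fnmatchcase(a.lower(), p.lower())}


def effective_actions(policy, principal_arn):
    """KMS actions `principal_arn` may call under this key policy alone.

    Mirrors key-policy evaluation: an explicit Deny beats any Allow, a
    Principal of "*" matches everyone, and NotAction means "all but these".
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        principals = _principals(stmt)
        if "*" not in principals and principal_arn not in principals:
            continue
        if "NotAction" in stmt:
            actions = set(KMS_ACTIONS) - _expand(stmt["NotAction"])
        else:
            actions = _expand(stmt.get("Action", []))
        (allowed if stmt.get("Effect") == "Allow" else denied).update(actions)
    return allowed - denied


def check_vendor_bound(policy, vendor_arn=VENDOR_ARN):
    """Return (ok, findings); ok is False if the vendor holds any admin action."""
    findings = sorted(effective_actions(policy, vendor_arn) & ADMIN_ACTIONS)
    return not findings, findings


# Constructed key policy in the shape the page describes: the customer account
# root keeps full control, the vendor role gets data-plane actions only.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CustomerAdmin", "Effect": "Allow",
         "Principal": {"AWS": CUSTOMER_ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "PanOpsServiceAccess", "Effect": "Allow",
         "Principal": {"AWS": VENDOR_ARN},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# The same policy after a careless edit widened the vendor statement to "kms:*".
OVERBROAD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [SAMPLE_KEY_POLICY["Statement"][0],
                  dict(SAMPLE_KEY_POLICY["Statement"][1], Action="kms:*")],
}

if __name__ == "__main__":
    for label, policy in (("bounded", SAMPLE_KEY_POLICY),
                          ("overbroad", OVERBROAD_KEY_POLICY)):
        ok, findings = check_vendor_bound(policy)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Run it as a pre-merge check on whatever Terraform or CloudFormation manages the key policy. It is deliberately stricter than the page's own list: kms:EnableKey and kms:CancelKeyDeletion count as administrative because either would let the vendor reverse a revocation.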

CloudTrail Audit Logging

Every KMS API call against the customer's key, including every encrypt and decrypt operation PanOps performs, is recorded in AWS CloudTrail within the customer's own AWS account. The customer controls this CloudTrail trail; PanOps has no permissions on it and cannot modify, delete, or suppress its entries. Two things to check on the customer side: the trail must not be configured to exclude AWS KMS events (a trail option, and the Event history view only keeps 90 days without a trail), and the record for an assumed-role call carries the STS session ARN in userIdentity.arn, with the role itself under sessionContext.sessionIssuer, so alerting should match on the issuer.

What's Logged | CloudTrail Event | Who Can Read It
Every PanOps encrypt call | kms:Encrypt (includes caller ARN, timestamp) | Customer only (their CloudTrail)
Every PanOps decrypt call | kms:Decrypt (includes caller ARN, timestamp) | Customer only
Key policy changes | kms:PutKeyPolicy | Customer only
Key disable / deletion | kms:DisableKey / kms:ScheduleKeyDeletion | Customer only

Kill Switch Mechanics

The customer can revoke PanOps data access immediately and unilaterally by acting on their KMS key. No notice to PanOps is required. No contractual process is required. The action is entirely within the customer's AWS account.

Action | Immediate Effect | Reversible?
Disable KMS key | New PanOps kms:Decrypt and kms:GenerateDataKey calls fail with DisabledException. Service stops. Data remains encrypted in Aurora/S3. | Yes: re-enable the key to restore service
Delete KMS key (pending window: 7 to 30 days, 30 by default) | Same as disable during the pending window (calls fail with KMSInvalidStateException); key material is destroyed when the window ends | Cancellable with kms:CancelKeyDeletion until the window ends
Delete KMS key (after the pending window) | Data permanently inaccessible to all parties, including the customer | No: permanent
Remove PanOps from key policy | PanOps calls fail with AccessDeniedException; same effect as disable | Yes: re-add PanOps to the key policy

"Immediate" applies to new KMS calls. A process that already holds a plaintext data key in memory can keep using it until it next has to call KMS, and AWS services that cache data keys (S3 with Bucket Keys enabled, for example) behave the same way, so revocation completes within the cache lifetime rather than at the instant of the API call. For Aurora, KMS is called by the RDS service rather than by PanOps, so disabling the key makes the cluster itself unavailable once RDS can no longer obtain its data key, not only PanOps's access to it. Re-enabling a key or cancelling a deletion requires kms:EnableKey or kms:CancelKeyDeletion, neither of which the PanOps role holds, so the vendor cannot reverse the customer's action.

CMEK model classification. This is an auditable CMEK model, consistent with the approach used by Snowflake (Tri-Secret Secure), Google Workspace CMEK, and Salesforce Shield. The key lives with the customer; the vendor can decrypt only while the key is active. This is distinct from client-side encryption (often marketed as zero-knowledge), where the vendor cannot decrypt at all: PanOps must decrypt to process data, but the customer can revoke that access at any time.
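Added example covering both the CloudTrail section and the kill switch table; it is not PanOps code. It runs over a constructed CloudTrail log file for the key (every ARN, key ID, session name and timestamp is invented), separates administrative events from data-plane usage, flags decrypts by a role the customer has not allowlisted, and labels failed calls by the KMS error code each revocation action produces: DisabledException after a disable, KMSInvalidStateException while deletion is pending, AccessDeniedException after removal from the key policy. The sample records end with the customer disabling the key and PanOps's next Decrypt failing, which is the audit trail a revocation should leave.

```python
"""Triage CloudTrail records for a customer-managed KMS key.

Added example, not PanOps code. The records below are constructed in the shape
CloudTrail writes to S3 (a {"Records": [...]} document); every ARN and ID in
them is invented. CloudTrail's userIdentity.arn for an assumed role is the STS
session ARN, so the checks key on sessionContext.sessionIssuer, the role itself.
"""
import json
from collections import Counter

KEY_ARN = "arn:aws:kms:us-east-1:222222222222:key/1234abcd-12ab-34cd-56ef-1234567890ab"
VENDOR_ROLE = "arn:aws:iam::111111111111:role/PanOpsServiceRole"
OTHER_ROLE = "arn:aws:iam::222222222222:role/DataScienceRole"
CUSTOMER_ADMIN = "arn:aws:iam::222222222222:user/security-admin"

DATA_PLANE = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext"}
ADMIN = {"PutKeyPolicy", "DisableKey", "EnableKey", "ScheduleKeyDeletion",
         "CancelKeyDeletion", "CreateGrant", "RevokeGrant"}
# What a failed call on the key means once the customer pulls the kill switch.
KILL_SWITCH_ERRORS = {
    "DisabledException": "key disabled",
    "KMSInvalidStateException": "key pending deletion",
    "AccessDeniedException": "access denied (e.g. principal removed from key policy)",
}


def caller_role(record):
    """Stable identity behind a record: the issuing role for sessions, else the ARN."""
    ident = record["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def touches_key(record, key_arn):
    return any(r.get("ARN") == key_arn for r in record.get("resources", []))


def load_records(cloudtrail_json):
    """Parse one CloudTrail log file (the {"Records": [...]} document)."""
    return json.loads(cloudtrail_json)["Records"]


def triage(records, key_arn=KEY_ARN, allowed_roles=(VENDOR_ROLE,)):
    """Sort KMS events on one key into admin actions, unexpected callers,
    failed calls (with the kill-switch reason where recognisable) and usage."""
    report = {"admin": [], "unexpected": [], "failures": [], "usage": Counter()}
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or not touches_key(rec, key_arn):
            continue
        name, who, when = rec["eventName"], caller_role(rec), rec["eventTime"]
        if name in ADMIN:
            report["admin"].append((when, name, who))
        if name in DATA_PLANE and who not in allowed_roles:
            report["unexpected"].append((when, name, who))
        if "errorCode" in rec:
            reason = KILL_SWITCH_ERRORS.get(rec["errorCode"], rec["errorCode"])
            report["failures"].append((when, name, who, reason))
        elif name in DATA_PLANE:
            report["usage"][(who, name)] += 1
    return report


# --- constructed sample log (invented identities, CloudTrail record shape) ---
def _assumed_role(role_arn, session):
    account, name = role_arn.split(":")[4], role_arn.rsplit("/", 1)[1]
    return {"type": "AssumedRole", "accountId": account,
            "arn": f"arn:aws:sts::{account}:assumed-role/{name}/{session}",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": role_arn}}}


def _record(when, name, identity, error=None):
    rec = {"eventVersion": "1.08", "eventTime": when, "eventSource": "kms.amazonaws.com",
           "eventName": name, "awsRegion": "us-east-1", "userIdentity": identity,
           "resources": [{"accountId": "222222222222", "type": "AWS::KMS::Key", "ARN": KEY_ARN}],
           "eventType": "AwsApiCall"}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    _record("2025-01-10T09:00:01Z", "GenerateDataKey", _assumed_role(VENDOR_ROLE, "worker-1")),
    _record("2025-01-10T09:00:02Z", "Decrypt", _assumed_role(VENDOR_ROLE, "worker-1")),
    _record("2025-01-10T09:00:03Z", "Decrypt", _assumed_role(VENDOR_ROLE, "worker-2")),
    _record("2025-01-10T09:05:00Z", "Decrypt", _assumed_role(OTHER_ROLE, "jupyter")),
    _record("2025-01-10T10:00:00Z", "DisableKey",
            {"type": "IAMUser", "accountId": "222222222222", "arn": CUSTOMER_ADMIN}),
    _record("2025-01-10T10:00:09Z", "Decrypt", _assumed_role(VENDOR_ROLE, "worker-1"),
            error="DisabledException"),
]})

if __name__ == "__main__":
    for section, rows in triage(load_records(SAMPLE_LOG)).items():
        print(section, dict(rows) if isinstance(rows, Counter) else rows)
```

The same triage applies unchanged to a real trail: point it at the key ARN and the roles the customer expects to call KMS, and anything else that decrypts under the key shows up under "unexpected".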

Encryption Summary

Requirement | PanOps-managed key | Customer-managed KMS key (CMEK)
Data at rest encrypted | ✓ AES-256 | ✓ AES-256
Data in transit encrypted | ✓ TLS 1.2+ | ✓ TLS 1.2+
Key managed by customer | ✗ PanOps-managed | ✓ Customer AWS KMS CMK
Key in customer's account | ✗ (PanOps-managed) | ✓ Dedicated customer sub-account
Customer can revoke access | Contractual only | ✓ Structural kill switch (disable/delete KMS key)
All key usage audited | AWS-side logging (PanOps controlled) | ✓ Customer-controlled CloudTrail in customer account
PanOps admin access to key | Managed key | ✗ No ScheduleKeyDeletion / DisableKey / PutKeyPolicy
