Encryption

oklido uses industry-standard encryption to protect your documents and data.

Encryption at Rest

All stored data is encrypted using AES-256:

Data Type | Encryption | Key Management
Documents | AES-256 | AWS KMS
Database | AES-256 | AWS RDS encryption
Backups | AES-256 | AWS KMS
Logs | AES-256 | AWS CloudWatch

AWS Key Management Service (KMS)

We use AWS KMS for encryption key management:

  • Keys are stored in dedicated hardware security modules (HSMs)
  • Automatic key rotation every year
  • Keys never leave AWS KMS unencrypted
  • Full audit trail of key usage

Encryption in Transit

All data transmitted to and from oklido is encrypted:

Connection | Protocol | Minimum Version
Web traffic | TLS | 1.2 (1.3 preferred)
API calls | TLS | 1.2 (1.3 preferred)
Database connections | TLS | 1.2
Internal services | TLS | 1.2

TLS Configuration

  • Protocols: TLS 1.2 and 1.3 only (older versions disabled)
  • Cipher suites: Strong ciphers only, no known vulnerabilities
  • Perfect Forward Secrecy: Enabled
  • HSTS: Enforced with preload

Document Storage

Documents are stored in AWS S3 with multiple layers of protection:

  1. Server-side encryption (SSE-KMS)
    • Documents encrypted before writing to disk
    • Decrypted only when accessed by authorised users
  2. Bucket policies
    • Public access blocked
    • Access restricted to oklido application
  3. Access logging
    • All access attempts logged
    • Audit trail for compliance

Database Encryption

PostgreSQL database (AWS RDS) encryption:

  • Storage encryption: AES-256
  • Connection encryption: TLS required
  • Backup encryption: Same key as primary

Application-Level Security

Beyond infrastructure encryption:

  • Sensitive fields: Additional encryption for PII
  • API keys: Hashed, never stored in plain text
  • Session tokens: Cryptographically secure random generation
  • Password hashing: bcrypt with appropriate cost factor

What We Don't Encrypt

For performance and functionality:

  • Document metadata (titles, types) - needed for search
  • Audit logs - needed for compliance
  • Usage analytics - aggregated, anonymised

These items are still protected by access controls and database encryption.

Verifying Encryption

You can verify our encryption in transit yourself:

  1. Check the padlock in your browser address bar
  2. View certificate details - issued to oklido.com
  3. Test with SSL Labs - we score A+
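
The checks above can also be scripted. The following is an added example, not oklido's own code: it confirms a validated handshake at TLS 1.2 or newer and tests the returned HSTS header against the "enforced with preload" claim. The one-year max-age floor and the includeSubDomains requirement are assumptions taken from the hstspreload.org submission rules, not from this page, and the sample header is constructed.

```python
import socket
import ssl
import sys
import urllib.request

PRELOAD_MIN_AGE = 31536000  # one year; assumed floor from hstspreload.org rules
SAMPLE = "max-age=63072000; includeSubDomains; preload"  # constructed header value

def parse_hsts(header):
    """Split a Strict-Transport-Security value into (max_age, flag directives)."""
    max_age, flags = None, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')
            max_age = int(value) if value.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags

def hsts_findings(header):
    """Return problems that contradict 'HSTS enforced with preload'; [] means none."""
    if not header:
        return ["no Strict-Transport-Security header"]
    max_age, flags = parse_hsts(header)
    problems = []
    if max_age is None:
        problems.append("max-age missing or invalid")
    elif max_age < PRELOAD_MIN_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_AGE}")
    required = ("includesubdomains", "preload")
    return problems + [f"{d} directive missing" for d in required if d not in flags]

def tls_findings(version):  # version: protocol name from SSLSocket.version()
    return [] if version in ("TLSv1.2", "TLSv1.3") else [f"negotiated {version}, below TLS 1.2"]

def probe(host, port=443, timeout=10):
    """Live check; raises ssl.SSLError if the certificate or handshake is rejected."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
    with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as resp:
        hsts = resp.headers.get("Strict-Transport-Security")
    return tls_findings(version) + hsts_findings(hsts)

if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else hsts_findings(SAMPLE))
```

Run it with a hostname as the only argument for the live check; with no argument it evaluates the constructed sample header. An empty list means no findings.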

Compliance

Our encryption meets requirements for:

  • GDPR Article 32 - Security of processing
  • Cyber Essentials Plus - Cryptographic controls
  • SOC 2 - Encryption requirements
