Infrastructure Security

oklido runs on enterprise-grade cloud infrastructure with multiple layers of security.

Cloud Provider

We use Amazon Web Services (AWS) for all infrastructure:

Certification      Status
SOC 1/2/3          Certified
ISO 27001          Certified
PCI DSS Level 1    Certified
FedRAMP            Authorised
GDPR               Compliant

Data Residency

All oklido data is stored in the UK:

  • Primary region: AWS London (eu-west-2)
  • No data transfer outside the UK/EU
  • GDPR-compliant data handling

Network Security

Virtual Private Cloud (VPC)

  • Isolated network environment
  • Private subnets for databases
  • Public subnets for load balancers only
  • Network ACLs and security groups

Web Application Firewall (WAF)

Protection against common attacks:

  • SQL injection
  • Cross-site scripting (XSS)
  • Rate limiting
  • Geographic restrictions (optional)

DDoS Protection

  • AWS Shield Standard (included)
  • Automatic attack detection
  • Traffic scrubbing

Compute Security

Container Security

  • Applications run in isolated containers
  • Minimal base images
  • No root access
  • Regular security updates

Secrets Management

  • AWS Secrets Manager for credentials
  • Environment variables for configuration
  • No secrets in code or logs
  • Automatic rotation where possible

Database Security

PostgreSQL (AWS RDS)

  • Private subnet only (no public access)
  • Encrypted storage and connections
  • Automated backups
  • Point-in-time recovery

Access Control

  • IAM-based authentication
  • Separate credentials per service
  • Read replicas for high availability

Storage Security

Document Storage (S3)

  • Server-side encryption (AES-256)
  • Versioning enabled
  • Access logging
  • Cross-region replication for backups

Bucket Policies

  • Public access blocked
  • Presigned URLs for downloads
  • Time-limited access

Monitoring & Logging

What We Log

  • All API requests
  • Authentication events
  • Security events
  • Error conditions

Log Security

  • Encrypted in CloudWatch
  • Retained for 90 days
  • Immutable (append-only)
  • SIEM integration

Alerting

Real-time alerts for:

  • Security incidents
  • Unusual activity patterns
  • System errors
  • Performance issues

Backup & Recovery

Backup Schedule

Data             Frequency                Retention
Database         Daily                    30 days
Documents        Real-time replication    Indefinite
Configuration    On change                90 days

Disaster Recovery

  • RTO (Recovery Time Objective): 4 hours
  • RPO (Recovery Point Objective): 1 hour
  • Regular DR testing
  • Documented runbooks

Vulnerability Management

Scanning

  • Automated vulnerability scanning (weekly)
  • Dependency scanning in CI/CD
  • Container image scanning
  • Infrastructure scanning

Patching

  • Critical patches: Within 24 hours
  • High severity: Within 7 days
  • Medium/Low: Within 30 days

Penetration Testing

  • Annual third-party penetration tests
  • Remediation tracking
  • Re-testing of findings
  • Executive summary available on request

Physical Security

AWS data centres provide:

  • 24/7 security personnel
  • Biometric access controls
  • Video surveillance
  • Environmental controls

We don't operate our own data centres.

Compliance

Our infrastructure meets requirements for:

  • Cyber Essentials Plus
  • GDPR
  • SOC 2 Type II (in progress)
