Security and Data Policy

This page outlines the security measures and data policies for the core services of the Pontus Platform.

Data Policy Overview

The following table summarizes the data policies at rest surrounding the core services of the Pontus Platform:

Service            Stores Secrets/Creds   Stores Sensitive Data   Deletion Policy
Pontus             No                     No                      N/A
PostgreSQL         Yes                    Yes                     On Request
Secrets Manager    Yes                    Yes                     On Request
Redis              No                     Not stated              After 24 hours
RabbitMQ           No                     No                      N/A
Bedrock            No                     No                      N/A

Services

PostgreSQL

Pontus uses Postgres to store:

  • Automations for your workspace
  • Users and their permissions in your workspace
  • Automation Runs for each automation
  • Credentials for authentication into 3rd party providers
  • Other application-specific configuration data/metadata

Pontus ensures the following for the Postgres service:

  • All secrets and other credentials are stored encrypted.
  • Users can only access data tied to the workspace they belong to, and only the data they need to know.
  • Any data deletion requests will be handled promptly.

AWS Secrets Manager

Pontus uses AWS Secrets Manager as its vault to store:

  • Credentials for connecting to the database, cache, and queue

Pontus ensures the following for the Secrets Manager:

  • All credentials are stored encrypted.
  • Any credential deletion request will be handled promptly.

ElastiCache Redis

Pontus uses Redis to store:

  • Run data for actively running and recently completed automations

Pontus ensures the following for the Redis service:

  • All data will be purged within 24 hours of storage.
  • No secrets or other credentials will be stored in Redis.
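The 24-hour purge rule above is easiest to keep if every write carries an expiry and something periodically checks for keys that slipped through without one. The following is an added example, not Pontus code: it uses the redis-py method names (set with ex=, ttl, scan_iter) so the two policy functions work unchanged against a real ElastiCache client, while the FakeRedis class is a constructed in-memory stand-in so the example runs offline. The run:<id> key naming is an assumption.

```python
"""Enforce and audit a Redis retention rule: every run key carries a TTL of at most 24 hours.

Added example, not Pontus code. The functions call redis-py methods (set(..., ex=), ttl(),
scan_iter()); FakeRedis is a constructed stand-in that mimics only those three calls.
"""
import json
import time

MAX_TTL_SECONDS = 24 * 60 * 60  # the policy's 24-hour purge window


class FakeRedis:
    """Constructed minimal stand-in for redis.Redis: values with an optional expiry."""

    def __init__(self):
        self._data = {}  # key -> (value, expires_at or None)

    def set(self, name, value, ex=None):
        expires_at = time.time() + ex if ex is not None else None
        self._data[name] = (value, expires_at)
        return True

    def ttl(self, name):
        entry = self._data.get(name)
        if entry is None:
            return -2  # Redis convention: key does not exist
        _, expires_at = entry
        if expires_at is None:
            return -1  # Redis convention: key exists but has no expiry
        return max(0, int(expires_at - time.time()))

    def scan_iter(self, match="*"):
        prefix = match.rstrip("*")
        return (k for k in list(self._data) if k.startswith(prefix))


def store_run_data(client, run_id, payload, ttl_seconds=MAX_TTL_SECONDS):
    """Write run data with a mandatory expiry; refuse TTLs outside the policy window.

    Returns the key written (assumed naming scheme: run:<id>).
    """
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl {ttl_seconds}s is outside the 24-hour policy window")
    key = f"run:{run_id}"
    client.set(key, json.dumps(payload), ex=ttl_seconds)
    return key


def audit_retention(client, pattern="run:*"):
    """Return (key, ttl) pairs that violate the policy: no expiry (-1) or TTL above 24h."""
    violations = []
    for key in client.scan_iter(match=pattern):
        remaining = client.ttl(key)
        if remaining == -1 or remaining > MAX_TTL_SECONDS:
            violations.append((key, remaining))
    return violations


if __name__ == "__main__":
    r = FakeRedis()
    store_run_data(r, "abc", {"status": "running"})
    r.set("run:legacy", "{}")  # constructed violation: written without an expiry
    print(audit_retention(r))  # the legacy key is reported with ttl -1
```

Running audit_retention on a schedule (and alerting on a non-empty result) turns the "purged within 24 hours" statement into something that is checked rather than assumed; the ValueError in store_run_data stops a caller from quietly extending retention past the window.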

Amazon MQ RabbitMQ

Pontus uses RabbitMQ to store:

  • Queued automations and tasks to complete

Pontus ensures the following for the RabbitMQ service:

  • All data will be purged within 24 hours of storage.
  • No sensitive data of any kind will be stored in RabbitMQ.

AWS Bedrock

Pontus uses AWS Bedrock to prompt LLMs for AI automations:

  • Pontus currently uses Llama 3.1 70B for all automations

Pontus ensures the following for the AWS Bedrock service:

  • No sensitive data of any kind will be sent to AWS Bedrock

Pontus Container

Pontus ensures the following for the Pontus container:

  • The container will not store any sensitive data of any kind at rest.
  • All automations, automation runs, and container actions will be stored in the database and accessible to clients.
  • Pontus will be the only service with access to the VPC with the database, cache, and queue.
  • Pontus will be the only service granted IAM-based access to the Secrets Manager and Bedrock Inference.
  • Pontus will only interact with the following services:
    • Postgres database
    • Redis cache
    • RabbitMQ queue
    • Bedrock LLM
    • Secrets Manager
    • Caddy API gateway
    • Third Party Providers
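The IAM statement that "Pontus will be the only service granted IAM-based access to the Secrets Manager and Bedrock Inference" is enforced by attaching a narrowly scoped policy to the role the Pontus container runs under and to no other role. The following is an added example policy, not Pontus's own: the secret name prefix pontus/, the <region> and <account-id> placeholders, and the model ID meta.llama3-1-70b-instruct-v1:0 for Llama 3.1 70B Instruct are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPontusBackingServiceCredentials",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:<region>:<account-id>:secret:pontus/*"
    },
    {
      "Sid": "InvokeOnlyTheApprovedModel",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:<region>::foundation-model/meta.llama3-1-70b-instruct-v1:0"
    }
  ]
}
```

Two points worth checking in any deployment of this shape: the Resource for Secrets Manager is limited to the database, cache and queue credentials rather than "*", so a compromised container cannot read unrelated secrets in the account; and the Bedrock Resource names the single approved model, so the "Llama 3.1 70B for all automations" statement is enforced by IAM rather than only by application code.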