Bastion
Encrypted by default. Private by design.
Bastion is the security architecture that protects your data at every layer. From AES-256-GCM encryption to JWT authentication, from tenant isolation to rate limiting — security is not a feature, it's the foundation.
Every sensitive value in Pulse is encrypted before it touches the database. OAuth tokens, API keys, and credentials use AES-256-GCM authenticated encryption. Production secrets live in AWS Secrets Manager with automatic rotation.
Authentication flows through AWS Cognito, with the JWT verified on every request and every WebSocket message. No exceptions. Rate limiting prevents abuse. Input validation guards every endpoint. Tenant isolation ensures your data cannot be accessed by another tenant.
Security Architecture
AES-256-GCM Encryption
All sensitive data encrypted at rest with authenticated encryption. Keys are derived from secure secrets, not stored alongside data.
AWS Cognito Auth
User authentication via AWS Cognito with JWT tokens, MFA support, configurable password policies, and secure session management.
Secrets Manager
Production credentials stored in AWS Secrets Manager. Automatic rotation, IAM access control, audit logging, and a 5-minute cache TTL, so a rotated secret is picked up within five minutes.
Encrypted Database
PostgreSQL on AWS RDS with encryption at rest. Application-level field encryption for tokens and keys adds a second layer.
Token Refresh
Background service proactively refreshes OAuth tokens 5 minutes before expiration. Combined with central 401 detection and automatic cache invalidation, integrations do not lose access when a token expires.
Session Expiry Detection
Periodic checks every 5 minutes detect expired JWT sessions. Automatic Cognito token refresh or clean redirect to login — connections never silently fail.
Unified Encryption
Single AES-256-GCM encryption module shared across all services. Backward-compatible format detection ensures tokens encrypted by any service are readable everywhere.
Tenant Isolation
Every query, API call, and file access is scoped by tenant ID, so cross-tenant access is ruled out by the architecture rather than by per-endpoint checks.
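One way to make tenant scoping structural, as an added example rather than Pulse's own code: a query helper that refuses to build a statement without a tenant context, puts the tenant filter in every WHERE clause itself, and rejects any attempt by a caller to override it. The table names, the rows, and the tiny evaluator standing in for a real database client are constructed for the example.

```javascript
// Added example, not Pulse's own code: a data-access helper that cannot produce a query
// without a tenant context, so the tenant filter is structural rather than per-endpoint.
const ALLOWED_TABLES = new Set(['memories', 'conversations', 'files']);   // constructed names
const IDENT = /^[a-z_][a-z0-9_]*$/;

function scopedSelect(ctx, table, filters = {}) {
  if (!ctx || typeof ctx.tenantId !== 'string' || ctx.tenantId === '') {
    throw new Error('tenant context required');          // no tenant-less reads, ever
  }
  if (!ALLOWED_TABLES.has(table)) throw new Error(`unknown table: ${table}`);
  if ('tenant_id' in filters) throw new Error('tenant_id comes from the auth context, not from callers');
  const params = [ctx.tenantId];                           // $1 is always the tenant id
  const where = ['tenant_id = $1'];
  for (const [col, val] of Object.entries(filters)) {
    if (!IDENT.test(col)) throw new Error(`bad column name: ${col}`);   // identifiers cannot be bound, so allowlist them
    params.push(val);                                      // values are bound, never interpolated
    where.push(`${col} = $${params.length}`);
  }
  return { text: `SELECT * FROM ${table} WHERE ${where.join(' AND ')}`, params };
}

// Constructed rows: two tenants both own a memory with id 1.
const ROWS = {
  memories: [
    { tenant_id: 'tenant-a', id: 1, content: 'alpha notes' },
    { tenant_id: 'tenant-b', id: 1, content: 'bravo notes' },
  ],
};

// Toy evaluator for the generated SQL so the example runs without a database;
// stands in for a client call such as pool.query(text, params).
function execute({ text, params }) {
  const table = text.match(/FROM (\w+)/)[1];
  const conds = [...text.matchAll(/(\w+) = \$(\d+)/g)].map(m => [m[1], params[Number(m[2]) - 1]]);
  return (ROWS[table] || []).filter(row => conds.every(([col, val]) => row[col] === val));
}
```

Because the tenant id is always parameter $1 and is taken from the verified auth context, an endpoint author cannot forget the filter, and a request that tries to name another tenant in its filters is rejected before any SQL is produced.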
Rate Limiting
Redis sliding window rate limiting per tenant and plan tier. Prevents abuse while ensuring fair resource allocation.
Input Validation
Zod schemas validate every API request and WebSocket message. Malformed input is rejected before reaching business logic.
JWT Verification
Every HTTP request and WebSocket message verifies JWT against Cognito JWKS. No unauthenticated access to any endpoint.
Infrastructure Security
AWS VPC with private subnets, NAT gateway, security groups, and ECS Fargate for container isolation. No SSH access to production.
Centralized Error Logging
All errors from gateway, API, and web are logged to a unified error_logs table — never exposed to users. Admin dashboard provides filtering, bulk resolve, and circuit breaker visibility.
GDPR Compliance
Full data portability: export memories, conversations, and files. Disconnect integrations instantly. Delete account and all data permanently.
How Bastion protects you
Request authenticated
Every request's JWT is verified against the AWS Cognito JWKS. Invalid tokens are rejected immediately.
Rate limits checked
Redis sliding window ensures the request is within plan limits. Exceeded limits return clear error responses.
Input validated
Zod schemas validate the request body, params, and headers. Input that does not match the schema is rejected before it reaches business logic.
Data encrypted
Any sensitive data written to the database is encrypted with AES-256-GCM. Read operations decrypt transparently.