TLS for Data Transmission

Transport Layer Security (TLS) is enabled for all data transmissions to ensure the confidentiality and integrity of data in transit. While the platform does not collect or process cardholder data, all external and internal communications are secured via TLS or mutual TLS (mTLS).

  1. No Cardholder Data Processed

    The platform does not collect or transmit cardholder data. However, secure data handling principles are still enforced throughout the system.

  2. TLS for External Communication

    All client-facing APIs are served over HTTPS/TLS using Go’s tls.Listen and a custom rpctls module. The application loads trusted certificates from disk and enforces TLS v1.2+.

  3. TLS for Internal Services

    All service-to-service communication between components (e.g., AMRS, Custodian, IAM) occurs over TLS connections. Services are initialized with a consistent configuration that enforces TLS encryption and, optionally, client certificate validation for mutual TLS (mTLS).

  4. Configurable TLS Settings

    TLS settings such as certificate paths, trust bundles, and allowed SANs are configured per environment via the application configuration (cfg).
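As an added illustration of items 2 to 4 (example code, not the platform's own rpctls module), the Go builder below produces a tls.Config that refuses anything below TLS 1.2, optionally requires and verifies client certificates for mTLS, and then checks the peer's leaf certificate against the configured allowed SANs. The Settings type and its field names are assumptions; the real cfg layout is not shown on this page.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// Settings stands in for the per-environment cfg values (hypothetical field names).
type Settings struct {
	RequireClientCert bool     // enable mutual TLS
	AllowedSANs       []string // DNS names a peer leaf certificate must carry
}

// NewServerConfig builds a tls.Config that enforces TLS 1.2+ and, when mTLS is
// enabled, verifies client certificates against the trust bundle and allow list.
func NewServerConfig(cert tls.Certificate, trust *x509.CertPool, s Settings) *tls.Config {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // TLS 1.0 and 1.1 handshakes are rejected
	}
	if s.RequireClientCert {
		cfg.ClientCAs = trust
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		// Runs after chain verification against ClientCAs succeeded; chains[0][0]
		// is the peer's leaf certificate.
		cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return fmt.Errorf("no verified client certificate chain")
			}
			return CheckAllowedSANs(chains[0][0], s.AllowedSANs)
		}
	}
	return cfg
}

// CheckAllowedSANs returns nil when at least one DNS SAN of the leaf certificate
// is on the allow list, and an error (which aborts the handshake) otherwise.
func CheckAllowedSANs(leaf *x509.Certificate, allowed []string) error {
	for _, san := range leaf.DNSNames {
		for _, ok := range allowed {
			if san == ok {
				return nil
			}
		}
	}
	return fmt.Errorf("peer SANs %v not in allow list %v", leaf.DNSNames, allowed)
}
```

The config returned here is what would be handed to tls.Listen; a peer that presents a valid chain but an unlisted SAN is still refused.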

See 0003-mtls-between-services.md for more information.