# Data Security
**African Wood Inc.** — 274 Liborio Dr., Middletown DE 19709
## Encryption
- **In transit:** All connections require TLS 1.3 (ALB policy
`ELBSecurityPolicy-TLS13-1-3-2021-06`); plain-HTTP and legacy TLS are refused.
- **At rest:** All stored data — including identity documents (SSNs,
passports, KRA PINs) — is encrypted with AES-256 via AWS KMS
customer-managed keys with automatic annual rotation.
## Access Control
- Role-Based Access Control (RBAC) with least-privilege IAM roles.
- Postgres Row-Level Security isolates every tenant at the database layer.
- Administrator access requires mandatory multi-factor authentication.
## SOC 2 Type II Measures
- **Continuous monitoring:** CloudTrail (multi-region, log-file validation),
VPC Flow Logs, CloudWatch alarms, and AWS WAF managed rules.
- **Immutable audit logs:** an append-only, hash-chained SQL ledger records
every state transition, administrative override, and configuration change
with timestamp, IP address, and user ID. UPDATE/DELETE are blocked at the
database engine level.
- **Availability:** Multi-AZ architecture, automated RDS backups (35-day
retention), and ECS auto scaling.
## Regulatory Alignment
- **United States:** operated to US federal security standards.
- **United Kingdom:** African Wood Limited is registered with the
Information Commissioner's Office (ICO).
- **Kenya:** African Wood Inc. is registered with the Office of the Data
Protection Commissioner (ODPC).