# Data Security **African Wood Inc.** — 274 Liborio Dr., Middletown DE 19709 ## Encryption - **In transit:** All connections require TLS 1.3 (ALB policy `ELBSecurityPolicy-TLS13-1-3-2021-06`); plain-HTTP and legacy TLS are refused. - **At rest:** All stored data — including identity documents (SSNs, passports, KRA PINs) — is encrypted with AES-256 via AWS KMS customer-managed keys with automatic annual rotation. ## Access Control - Role-Based Access Control (RBAC) with least-privilege IAM roles. - Postgres Row-Level Security isolates every tenant at the database layer. - Administrator access requires mandatory multi-factor authentication. ## SOC 2 Type II Measures - **Continuous monitoring:** CloudTrail (multi-region, log-file validation), VPC Flow Logs, CloudWatch alarms, and AWS WAF managed rules. - **Immutable audit logs:** an append-only, hash-chained SQL ledger records every state transition, administrative override, and configuration change with timestamp, IP address, and user ID. UPDATE/DELETE are blocked at the database engine level. - **Availability:** Multi-AZ architecture, automated RDS backups (35-day retention), and ECS auto scaling. ## Regulatory Alignment - **United States:** operated to US federal security standards. - **United Kingdom:** African Wood Limited is registered with the Information Commissioner's Office (ICO). - **Kenya:** African Wood Inc. is registered with the Office of the Data Protection Commissioner (ODPC).