All public-facing services use HTTPS configured with the “modern” TLS cipher suite, meeting current industry standards for encryption. Inter-component encryption also uses HTTPS communication with the same configuration backed by AWS IAM roles and further locked down by AWS security groups, which are both configured with a “deny-by-default” policy and a whitelist of only permitted services. Database connections also use TLS 1.2 encryption in “verify full” mode, which is the strongest level supported by the AWS RDS database.
All data stored is also encrypted at rest using AES-256 following Amazon’s best practice for doing so. The only exception to this is uploaded images that are used on the public-facing website in support articles and for branding, which are not encrypted.