Introduction

Secure Architecture on AWS

Amos V4 is hosted on Amazon Web Services (AWS), leveraging industry-standard managed services to ensure reliability, performance, and compliance.

Key components include:

• CloudFront: Distributes both static and dynamic content globally with low latency, while adding automatic DDoS protection backed by AWS Shield Standard and caching.
• API Gateway: Provides a secure, scalable entry point for all APIs, with throttling, OAuth 2.0, and protocol translation built in.
• Cognito: Manages secure logins with MFA, integrates with enterprise IdPs (e.g., Azure AD, EntraID), and ensures strong OAuth 2.0-based API access.
• RDS: Delivers ACID-compliant data storage with automatic backups, failover, and dedicated VPC isolation.
• Elastic Beanstalk & Lambda: Elastic Beanstalk manages containerised workloads, while AWS Lambda powers serverless execution with automatic scaling.
• CloudWatch & WAF: Centralised monitoring, alerting, and protection against common exploits such as SQL injection or XSS.
• Dedicated VPCs: Each client is isolated in its own VPC, ensuring no cross-tenant data movement and simplifying compliance.

By default, Amos provisions live environments in AWS Dublin (EU-West-1) with disaster recovery in AWS Frankfurt (EU-Central-1). However, data residency is fully configurable — institutions can select preferred AWS regions globally to meet local compliance, regulatory, or strategic requirements.

Amos is designed with a cloud-agnostic architecture and can be deployed to Azure or Google Cloud on request, though AWS remains the primary supported platform.

Internal Security Processes

Security at Amos goes beyond technology. Our internal processes ensure ongoing protection and resilience:

• Secure SDLC: Code is reviewed, dependencies scanned, and security testing performed at every stage.
• CI/CD Pipelines: Automated deployments reduce human error and enforce consistency.
• Access Controls: MFA enforced for all Amos personnel; client environments remain isolated.
• Audit & Monitoring: CloudWatch integrates with the Amos app for detailed log visibility.
• Release Management: Major releases are deployed 3–4 times a year, with hotfixes delivered rapidly when needed.
  

To provide confidence, Amos undergoes regular third-party penetration testing across application, infrastructure, and APIs.

• Findings are remediated swiftly, with retesting to validate fixes.
• Tests cover OWASP Top 10, API exploits, and infrastructure vulnerabilities.
  

Amos practices and controls are designed to support compliance with GDPR, ISO 27001, HIPAA, and similar frameworks.

Disaster Recovery & Business Continuity

Amos is resilient to outages and failures, including regional AWS issues:

• By default, Amos deploys live environments in AWS Dublin with disaster recovery in AWS Frankfurt. If required, institutions can choose alternative primary and failover regions globally to meet specific compliance or operational requirements.
• Backups: Source code, AMIs, and RDS snapshots are backed up securely to S3.
• IaC: Terraform scripts enable rapid infrastructure recovery.

Data Protection & Compliance

Amos ensures client control over data retention policies. Each institution defines how long data is stored, with encryption options (AWS KMS for RDS, S3 server-side encryption).

Key principles:

• No multi-tenancy — every client has a fully isolated environment.
• All data in transit is encrypted (TLS 1.2+, with support for TLS 1.3 where available).
• APIs are OAuth 2.0-only, with IP whitelisting supported for additional security.
• No client data is stored on end-user devices.
  

This approach simplifies compliance with GDPR, HIPAA, and ISO 27001 by ensuring clean, tenant-specific audit trails.