Confidence in the carbon market starts with confidence in your data’s security.
Your data is encrypted at rest
All customer data in our data stores is encrypted while at rest. Moreover, sensitive collections and tables are encrypted at the row level. Because data is encrypted prior to being stored in the database, neither physical nor logical access to the database alone is sufficient to access any sensitive data.
Your data is encrypted in transit
Patch uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. In addition, Patch uses HTTP Strict Transport Security to maximize the security of in-transit data. Server TLS keys and certificates are managed by Amazon Web Services.
Your secrets are protected
Patch’s encryption keys (256-bit Advanced Encryption Standard) are managed via AWS Key Management Service (KMS). KMS stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals — including employees of Amazon and Patch. The keys stored in HSMs are used for encryption and decryption via Amazon’s KMS APIs. Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.
Access is limited and documented
Patch adheres to the “Principle of Least Privilege,” which ensures that access to any production system or datastore is limited to only those with a legitimate business need and only granted for the minimum time needed. All access requests are documented.
Patch employs constant vulnerability scanning:
- Static analysis of every code commit
- Third-party libraries and dependencies
- Real-time application threat detection
The Patch team holds itself to the highest standards of internal security.
SOC 2 Type II Compliant
Patch is SOC 2 Type II certified. Contact us to read our SOC 2 report.
Every Patch device is equipped with mobile device management software and anti-malware protection — all managed centrally.
Every Patch employee undertakes comprehensive security training during onboarding and every year thereafter. Engineers undertake additional training focused on secure coding principles and practices.
Network vulnerability scanning
Patch’s network systems are monitored for vulnerabilities to either internal or external threats.
Patch relies on Amazon GuardDuty to constantly monitor and protect our accounts from malicious activity.