Overview
Implicit's platform runs on Amazon Web Services and is built so that customer data is encrypted in transit and at rest, access is restricted to authorized identities, and public exposure is minimized by default. The sections below detail the security and compliance posture of each service and component in our stack, along with links to the underlying vendor documentation.
Security & data protection measures
Across AWS and application components.
Amazon S3
- Encryption at rest: Server-side encryption with S3-managed keys (SSE-S3, AES-256) is applied by AWS to every new object by default.
- Encryption in transit: Requests are served over HTTPS with TLS 1.2 or later (AWS no longer accepts TLS 1.0/1.1 on S3 endpoints). Because S3 endpoints still accept plaintext HTTP, this is only guaranteed for a bucket whose policy denies requests where the aws:SecureTransport condition is false.
- Public access: S3 Block Public Access is enabled on all current buckets; its four settings together reject public ACLs and public bucket policies.
Amazon CloudFront
- Encryption in transit: All viewer connections are redirected from HTTP to HTTPS with a minimum security policy of TLS 1.2. CloudFront also connects to origins such as S3 over HTTPS, so traffic is encrypted end to end.
- Encryption at rest: Content cached at AWS edge locations and regional edge caches is encrypted at rest with AES-256 by default, managed by AWS.
- Origin security: The S3 origin is not served directly. CloudFront authenticates its requests to S3 with an AWS-managed origin access mechanism (origin access control) over HTTPS, and the bucket policy grants object reads only to the CloudFront service principal acting for this distribution, so only CloudFront can retrieve content from S3.
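The following is an added example, not Implicit's own tooling or any AWS code. It checks the S3 and CloudFront settings listed above (Block Public Access, default encryption, a TLS-only bucket policy, a bucket policy scoped to one distribution, HTTPS redirection, a TLS 1.2 minimum, and origin access control on the S3 origin) against inputs in the shape boto3 returns from get_public_access_block, get_bucket_encryption, get_bucket_policy and get_distribution_config. The inputs here are constructed; the bucket name, account ID, distribution ARN and OAC ID are made up, and a real audit would replace them with live API responses.

```python
"""Offline check of the S3 + CloudFront chain described above (added example)."""
import json

BUCKET = "example-static-assets"                                            # assumed
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"  # assumed

# Constructed responses in boto3's shapes.
PUBLIC_ACCESS_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

BUCKET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowOnlyThisDistribution", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}}},
    {"Sid": "DenyPlaintextHttp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}

DISTRIBUTION = {"DistributionConfig": {
    "Origins": {"Items": [{"Id": "s3-origin",
                           "DomainName": f"{BUCKET}.s3.us-east-1.amazonaws.com",
                           "S3OriginConfig": {"OriginAccessIdentity": ""},  # empty when OAC is used
                           "OriginAccessControlId": "E3EXAMPLEOAC"}]},       # assumed
    "DefaultCacheBehavior": {"TargetOriginId": "s3-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.2_2021"}}}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _statements(doc):
    st = doc.get("Statement", [])
    return st if isinstance(st, list) else [st]


def check_bucket(pab, enc, pol, dist_arn):
    """Return findings for one bucket; an empty list means it matches the posture above."""
    findings = []
    cfg = pab["PublicAccessBlockConfiguration"]
    findings += [f"Block Public Access: {f} is off" for f in PAB_FLAGS if not cfg.get(f)]

    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
             for r in enc["ServerSideEncryptionConfiguration"]["Rules"]}
    if not algos & {"AES256", "aws:kms", "aws:kms:dsse"}:
        findings.append("no default server-side encryption configured")

    tls_only = False
    for s in _statements(json.loads(pol["Policy"])):
        cond = s.get("Condition", {})
        if s.get("Effect") == "Deny" and \
           str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false":
            tls_only = True  # plaintext HTTP is rejected by the bucket itself
        elif s.get("Effect") == "Allow":
            principal = s.get("Principal")
            scoped = (isinstance(principal, dict)
                      and principal.get("Service") == "cloudfront.amazonaws.com"
                      and cond.get("StringEquals", {}).get("AWS:SourceArn") == dist_arn)
            if not scoped:  # any other grant could expose objects outside CloudFront
                findings.append(f"Allow statement {s.get('Sid', '?')} is not scoped to the distribution")
    if not tls_only:
        findings.append("bucket policy does not deny aws:SecureTransport=false")
    return findings


def check_distribution(dist):
    """Return findings for viewer TLS, origin TLS and origin access control."""
    findings = []
    cfg = dist["DistributionConfig"]
    vpp = cfg["DefaultCacheBehavior"]["ViewerProtocolPolicy"]
    if vpp not in ("redirect-to-https", "https-only"):
        findings.append(f"viewer protocol policy is {vpp}")
    mpv = cfg["ViewerCertificate"].get("MinimumProtocolVersion", "")
    if not mpv.startswith("TLSv1.2_"):  # TLSv1.2_2018/2019/2021 are the TLS 1.2+ policies
        findings.append(f"minimum viewer TLS version is {mpv or 'unset (default certificate)'}")
    for o in cfg["Origins"]["Items"]:
        if "S3OriginConfig" in o:
            if not o.get("OriginAccessControlId"):
                findings.append(f"origin {o['Id']}: S3 origin has no origin access control")
        elif o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {o['Id']}: CloudFront may connect to the origin over HTTP")
    return findings


if __name__ == "__main__":
    bucket = check_bucket(PUBLIC_ACCESS_BLOCK, BUCKET_ENCRYPTION, BUCKET_POLICY, DIST_ARN)
    dist = check_distribution(DISTRIBUTION)
    print("bucket:", "OK" if not bucket else bucket)
    print("distribution:", "OK" if not dist else dist)
```

Both checks return an empty list for the constructed sample. The bucket check treats any Allow statement that is not the CloudFront service principal restricted by AWS:SourceArn as a finding, because a second grant is the usual way a "CloudFront-only" bucket quietly becomes readable by other paths.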
Amazon Bedrock
- Encryption in transit: All Bedrock API calls use TLS 1.2 or later.
- Encryption at rest: Data that Bedrock stores on our behalf is encrypted with AWS-owned keys, fully managed by AWS.
- Privacy protection: AWS states that prompts and completions are not stored or logged by Bedrock, are not used to train models, and are not shared with third-party model providers. The one exception is model invocation logging, which is off by default and, if enabled, writes to the customer's own S3 bucket or CloudWatch log group.
Neo4j
- Encryption in transit: All connections are required to use bolt+s, that is Bolt over TLS with the server's SSL/TLS certificate verified by the client (the bolt+ssc variant, which accepts self-signed certificates without verification, should not be used in production).
- Encryption at rest: Not native to Neo4j; it is to be provided by encrypting the underlying EBS volume (planned).
- Public access: Currently allowed; disabling it is planned.
Amazon Aurora (PostgreSQL)
- Encryption at rest: Storage encryption is enabled with the AWS managed KMS key for RDS (aws/rds, AES-256) and covers data, logs, automated backups, snapshots and replicas. Note that encryption can only be set when a cluster is created; an unencrypted cluster has to be restored into a new encrypted one.
- Encryption in transit: TLS is enforced server-side by the cluster parameter rds.force_ssl=1, which rejects non-SSL connections, with TLS 1.2 as the minimum protocol version (ssl_min_protocol_version). Clients should connect with sslmode=verify-full against the RDS CA bundle so the server certificate is checked, not merely encrypted against.
- Public access: No public access; the cluster is deployed in a private network with no publicly accessible endpoint and is reachable only by authorized identities.
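As an added example (not Implicit's tooling), the check below evaluates the three Aurora properties listed above, storage encryption, server-enforced TLS and no public reachability, against inputs in the shape of boto3's describe_db_clusters, describe_db_instances, describe_db_cluster_parameters and describe_security_groups responses. The cluster, instance, key and security group identifiers are constructed; a real audit would substitute live responses. It also flags ingress rules that reference an IP range instead of another security group, since a CIDR grant is the common way a "private" database becomes reachable from elsewhere.

```python
"""Offline check of the Aurora PostgreSQL posture described above (added example)."""

# Constructed sample data; identifiers are made up.
CLUSTER = {"DBClusterIdentifier": "app-aurora", "Engine": "aurora-postgresql",
           "StorageEncrypted": True,
           "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
           "DBClusterParameterGroup": "app-aurora-pg16",
           "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db1", "Status": "active"}]}

INSTANCES = [{"DBInstanceIdentifier": "app-aurora-writer", "PubliclyAccessible": False},
             {"DBInstanceIdentifier": "app-aurora-reader", "PubliclyAccessible": False}]

# Only the parameters that matter here; a real response lists hundreds.
PARAMETERS = [{"ParameterName": "rds.force_ssl", "ParameterValue": "1"},
              {"ParameterName": "ssl_min_protocol_version", "ParameterValue": "TLSv1.2"}]

# Port 5432 is open only to the application tier's security group, never to a CIDR.
SECURITY_GROUPS = [{"GroupId": "sg-0db1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0app"}]}]}]


def _param(params, name):
    """Value of a cluster parameter, or None if the response does not carry it."""
    return next((p.get("ParameterValue") for p in params if p["ParameterName"] == name), None)


def check_aurora(cluster, instances, params, security_groups):
    """Return findings; an empty list means the cluster matches the posture above."""
    findings = []
    if not cluster.get("StorageEncrypted"):
        findings.append("storage encryption is off (set at creation; restore into a new encrypted cluster)")

    # TLS enforcement lives in the cluster parameter group, not in the client.
    if _param(params, "rds.force_ssl") != "1":
        findings.append("rds.force_ssl is not 1: clients may connect without TLS")
    min_tls = _param(params, "ssl_min_protocol_version") or "TLSv1.2"  # PostgreSQL 12+ default
    if min_tls in ("TLSv1", "TLSv1.1"):
        findings.append(f"ssl_min_protocol_version allows {min_tls}")

    for inst in instances:
        if inst.get("PubliclyAccessible"):
            findings.append(f"{inst['DBInstanceIdentifier']} is publicly accessible")

    attached = {g["VpcSecurityGroupId"] for g in cluster.get("VpcSecurityGroups", [])}
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if cidrs:  # the caller should be identified by a security group, not an address range
                findings.append(f"{sg['GroupId']} allows ingress from {', '.join(cidrs)}")
    return findings


if __name__ == "__main__":
    result = check_aurora(CLUSTER, INSTANCES, PARAMETERS, SECURITY_GROUPS)
    print("OK" if not result else "\n".join(result))
```

The sample passes cleanly. Flipping rds.force_ssl to 0, marking an instance PubliclyAccessible, or adding a 0.0.0.0/0 ingress rule each produces one finding, which is the behaviour the test exercises.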
App & internal services (SSO layer)
- Authentication: Centralized single sign-on replaces long-lived credentials such as username and password.
- Encryption: HTTPS is used for all public application endpoints.
Workload images
- Image hardening: All container images are scanned automatically and on a schedule for known vulnerabilities and rebuilt with updated packages, with the goal of keeping the number of known, unpatched CVEs at or near zero.
Keycloak
- In transit: All communication between the browser and the Keycloak server is encrypted using HTTPS/TLS, which prevents man-in-the-middle attacks and keeps credentials secure as they travel over the network.
- At rest: Passwords are never stored in plain text. Keycloak stores a salted PBKDF2 hash (pbkdf2-sha512 by default in current releases, pbkdf2-sha256 in older ones), iterated many thousands of times with a random salt generated for each credential, so the original password cannot be recovered even if the database is compromised and identical passwords do not produce identical hashes.
- External identity providers (SSO): When a user authenticates through a brokered external identity provider (OIDC or SAML), Keycloak never receives or stores that user's password; the external provider is responsible for credential storage and hashing.
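To make the at-rest claim concrete, here is an added example (this author's code, not Keycloak's) of salted PBKDF2 hashing, constant-time verification, and the upgrade-on-login step that moves old records to the current policy. The stored record is modelled on the two JSON blobs Keycloak keeps per password credential (credential_data with algorithm and hashIterations, secret_data with the base64 hash and salt) and on a 512-bit derived key; the default parameters (pbkdf2-sha512, 210,000 iterations) are this author's reading of current Keycloak defaults, so check your realm's password policy before relying on them. Everything is standard library; the passwords used are constructed test values.

```python
"""Salted PBKDF2 password storage modelled on Keycloak's credential record (added example)."""
import base64
import hashlib
import hmac
import json
import os

ALGORITHMS = {"pbkdf2-sha256": "sha256", "pbkdf2-sha512": "sha512"}
DERIVED_KEY_BYTES = 64  # 512-bit derived key (assumption: matches Keycloak's provider)

# What the realm currently requires; weaker stored records are upgraded on next login.
POLICY = {"algorithm": "pbkdf2-sha512", "hashIterations": 210_000}  # assumed defaults


def hash_password(password, algorithm=POLICY["algorithm"],
                  iterations=POLICY["hashIterations"], salt=None):
    """Return (credential_data, secret_data) JSON strings for a new password."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per credential
    derived = hashlib.pbkdf2_hmac(ALGORITHMS[algorithm], password.encode("utf-8"),
                                  salt, iterations, dklen=DERIVED_KEY_BYTES)
    credential_data = json.dumps({"algorithm": algorithm, "hashIterations": iterations})
    secret_data = json.dumps({"value": base64.b64encode(derived).decode(),
                              "salt": base64.b64encode(salt).decode()})
    return credential_data, secret_data


def verify_password(password, credential_data, secret_data):
    """Recompute the derived key with the stored salt and parameters; compare in constant time."""
    cred = json.loads(credential_data)
    secret = json.loads(secret_data)
    expected = base64.b64decode(secret["value"])
    derived = hashlib.pbkdf2_hmac(ALGORITHMS[cred["algorithm"]], password.encode("utf-8"),
                                  base64.b64decode(secret["salt"]), cred["hashIterations"],
                                  dklen=len(expected))
    return hmac.compare_digest(derived, expected)  # no early exit on the first differing byte


def needs_rehash(credential_data, policy=POLICY):
    """True when a stored record is weaker than policy (for example an old pbkdf2-sha256 record)."""
    cred = json.loads(credential_data)
    return (cred["algorithm"] != policy["algorithm"]
            or cred["hashIterations"] < policy["hashIterations"])


def login(password, credential_data, secret_data, policy=POLICY):
    """Verify; on success return the record, re-hashed under the current policy if it was weaker."""
    if not verify_password(password, credential_data, secret_data):
        return False, credential_data, secret_data
    if needs_rehash(credential_data, policy):
        # The plaintext is only available at login, so this is the moment to upgrade.
        credential_data, secret_data = hash_password(password, policy["algorithm"],
                                                     policy["hashIterations"])
    return True, credential_data, secret_data


if __name__ == "__main__":
    cd, sd = hash_password("correct horse battery staple")  # constructed test value
    print(cd)
    print(verify_password("correct horse battery staple", cd, sd),
          verify_password("wrong password", cd, sd))
```

Two points the prose above states but does not show: the same password hashed twice yields different secret_data because each call draws a fresh salt, and a record made under an older, weaker policy is accepted once and then rewritten, which is how a deployment migrates hashes without ever storing plaintext.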
Further enhancements to strengthen data protection
While our current use of AWS-owned or AWS-managed KMS keys offers a secure and compliant base, transitioning to Customer Managed Keys (CMK) could provide enhanced governance and flexibility. This would enable more precise control over key lifecycle management, rotation, and access policies, alongside improved audit visibility and compliance alignment.
For Amazon S3, dual-layer server-side encryption with KMS keys (DSSE-KMS) could add an extra layer of protection for sensitive or regulated data by applying two independent layers of AES-256 encryption to each object, each with its own data key. Client-side encryption could also be introduced for workloads that require encryption to occur entirely within the client environment before data reaches AWS, so that AWS only ever stores ciphertext and never has access to plaintext data or encryption keys; the trade-off is that the client then owns key management, and a lost key means lost data.
In addition to encryption controls, placing AWS WAF in front of public-facing endpoints, particularly those served through CloudFront or an Application Load Balancer (ALB), would strengthen the overall security posture. Its managed rule groups cover common web exploits such as SQL injection and cross-site scripting, its custom rules allow fine-grained control over HTTP/S traffic (rate limiting, geographic and IP reputation matching), and its logging and metrics give real-time visibility so that malicious requests can be blocked before they reach backend services.
Contact
If you have questions about our security practices or would like to report a security concern, contact us at support@implicit.cloud.