πSecurity
Security is designed in the architecture from the beginning. User requests are processed through the AWS API Gateway, which acts as the entry point. These requests are then directed to a Load Balancer within a VPC, ensuring that the internal services are not accessible from the public internet.
Security at the Gateway: AWS API Gateway
The AWS API Gateway plays a crucial role in security as the frontline defender of the ChatBees service. It simplifies the creation, publication, maintenance, monitoring, and security of APIs. The Gatewayβs throttling feature limits the number of requests a user can make, protecting against DDoS attacks.
Security with Private VPC
After requests pass through the API Gateway, they are sent to the Load Balancer within the Private VPC. The Load Balancer distributes traffic to ChatBeesβ Elastic Service layer, operating in a Private VPC to isolate the infrastructure from the public internet, thus reducing potential vulnerabilities.
Security in Transit and at Rest
ChatBees utilizes end-to-end HTTPS encryption, ensuring that data remains confidential and inaccessible to any unauthorized parties during transmission. ChatBees automatically encrypts stored data and vector indices, enhancing security against unauthorized access, even if the storage mediumβs physical security is breached.
ChatBees integrates with AWS Key Management Service (KMS), assigning a unique encryption key to each account, used to encrypt sensitive data, limiting access to information to those with the corresponding key.
Bearer Token Authentication
Using Bearer token authentication enhances the security of SaaS services, protecting users and the business from threats. ChatBees requires all server requests to include a valid Bearer token for authentication, advising users to rotate their tokens regularly to reduce risks associated with compromised tokens.
OAuth Data Source Connection
ChatBees follows the standard OAuth authentication for connecting to a data source. ChatBees can only access a data source after the user grants the permission. Users have the option to disconnect a data source whenever they choose. Once disconnected, ChatBees loses access to the data source. For instance, users can connect a data source, ingest data to ChatBees, and then disconnect the data source immediately.
Users have the option to handle OAuth themselves. Through ChatBees Ingestion API, users can provide a temporary token, which ChatBees utilizes to fetch data from the data source. ChatBees doesnβt retain the token provided via the Ingestion API. The temporary token typically expires within an hour, after which anyone with that token will lose access to the data source.
Role-based access control (RBAC) β coming soon with user management
Private LLM β coming in the future
Last updated