Security

Security is designed into the architecture from the beginning. User requests are processed through the AWS API Gateway, which acts as the entry point. These requests are then directed to a Load Balancer within a VPC, ensuring that the internal services are not accessible from the public internet.

Security at the Gateway: AWS API Gateway

The AWS API Gateway plays a crucial role in security as the frontline defender of the ChatBees service. It simplifies the creation, publication, maintenance, monitoring, and security of APIs. The Gateway's throttling feature limits the number of requests a user can make, protecting against DDoS attacks.

Security with Private VPC

After requests pass through the API Gateway, they are sent to the Load Balancer within the Private VPC. The Load Balancer distributes traffic to ChatBees' Elastic Service layer, operating in a Private VPC to isolate the infrastructure from the public internet, thus reducing potential vulnerabilities.

Security in Transit and at Rest

ChatBees utilizes end-to-end HTTPS encryption, ensuring that data remains confidential and inaccessible to any unauthorized parties during transmission. ChatBees automatically encrypts stored data and vector indices, enhancing security against unauthorized access, even if the storage medium's physical security is breached.

ChatBees integrates with AWS Key Management Service (KMS) and assigns a unique encryption key to each account. That key is used to encrypt the account's sensitive data, limiting access to the information to those with the corresponding key.

Bearer Token Authentication

Using Bearer token authentication enhances the security of SaaS services, protecting users and the business from threats. ChatBees requires all server requests to include a valid Bearer token for authentication, and advises users to rotate their tokens regularly to reduce the risks associated with compromised tokens.

OAuth Data Source Connection

ChatBees follows the standard OAuth flow for connecting to a data source. ChatBees can only access a data source after the user grants permission. Users have the option to disconnect a data source whenever they choose. Once disconnected, ChatBees loses access to the data source. For instance, users can connect a data source, ingest data into ChatBees, and then disconnect the data source immediately.

Users have the option to handle OAuth themselves. Through the ChatBees Ingestion API, users can provide a temporary token, which ChatBees utilizes to fetch data from the data source. ChatBees doesn't retain the token provided via the Ingestion API. The temporary token typically expires within an hour, after which anyone with that token will lose access to the data source.

Role-based access control (RBAC) — coming soon with user management

Private LLM — coming in the future
