Legal & Compliance
Classifying Data and Encrypting It in Transit and at Rest
Effective: May 26, 2026 · Next review: May 26, 2027 · Pythias Technologies, LLC
1
This policy defines how Pythias classifies the data it handles and the encryption standards applied to each classification level, both when data is stored (at rest) and when it is transmitted (in transit). All employees, contractors, and systems processing Pythias data must adhere to these standards.
2
Restricted: Credentials, API keys, OAuth tokens, hashed passwords, signing secrets, and payment-adjacent data. Highest protection level. Must never appear in logs, commits, or plaintext storage.
Confidential: End-customer PII (name, email, phone, address), client billing details, employee personal information, and internal financial data. Requires encryption at rest and in transit. Access limited to documented business need.
Internal: Client account data, operational analytics, design assets, production records. Encrypted in transit. Access limited to Pythias staff and the owning client.
Public: Marketing content, public-facing documentation, published blog posts. No encryption requirement beyond standard HTTPS delivery.
3
All data transmitted between clients and Pythias services is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are not accepted.
HTTP is redirected to HTTPS on all public-facing endpoints. HSTS (HTTP Strict Transport Security) headers are enforced on production domains.
All API calls to third-party services (marketplace APIs, MongoDB Atlas, Wasabi, ShipStation, OpenAI) are made over HTTPS/TLS.
Internal inter-service communication uses authenticated, encrypted channels.
Webhook payloads received from third parties (Google Lead Forms, marketplace order hooks) are received over HTTPS and validated using HMAC signatures or shared secrets.
Email transmission of Confidential data must use encrypted email (TLS-secured mail delivery). Sensitive data should not be transmitted via unencrypted email where avoidable.
4
MongoDB Atlas encrypts all data at rest using AES-256. Encryption is managed by MongoDB and is applied automatically to all databases and backups.
Wasabi object storage uses server-side encryption (AES-256) for all stored objects by default.
Application servers store no persistent Confidential or Restricted data outside the encrypted database and storage services.
Endpoint devices used to access Pythias production systems must enable full-disk encryption (BitLocker on Windows, FileVault on macOS).
Backup files (database snapshots) are encrypted by the hosting provider (MongoDB Atlas) and are not stored in unencrypted form on any Pythias-controlled storage.
5
User passwords are hashed with bcrypt (cost factor >= 12) before storage. Plaintext passwords are never stored, logged, or transmitted.
Secrets (API keys, tokens, connection strings) are stored in environment variables or a secrets manager. They are excluded from version control.
NEXTAUTH_SECRET and all signing secrets are generated with sufficient entropy (minimum 256-bit) and rotated annually.
6
Restricted
Never log, print, or include in error messages.
Never store in plaintext anywhere — only hashed (passwords) or in secured environment configuration (API keys).
Rotate at least annually or immediately upon suspected compromise.
Confidential
Encrypt in transit (TLS) and at rest (AES-256 via hosting providers).
Access limited to named individuals with documented business need.
Deletion requests honored within 30 days.
Internal
Encrypt in transit. Do not share externally without authorization.
Public
Served over HTTPS. No additional encryption requirements.
7
This policy is reviewed annually (next review: May 26, 2027) and updated when encryption standards, infrastructure providers, or applicable regulations change.
© 2026 Pythias Technologies, LLC · All rights reserved