2.7.3 Core Security Controls

2.7.3 Data Protection & Privacy

1. Encryption at Rest

• AWS RDS for PostgreSQL with encryption enabled (AES-256).

• S3 buckets (if storing user-uploaded files) also encrypted by default (AES-256).

• KMS (Key Management Service) for managing cryptographic keys.

2. Storage Policies

• Keep PII (email, username, wallet addresses) separate from less sensitive data where possible.

• Implement a data retention policy: what data is kept, for how long, and how it’s securely deleted or archived.

3. Access Control

• Least Privilege Principle for internal staff and system components—only the minimal necessary permissions to do their jobs.

• Database credentials stored in AWS Secrets Manager or a similar secure vault, never in plain text or code repos.

4. Personal Data & GDPR

• Provide Data Subject Rights (access, rectification, erasure) for EU residents.

• Display cookie consent banners and privacy policies for compliance.

• Track user consent for data usage (marketing, analytics).
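
The Encryption at Rest controls in item 1 can be checked with a small audit script. The one below is an added example, not part of the original page. It takes dicts shaped like the responses from boto3's `rds.describe_db_instances()` and `s3.get_bucket_encryption()`, so it runs offline; the KMS key allowlist, the ARNs and the sample resources are constructed assumptions.

```python
# Added example: offline audit of encryption-at-rest settings for RDS and S3.
# Inputs mirror boto3 response shapes; all sample data and key ARNs are constructed.
APP_KEY = "arn:aws:kms:eu-west-1:111122223333:key/example-app-data"
APPROVED_KEYS = {APP_KEY}  # assumption: the team keeps an allowlist of KMS keys
SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}

def audit_rds(instances, approved_keys=APPROVED_KEYS):
    """Flag RDS instances that are unencrypted or use a key off the allowlist."""
    findings = []
    for db in instances:
        name = db.get("DBInstanceIdentifier", "<unknown>")
        if not db.get("StorageEncrypted", False):
            findings.append((name, "storage not encrypted"))
        elif db.get("KmsKeyId") not in approved_keys:
            findings.append((name, "encrypted with a key not on the allowlist"))
    return findings

def audit_bucket(name, response):
    """Flag a bucket with no default SSE rule; pass None if no config was returned."""
    rules = (response or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & SSE_ALGORITHMS:
        return [(name, "no default server-side encryption rule")]
    return []

SAMPLE_RDS = [  # constructed describe_db_instances()["DBInstances"] entries
    {"DBInstanceIdentifier": "app-db", "StorageEncrypted": True, "KmsKeyId": APP_KEY},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "test-db", "StorageEncrypted": True, "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/example-other"},
]
SAMPLE_BUCKETS = {  # constructed get_bucket_encryption() responses, keyed by bucket
    "user-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "scratch": None,
}

def run_sample():
    findings = audit_rds(SAMPLE_RDS)
    for bucket, response in SAMPLE_BUCKETS.items():
        findings += audit_bucket(bucket, response)
    return findings

if __name__ == "__main__":
    for resource, problem in run_sample():
        print(f"{resource}: {problem}")
```

Against a live account, the same functions can be fed the real API responses, with the call made under a read-only role in keeping with the least-privilege item above.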
