Security and Compliance
Encryption at rest and in transit, access control, and banking compliance controls for Kwik Vault
Kwik Vault applies bank-grade security across every layer: encrypted storage and transport, department-scoped access control, append-only audit, and tenant isolation per deployment instance.
Overview
Documents in Kwik Vault contain sensitive customer and operational data. The platform encrypts data at rest and in transit, restricts access through RBAC and SSO, and records every read and write in a tamper-evident audit trail aligned with regulatory examination expectations.
Encryption at Rest
| Layer | Protection |
|---|---|
| Object storage | Document blobs encrypted with AES-256; keys managed by the cloud KMS or on-prem HSM per deployment policy |
| Relational store | Metadata, workflow state, and audit chain encrypted at the storage volume level |
| Search index | Index volumes encrypted; sensitive customer reference fields stored per tenant indexing policy |
| Backups | Backup snapshots inherit the same encryption as primary storage; keys never stored alongside ciphertext |
Encryption keys rotate per institution policy. Key material does not appear in application configuration or integrator payloads.
Encryption in Transit
| Path | Protection |
|---|---|
| Integrator APIs | TLS 1.2+ on all REST endpoints (/api/v1/*) |
| Web portal | HTTPS-only; HSTS enforced on production deployments |
| Identity federation | SAML/OIDC tokens exchanged over TLS between bank IdP and Vault identity service |
| Internal services | Service-to-service traffic encrypted within the deployment network zone |
Integrators must use https:// base URLs in production. Plain HTTP is blocked at the gateway.
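An integrator-side check for the transport rules above, added here as an example and not taken from Kwik Vault's own code: it rejects base URLs that are not https://, sets a TLS 1.2 floor on the client, and reads the HSTS max-age from response headers. The host vault.example.com and the documents resource name are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

API_PREFIX = "/api/v1/"  # REST path prefix named on this page


def validate_base_url(base_url: str) -> str:
    """Return a normalized https base URL, or raise ValueError."""
    parts = urlsplit(base_url.strip())
    if parts.scheme.lower() != "https":
        raise ValueError(f"refusing non-HTTPS base URL: {base_url!r}")
    if not parts.hostname:
        raise ValueError("base URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the URL")
    if parts.query or parts.fragment:
        raise ValueError("base URL must not carry a query or fragment")
    return f"https://{parts.netloc.lower()}{parts.path.rstrip('/')}"


def endpoint(base_url: str, resource: str) -> str:
    """Build a full endpoint URL under /api/v1/ from a validated base.

    The resource name is supplied by the caller (hypothetical in this example).
    """
    return validate_base_url(base_url) + API_PREFIX + resource.lstrip("/")


def make_tls_context() -> ssl.SSLContext:
    """Client context: certificate and hostname checks on, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hsts_max_age(headers: dict) -> int:
    """Return max-age from Strict-Transport-Security, or 0 if absent/invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return 0
```

Pass the context from `make_tls_context()` to the HTTP client so the floor applies to every call, and treat a production response with `hsts_max_age(...) == 0` as a deployment finding.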
Access Control
- Portal users: Corporate SSO with department and branch scope from identity claims.
- Integrators: Service users and bearer tokens minted on API Keys; scoped to ingest, search, and audit operations.
- Super admins: Trash recovery, permanent deletion, and configuration changes require elevated privileges.
- Approvers: Act only on documents within their assigned department.
Every access decision is logged in Audit.
Compliance Alignment
Kwik Vault supports banking compliance workflows:
- Unified audit trail: Append-only log with integrity chain for examination and forensic review.
- Retention and disposal: Configurable soft-delete retention and permanent purge per Storage and Lifecycle.
- Tenant isolation: Dedicated deployment instance per institution; no cross-bank data commingling.
- Approval governance: New versions enter `pending` until department approvers act in Approvals.
Benefits
- Data protection: Encryption at rest and in transit protects customer documents end to end.
- Examination readiness: Audit export and access logs support regulatory reviews.
- Least privilege: Department-scoped RBAC limits exposure to authorized staff only.
Next Steps
- Backup and Disaster Recovery: DC/DR and department backup policies
- Audit: activity monitoring and CSV export
- Architecture: tenancy and access model
- Introduction: back to Kwik Vault overview