Overview

Darwinium can be configured to store event data on your own infrastructure using Amazon S3. Sensitive Personally Identifiable Information (PII) is encrypted by the edge worker, and is stored directly onto your S3 bucket, without clear-text data touching Darwinium’s SaaS services.

Technical Architecture Overview

Writing data to your S3 bucket

1. An end user device makes a HTTP request to an endpoint on your infrastructure. If this endpoint is mapped to a journey step,  a Darwinium worker is invoked on your CDN infrastructure (Cloudflare, Cloudfront)
2. In parallel:
   1. Darwinium worker uses customer public key to encrypt sensitive data, and sends this to your s3 bucket using write-only credentials
   2. Data is anonymized using a 1-way elliptic hashing function, and sent to the Darwinium node. This provides indexing capabilities for future forensic searches and event lookups.

Reading data from your S3 bucket

1. A fraud/security analyst makes a query to your Darwinium node- eg: identity['ACCOUNT'].username.username = 'janedoe@example.com'
   When this happens, a request is sent from the analysts browser to Darwinium's data services, containing a cryptographically signed JSON Web Token (JWT) bound to the querying user
2. JWT claim is used by Darwinium data services to unlock read-only S3 credentials from our secure vault
3. Data services make a request to your S3 bucket to retrieve encrypted/hashed event data blob(s).
4. Darwinium data services unlock PII private key for decryption (if this is permitted for the user)
5. Blobs are decrypted
6. Event data is returned to the analyst