Security & Privacy

How we protect your data, your subscriptions, and our infrastructure.

Defense in Depth

Every HTTP request to The Trinity Beast passes through multiple layers of security before it reaches our servers, and each layer is designed to stop a different type of threat. The one deliberate exception is the UDP direct path described below the diagram, which trades edge inspection for latency.

%%{init: {'theme': 'base', 'flowchart': {'padding': 24, 'nodeSpacing': 35, 'rankSpacing': 45, 'useMaxWidth': true}, 'themeVariables': {'primaryColor': '#2a2f3d', 'primaryTextColor': '#e2e8f0', 'primaryBorderColor': '#d4a843', 'lineColor': '#60a5fa', 'secondaryColor': '#1a1f2e', 'tertiaryColor': '#0f172a', 'background': 'transparent', 'mainBkg': '#2a2f3d', 'nodeBorder': '#d4a843', 'fontFamily': 'inherit', 'fontSize': '11px'}}}%%
flowchart TD
    USER["Visitor / API Client"] -->|HTTPS| CF
    USER ==>|UDP Direct| NLB
    USER -->|Checkout| STRIPE
    subgraph EDGE["Edge Protection"]
        CF["CloudFront CDN"] --> SHIELD["AWS Shield"]
        SHIELD --> WAF_CF["Website WAF"]
    end
    WAF_CF -->|Website| S3["S3 Static Site"]
    WAF_CF -->|API| ALB
    WAF_CF -.->|Blocked| BLOCK1["Rejected"]
    subgraph NETWORK["Network Layer"]
        ALB["ALB + TLS"] --> WAF_ALB["API WAF"]
        NLB["NLB + UDP"]
    end
    WAF_ALB -->|Allowed| ECS
    WAF_ALB -.->|Blocked| BLOCK2["Rejected"]
    NLB ==>|UDP Direct| ECS
    subgraph VPC["Private VPC"]
        ECS["ECS Fargate\n3 Nodes"] <-->|TLS| CACHE["Valkey Cache\n52 GB"]
        ECS <-->|TLS| DB["Aurora PostgreSQL"]
    end
    subgraph PAYMENTS["Payment Security"]
        STRIPE["Stripe\nPCI Level 1"] -->|Webhook| LAMBDA["Lambda\nSignature Verified"]
        SECRETS["Secrets Manager\nEncrypted Keys"]
    end
    LAMBDA --> DB
    subgraph MONITOR["Continuous Monitoring"]
        GD["GuardDuty"]
        CW["CloudWatch"]
        CT["CloudTrail"]
        VFL["VPC Flow Logs"]
    end
    subgraph AUTOOPS["AutoOps (5 Layers)"]
        EB_AO["EventBridge\n6 Rules"]
        SF_AO["Step Functions\nSelf-Heal"]
        BEDROCK["Bedrock AI\nThreat Analysis"]
        LAMBDAS["7 Lambda Functions\nGo Runtime"]
        ANOMALY["Anomaly Detection\n4 ML Models"]
    end
    ECS -.-> CW
    ALB -.-> CW
    WAF_ALB -.-> CW
    ECS -.-> GD
    CT -.-> GD
    VFL -.-> GD
    CW -->|"Alarm"| EB_AO
    GD -->|"HIGH Finding"| EB_AO
    EB_AO --> SF_AO
    EB_AO --> LAMBDAS
    LAMBDAS --> BEDROCK
    LAMBDAS -->|"Auto-block"| WAF_ALB
    SF_AO -->|"Restart"| ECS
    ANOMALY -.->|"Deviation"| CW
    linkStyle 1 stroke:#f97316,stroke-width:3px
    linkStyle 11 stroke:#f97316,stroke-width:3px
    classDef edge fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
    classDef network fill:#1a2744,stroke:#d4a843,color:#e2e8f0
    classDef vpc fill:#0f172a,stroke:#10b981,color:#e2e8f0
    classDef monitor fill:#1a1f2e,stroke:#a78bfa,color:#e2e8f0
    classDef autoops fill:#1a1a2e,stroke:#f97316,color:#e2e8f0
    classDef blocked fill:#7f1d1d,stroke:#ef4444,color:#fca5a5
    classDef user fill:#2a2f3d,stroke:#d4a843,color:#e2e8f0
    classDef payment fill:#1a2e1a,stroke:#facc15,color:#e2e8f0
    class CF,SHIELD,WAF_CF edge
    class ALB,WAF_ALB,NLB network
    class ECS,CACHE,DB,S3 vpc
    class GD,CW,CT,VFL monitor
    class EB_AO,SF_AO,BEDROCK,LAMBDAS,ANOMALY autoops
    class BLOCK1,BLOCK2 blocked
    class USER user
    class STRIPE,LAMBDA,SECRETS payment

Diagram 1.1: Security Defense Flow — Every request passes through multiple protection layers

Legend

Edge Protection — CloudFront, Shield, Website WAF
Network Layer — ALB, API WAF, NLB (UDP)
Private VPC — ECS, Valkey Cache, Aurora DB
Monitoring — GuardDuty, CloudWatch, CloudTrail, Flow Logs
AutoOps — EventBridge, Step Functions, Bedrock AI, 7 Lambdas, Anomaly Detection
Payment Security — Stripe (PCI L1), Lambda webhook, Secrets Manager
Blocked — Rejected by WAF or rate limits
Solid line — Request flow (HTTPS / UDP)
UDP Flame Path — Bypasses CDN, WAF, and ALB for lowest latency
Dashed line — Monitoring / logging flow
Allowed — Passed all security checks
The UDP Flame Path

The gold path on the diagram shows the UDP direct route. It bypasses CloudFront, both WAFs, and the ALB, going straight from the Network Load Balancer to the container; AWS Shield Standard's network-layer protection still covers the NLB, since it applies to all load balancers. Taking those stages out of the path delivers sub-millisecond response times for latency-critical applications like trading bots and real-time dashboards. TCP requests pass through every security layer. UDP trades that inspection for raw speed: AWS WAF can only be attached to HTTP front ends such as CloudFront and the ALB, so nothing on the UDP path inspects packet contents, and the application validates API keys and enforces rate limits itself at the container level. Two properties of UDP matter for that design. There is no handshake, so source addresses can be spoofed and per-IP limits on this path are weaker than on TCP; and a UDP service whose replies are larger than the requests that trigger them can be turned into an amplification reflector, so the key check has to run before any work is done and unauthenticated packets should get no reply at all.

DDoS Protection

AWS Shield Standard automatically absorbs common network and transport layer attacks (SYN floods, UDP reflection) at the network edge; it covers the load balancers as well as CloudFront, so the UDP path is not exempt from it. CloudFront distributes traffic across 400+ global edge locations, making it extremely difficult to overwhelm our infrastructure.

Automatic

Web Application Firewall

Two WAF layers inspect every HTTP request: one at CloudFront in front of the website and API, one at the ALB in front of the API. Known malicious IPs are blocked on sight. SQL injection, cross-site scripting, and code injection attempts are detected and rejected before reaching our servers. WAF rules are pattern matches that catch known injection shapes; they complement, rather than replace, parameterized queries and output encoding in the application.

Real-Time

Rate Limiting

Multiple layers of rate limiting protect against abuse. The WAF blocks any source IP exceeding 2,000 requests per 5 minutes. The application enforces per-tier QPS limits. Admin endpoints have a separate, stricter threshold. Because the API WAF sits behind CloudFront, its rate rule has to aggregate on the forwarded client address rather than the connecting address, which would otherwise be a CloudFront edge node and would lump unrelated visitors together.

Multi-Layer
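The two application-side layers described above, and the container-level API-key and rate checks mentioned for the UDP path, can be seen together in a small Go limiter. This is an added example written for this page, not code from The Trinity Beast. The tier names, their QPS values, and the use of a fixed window for the per-IP counter are assumptions; the 2,000 per 5 minutes figure mirrors the WAF rule stated above.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Layer 1 mirrors the WAF rule on the page: 2,000 requests per source IP per
// 5 minutes. A fixed window is used here for simplicity; AWS WAF evaluates a
// trailing window, so its counts roll over more smoothly.
const (
	ipLimit  = 2000
	ipWindow = 5 * time.Minute
)

// Layer 2: per-tier QPS. The tier names and numbers are assumptions for this
// example; the page only says limits are per tier and admin is stricter.
var tierQPS = map[string]float64{
	"free":  5,
	"pro":   50,
	"admin": 2,
}

type window struct {
	start time.Time
	count int
}

// bucket is a token bucket whose capacity equals its refill rate, so a key may
// burst one second's worth of requests and is then held to its QPS.
type bucket struct {
	tokens, rate float64
	last         time.Time
}

type Limiter struct {
	mu      sync.Mutex
	ips     map[string]*window
	buckets map[string]*bucket
	now     func() time.Time // injectable clock so behaviour is deterministic
}

func NewLimiter(now func() time.Time) *Limiter {
	return &Limiter{ips: map[string]*window{}, buckets: map[string]*bucket{}, now: now}
}

// AllowIP is the coarse per-IP layer; it runs before any API key is looked up,
// so unauthenticated floods are cut off cheaply.
func (l *Limiter) AllowIP(ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	w, ok := l.ips[ip]
	if !ok || now.Sub(w.start) >= ipWindow {
		w = &window{start: now}
		l.ips[ip] = w
	}
	w.count++
	return w.count <= ipLimit
}

// AllowKey is the per-tier layer. Admin endpoints always draw from the
// separate, stricter "admin" bucket, whatever tier the key belongs to.
func (l *Limiter) AllowKey(apiKey, tier string, adminEndpoint bool) bool {
	if adminEndpoint {
		tier = "admin"
	}
	rate, ok := tierQPS[tier]
	if !ok {
		return false // unknown tier: fail closed rather than unlimited
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	key := tier + ":" + apiKey
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: rate, rate: rate, last: now}
		l.buckets[key] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * b.rate
	if b.tokens > b.rate {
		b.tokens = b.rate
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Allow applies both layers in order: the cheap IP check first, then the
// per-key check only for traffic that survived it.
func (l *Limiter) Allow(ip, apiKey, tier string, adminEndpoint bool) bool {
	return l.AllowIP(ip) && l.AllowKey(apiKey, tier, adminEndpoint)
}

func main() {
	l := NewLimiter(time.Now)
	for i := 1; i <= 7; i++ {
		fmt.Printf("free-tier request %d allowed: %v\n", i, l.Allow("198.51.100.7", "key-free", "free", false))
	}
}
```

The order of the two checks is the point: the IP layer needs no key lookup, so a flood from one address is rejected before the application spends anything on it, and the admin bucket is keyed separately so a key's normal allowance cannot be spent on admin calls.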

Encryption Everywhere

All data is encrypted in transit (TLS 1.2+) and at rest. API traffic, database connections, cache communication, and website delivery — every path is encrypted. No exceptions.

TLS 1.2+

Threat Detection

AWS GuardDuty continuously analyzes network traffic, API calls, and DNS queries for signs of compromise — credential theft, cryptocurrency mining, unusual access patterns. Findings trigger immediate alerts.

Continuous

Honeypot Trap System

12 decoy endpoints are disguised as common attack targets (/wp-admin, /.env, /.git/config). No legitimate user would ever access these paths. Any hit is logged with full request forensics, and after 2 attempts from the same IP, automatic WAF blocking is triggered. A 2-second tarpit delay wastes scanner time before the block takes effect. The per-IP count has to be keyed on the client address the load balancer reports, not on a header the scanner can set itself; otherwise a scanner could rotate a fake address and never reach the threshold.

Deception Defense
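An added example of the honeypot mechanism, written for this page and not taken from the site's own code: decoy matching, a per-IP counter that queues a WAF block on the second hit, and a tarpit applied before the response. The decoy paths beyond the three named above, the plain 404 answer, and the assumption that the handler sees the client address directly rather than behind a load balancer are the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Decoy paths. The page names the first three; the rest are assumptions.
var decoys = []string{
	"/wp-admin", "/.env", "/.git/config",
	"/wp-login.php", "/phpmyadmin", "/.aws/credentials",
}

const (
	blockAfter = 2               // hits from one IP before a block is queued
	tarpit     = 2 * time.Second // delay applied to every decoy hit
)

// Hit is the forensic record kept for every decoy request.
type Hit struct {
	Time      time.Time
	IP        string
	Path      string
	Method    string
	UserAgent string
}

type Honeypot struct {
	mu     sync.Mutex
	hits   map[string]int
	log    []Hit
	blocks []string
	sleep  func(time.Duration) // injectable so tests do not really wait
	now    func() time.Time
}

func NewHoneypot(sleep func(time.Duration), now func() time.Time) *Honeypot {
	return &Honeypot{hits: map[string]int{}, sleep: sleep, now: now}
}

// IsDecoy matches a decoy path exactly or anything below it, so
// /wp-admin/setup-config.php trips it while /api/v1/prices does not.
func IsDecoy(path string) bool {
	p := strings.ToLower(path)
	for _, d := range decoys {
		if p == d || strings.HasPrefix(p, d+"/") {
			return true
		}
	}
	return false
}

// clientIP keys on the peer address of the connection, never on a header the
// scanner can set. Behind a load balancer, substitute the address the balancer
// itself appends (assumption here: the handler sees the client directly).
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// Handle records the hit, tarpits the scanner, answers with an ordinary 404 so
// the decoy is not obviously a trap, and on the blockAfter-th hit from an IP
// queues that IP for the automated WAF layer. It reports whether this call
// queued a block.
func (h *Honeypot) Handle(w http.ResponseWriter, r *http.Request) bool {
	ip := clientIP(r)
	h.mu.Lock()
	h.log = append(h.log, Hit{Time: h.now(), IP: ip, Path: r.URL.Path, Method: r.Method, UserAgent: r.UserAgent()})
	h.hits[ip]++
	queued := h.hits[ip] == blockAfter
	if queued {
		h.blocks = append(h.blocks, ip)
	}
	h.mu.Unlock()

	h.sleep(tarpit) // outside the lock: one slow scanner must not stall the rest
	w.WriteHeader(http.StatusNotFound)
	return queued
}

// Blocked returns the IPs queued for blocking; Hits returns the forensic log.
func (h *Honeypot) Blocked() []string {
	h.mu.Lock()
	defer h.mu.Unlock()
	return append([]string(nil), h.blocks...)
}

func (h *Honeypot) Hits() []Hit {
	h.mu.Lock()
	defer h.mu.Unlock()
	return append([]Hit(nil), h.log...)
}

func main() {
	hp := NewHoneypot(time.Sleep, time.Now)
	for _, path := range []string{"/.env", "/wp-admin/setup-config.php", "/.git/config"} {
		req := httptest.NewRequest("GET", path, nil)
		req.RemoteAddr = "192.0.2.10:4444" // constructed scanner address
		req.Header.Set("User-Agent", "Mozilla/5.0 zgrab/0.x")
		fmt.Printf("%s decoy=%v block queued=%v\n", path, IsDecoy(path), hp.Handle(httptest.NewRecorder(), req))
	}
	fmt.Println("queued for WAF block:", hp.Blocked())
}
```

The block is queued exactly once, on the second hit, so a scanner that keeps going after it has been reported does not generate duplicate WAF updates; the tarpit is applied to every hit, including the first, and runs with the mutex released so it costs the scanner time without holding up other requests.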

Audit Trail

Every control-plane API call to our AWS account is logged by CloudTrail. VPC Flow Logs record all network traffic in the VPC. Nothing changes in the account without a record. Full accountability, full transparency.

Every Action Logged

Autonomous Operations (AutoOps)

A 5-layer intelligent operations system that monitors, defends, heals, and reports on the infrastructure autonomously. Self-heal first, notify second.

Self-Healing Infrastructure

When a health check fails, the system automatically identifies the affected node, restarts the ECS task, verifies recovery, and notifies the operator — all within 60 seconds, without human intervention.

Autonomous

AI Threat Analysis

Every 5 minutes, Amazon Bedrock (Claude) correlates WAF blocks, honeypot hits, rate limit violations, and usage anomalies to produce a threat assessment. HIGH or CRITICAL findings trigger immediate automated response. The material fed to that analysis (request paths, user agents, payload fragments) is attacker-controlled text that a model can be steered by, so the analysis has to treat it as data to classify rather than as instructions, and the automated response it can trigger is limited to WAF blocking, which is reversible if an assessment turns out to be wrong.

AI-Powered

Predictive Anomaly Detection

CloudWatch machine learning models learn normal traffic patterns and alert on deviations — catching slow degradations that static thresholds miss. Request rate, latency, error rate, and cache performance are all monitored.

Machine Learning

Automated WAF Blocking

Honeypot repeat offenders and AI-identified threats are automatically added to the WAF block list. No manual intervention required. The system defends itself in real-time, 24/7.

Real-Time
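An added example of how an automated block-list update has to be done against AWS WAF, written for this page rather than taken from the site's Lambda functions. AWS WAF keeps blocked addresses in an IP set that is updated by read-modify-write guarded by a LockToken, so two writers (the honeypot processor and the AI analysis, say) can collide and one must re-read and retry. The client interface, the in-memory fake that stands in for the real wafv2 SDK, the protected range 203.0.113.64/26, and the retry limit are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
)

// ErrOptimisticLock stands in for wafv2's WAFOptimisticLockException: the
// LockToken we sent is stale because another writer updated the set first.
var ErrOptimisticLock = errors.New("ip set changed since it was read")

// IPSetClient is the slice of the wafv2 API the automation needs (GetIPSet /
// UpdateIPSet); the real SDK client is not used so the example runs offline.
type IPSetClient interface {
	Get() (addresses []string, lockToken string, err error)
	Update(addresses []string, lockToken string) error
}

const maxIPSetEntries = 10000 // AWS WAF limit on addresses per IP set

// neverBlock: ranges automation must refuse to add. Assumption for the example:
// loopback, private space, and a hypothetical egress NAT range of the platform,
// so the system can never lock out its own health checks or workers.
var neverBlock = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("203.0.113.64/26"),
}

// Normalize converts a raw address to the host CIDR WAF expects (/32 or /128),
// unmaps IPv4-in-IPv6 forms, and rejects protected ranges.
func Normalize(raw string) (string, error) {
	addr, err := netip.ParseAddr(raw)
	if err != nil {
		return "", err
	}
	addr = addr.Unmap()
	for _, p := range neverBlock {
		if p.Contains(addr) {
			return "", fmt.Errorf("refusing to block protected address %s", addr)
		}
	}
	return netip.PrefixFrom(addr, addr.BitLen()).String(), nil
}

// AddBlockedIPs merges offenders into the set with a read-modify-write loop that
// re-reads and retries when the lock token turns out to be stale.
func AddBlockedIPs(c IPSetClient, offenders []string) ([]string, error) {
	for attempt := 0; attempt < 5; attempt++ {
		current, token, err := c.Get()
		if err != nil {
			return nil, err
		}
		set := make(map[string]bool, len(current)+len(offenders))
		for _, a := range current {
			set[a] = true
		}
		for _, o := range offenders {
			if cidr, err := Normalize(o); err == nil {
				set[cidr] = true // a bad entry is skipped, not fatal
			}
		}
		if len(set) > maxIPSetEntries {
			return nil, fmt.Errorf("ip set would exceed %d entries", maxIPSetEntries)
		}
		if len(set) == len(current) {
			return current, nil // nothing new: skip the write entirely
		}
		merged := make([]string, 0, len(set))
		for a := range set {
			merged = append(merged, a)
		}
		sort.Strings(merged)
		if err := c.Update(merged, token); errors.Is(err, ErrOptimisticLock) {
			continue
		} else if err != nil {
			return nil, err
		}
		return merged, nil
	}
	return nil, errors.New("gave up after repeated lock conflicts")
}

// FakeIPSet is an in-memory stand-in that enforces the lock token as wafv2 does:
// every successful update issues a new token. Conflicts > 0 simulates a
// concurrent writer on that many update attempts.
type FakeIPSet struct {
	addrs     []string
	token     int
	Conflicts int
}

func (f *FakeIPSet) Get() ([]string, string, error) {
	return append([]string(nil), f.addrs...), fmt.Sprint(f.token), nil
}

func (f *FakeIPSet) Update(addrs []string, token string) error {
	if f.Conflicts > 0 {
		f.Conflicts--
		f.token++ // another writer got in first; the caller's token is now stale
		return ErrOptimisticLock
	}
	if token != fmt.Sprint(f.token) {
		return ErrOptimisticLock
	}
	f.addrs, f.token = append([]string(nil), addrs...), f.token+1
	return nil
}

func main() {
	fake := &FakeIPSet{addrs: []string{"192.0.2.44/32"}, Conflicts: 1}
	fmt.Println(AddBlockedIPs(fake, []string{"198.51.100.23", "198.51.100.23", "203.0.113.70", "::ffff:192.0.2.9", "2001:db8::1"}))
}
```

Three details carry the safety of the automation: the protected-range check, so a misclassified internal address can never be blocked; the capacity check against the IP set limit, so a burst of offenders fails loudly instead of silently truncating; and the retry on a stale token, so two Lambdas updating the same set do not overwrite each other's entries.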

Operational Digests

AI-generated daily and weekly operational summaries delivered by email. Every autonomous action is logged, every threat is documented, and trends are tracked over time.

Daily + Weekly

7 Lambda Functions

Self-heal, WAF management, notifications, honeypot processing, AI threat analysis, support automation, and operational digests — all running autonomously on EventBridge schedules and event triggers.

All 5 Layers LIVE

Payment Security

We never see, store, or process your payment information. All payment handling is done by Stripe.

Stripe Handles Everything

Card numbers, bank details, and billing information go directly to Stripe — a PCI Level 1 certified payment processor. Our servers never touch your payment data.

Secrets Management

API keys, database credentials, and Stripe keys are stored in AWS Secrets Manager — encrypted, access-controlled, and rotatable. Never hardcoded, never in environment variables.

Webhook Verification

Every Stripe webhook is cryptographically verified before processing. Stripe signs each event with HMAC-SHA256 over the event timestamp and the raw body using the endpoint's signing secret, and the handler recomputes that signature over the exact bytes received before trusting the event. Forged or tampered webhook events are rejected immediately.
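An added example of that verification, written for this page and not taken from the site's Lambda; the signing secret and event body are constructed. It follows Stripe's published scheme: HMAC-SHA256 with the endpoint secret over the timestamp, a dot, and the raw body, compared in constant time against each v1 value in the Stripe-Signature header, with a timestamp tolerance so a captured genuine event cannot be replayed later.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Stripe signs each webhook with HMAC-SHA256 over "<timestamp>.<raw body>" using
// the endpoint's signing secret (whsec_...) and sends it as
// Stripe-Signature: t=<unix seconds>,v1=<hex>[,v1=<hex> during secret rotation].
const defaultTolerance = 5 * time.Minute // Stripe's recommended replay window

var (
	ErrMalformedHeader = errors.New("malformed Stripe-Signature header")
	ErrNoMatch         = errors.New("no v1 signature matched the payload")
	ErrExpired         = errors.New("webhook timestamp outside tolerance (replay?)")
)

func parseHeader(h string) (ts int64, sigs [][]byte, err error) {
	for _, part := range strings.Split(h, ",") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "t":
			if ts, err = strconv.ParseInt(kv[1], 10, 64); err != nil {
				return 0, nil, ErrMalformedHeader
			}
		case "v1":
			sig, err := hex.DecodeString(kv[1])
			if err != nil {
				return 0, nil, ErrMalformedHeader
			}
			sigs = append(sigs, sig)
		}
	}
	if ts == 0 || len(sigs) == 0 {
		return 0, nil, ErrMalformedHeader
	}
	return ts, sigs, nil
}

// Sign computes the v1 signature for a timestamp and raw body.
func Sign(secret string, ts int64, payload []byte) []byte {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(strconv.FormatInt(ts, 10)))
	mac.Write([]byte("."))
	mac.Write(payload)
	return mac.Sum(nil)
}

// Verify checks the raw body against the header. The body must be the exact
// bytes received: re-serialising parsed JSON changes them and breaks the MAC.
// The signature is checked first; a genuine but old signature is then treated
// as a replay.
func Verify(payload []byte, header, secret string, now time.Time, tolerance time.Duration) error {
	ts, sigs, err := parseHeader(header)
	if err != nil {
		return err
	}
	expected := Sign(secret, ts, payload)
	matched := false
	for _, s := range sigs {
		if hmac.Equal(s, expected) { // constant-time comparison
			matched = true
		}
	}
	if !matched {
		return ErrNoMatch
	}
	if d := now.Sub(time.Unix(ts, 0)); d > tolerance || d < -tolerance {
		return ErrExpired
	}
	return nil
}

func main() {
	secret := "whsec_example_only" // constructed; the real one lives in Secrets Manager
	body := []byte(`{"id":"evt_example","type":"checkout.session.completed"}`)
	now := time.Now()
	header := fmt.Sprintf("t=%d,v1=%s", now.Unix(), hex.EncodeToString(Sign(secret, now.Unix(), body)))
	fmt.Println("genuine:          ", Verify(body, header, secret, now, defaultTolerance))
	fmt.Println("tampered body:    ", Verify([]byte(`{"id":"evt_example","type":"charge.refunded"}`), header, secret, now, defaultTolerance))
	fmt.Println("replayed 1h later:", Verify(body, header, secret, now.Add(time.Hour), defaultTolerance))
}
```

Two things commonly go wrong in handlers like this: verifying a re-encoded copy of the body instead of the bytes on the wire, which fails for every event, and skipping the timestamp check, which lets anyone who captures one genuine event (for instance a completed checkout) resubmit it indefinitely.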

Our Privacy Promise

  • We do not use cookies — not for tracking, not for analytics, not for anything.
  • We do not use third-party trackers, pixels, or advertising scripts.
  • The only data stored on your device is in localStorage — your preferred language, your theme choice (light/dark), and an anonymous visitor ID for analytics. No cookies.
  • Our analytics are anonymous — no names, no emails, no IP addresses stored.
  • We do not sell, share, or rent your data to anyone. Ever.
  • Payment data goes directly to Stripe. We never see your card number.