Security Architecture

Architecture Overview

StatelessEncryptedZero Retention

zkOrigoPlus operates on a stateless, zero-data-retention architecture. All API requests are processed in-memory and no transaction data, wallet addresses, or compliance results are persisted beyond the request lifecycle.

Core Security Features

• TLS 1.2+: All API endpoints enforce HTTPS with TLS 1.2 or higher
• KMS Encryption: Sensitive configuration encrypted at rest using AWS KMS
• Secrets Manager: All API keys, credentials, and secrets stored in AWS Secrets Manager (no environment variables)
• WAF Protection: AWS WAF with rate limiting (500 req/5min per IP) and AWS Managed Rules
• CloudFront CDN: DDoS protection and edge caching with signed requests

API Key Security

Key Format

API keys follow the format: zk_live_[48-character-random-string]

Storage Policy

• Keys are hashed using SHA-256 before storage in DynamoDB
• Original keys are never logged or persisted
• Keys are transmitted via x-api-key header only
• No query parameter authentication supported

Key Rotation

API keys do not expire automatically. Users can rotate keys via the customer dashboard or by contacting support at admin@autodigitalcoin.com.

Rate Limiting

Sandbox Environment

• Rate: 30 requests/second per IP
• Authentication: None required
• Endpoint: /sandbox/*

Production Tiers

• Starter: 10 req/sec, 2,500 calls/month
• Professional: 25 req/sec, 10,000 calls/month
• Enterprise: 50 req/sec, 50,000 calls/month

Rate limits enforced at API Gateway level with 429 Too Many Requests response on breach.

Data Retention Policy

Zero Retention: zkOrigoPlus does not store:

• Wallet addresses submitted for validation
• Transaction data or blockchain queries
• AML/sanctions check results
• ISO20022 message content
• RWA attestation details

Telemetry Only: Aggregated, anonymized API usage metrics (call count, latency, error rates) are stored for service monitoring. No PII or transaction-specific data is retained.

Compliance References

• ISO20022: Message validation against pain.001 and camt.053 schemas
• AML/Sanctions: OFAC SDN list integration (updated daily)
• Blockchain Validators: Real-time on-chain validation for BTC, ETH, XLM, XRPL, HBAR, Polygon
• Research Foundation: SSRN Abstract 5634150

Incident Response

Reporting Security Issues

Report security vulnerabilities to: admin@autodigitalcoin.com

Expected response time: 24-48 hours

Service Status

Real-time operational status: status.zkorigoapi.com