Security & Privacy

How we protect your data, your subscriptions, and our infrastructure.

Defense in Depth

Every request to The Trinity Beast passes through multiple layers of security before it reaches our servers. Each layer is designed to stop a different type of threat.

```mermaid
%%{init: {'theme': 'base', 'flowchart': {'padding': 24, 'nodeSpacing': 35, 'rankSpacing': 45, 'useMaxWidth': true}, 'themeVariables': {'primaryColor': '#2a2f3d', 'primaryTextColor': '#e2e8f0', 'primaryBorderColor': '#d4a843', 'lineColor': '#60a5fa', 'secondaryColor': '#1a1f2e', 'tertiaryColor': '#0f172a', 'background': 'transparent', 'mainBkg': '#2a2f3d', 'nodeBorder': '#d4a843', 'fontFamily': 'inherit', 'fontSize': '11px'}}}%%
flowchart TD
    USER["Visitor / API Client"] -->|HTTPS| CF
    USER ==>|UDP Direct| NLB
    USER -->|Checkout| STRIPE

    subgraph EDGE["Edge Protection"]
        CF["CloudFront CDN"] --> SHIELD["AWS Shield"]
        SHIELD --> WAF_CF["Website WAF"]
    end
    WAF_CF -->|Website| S3["S3 Static Site"]
    WAF_CF -->|API| ALB
    WAF_CF -.->|Blocked| BLOCK1["Rejected"]

    subgraph NETWORK["Network Layer"]
        ALB["ALB + TLS"] --> WAF_ALB["API WAF"]
        NLB["NLB + UDP"]
    end
    WAF_ALB -->|Allowed| ECS
    WAF_ALB -.->|Blocked| BLOCK2["Rejected"]
    NLB ==>|UDP Direct| ECS

    subgraph VPC["Private VPC"]
        ECS["ECS Fargate\n3 Nodes"] <-->|TLS| CACHE["Valkey Cache\n52 GB"]
        ECS <-->|TLS| DB["Aurora PostgreSQL"]
    end

    subgraph PAYMENTS["Payment Security"]
        STRIPE["Stripe\nPCI Level 1"] -->|Webhook| LAMBDA["Lambda\nSignature Verified"]
        SECRETS["Secrets Manager\nEncrypted Keys"]
    end
    LAMBDA --> DB

    subgraph MONITOR["Continuous Monitoring"]
        GD["GuardDuty"]
        CW["CloudWatch"]
        CT["CloudTrail"]
        VFL["VPC Flow Logs"]
    end
    ECS -.-> CW
    ALB -.-> CW
    WAF_ALB -.-> CW
    ECS -.-> GD
    CT -.-> GD
    VFL -.-> GD

    %% links 1 and 11 are the two UDP Direct edges (USER ==> NLB, NLB ==> ECS)
    linkStyle 1 stroke:#f97316,stroke-width:3px
    linkStyle 11 stroke:#f97316,stroke-width:3px

    classDef edge fill:#1e3a5f,stroke:#60a5fa,color:#e2e8f0
    classDef network fill:#1a2744,stroke:#d4a843,color:#e2e8f0
    classDef vpc fill:#0f172a,stroke:#10b981,color:#e2e8f0
    classDef monitor fill:#1a1f2e,stroke:#a78bfa,color:#e2e8f0
    classDef blocked fill:#7f1d1d,stroke:#ef4444,color:#fca5a5
    classDef user fill:#2a2f3d,stroke:#d4a843,color:#e2e8f0
    classDef payment fill:#1a2e1a,stroke:#d4a843,color:#e2e8f0
    class CF,SHIELD,WAF_CF edge
    class ALB,WAF_ALB,NLB network
    class ECS,CACHE,DB,S3 vpc
    class GD,CW,CT,VFL monitor
    class BLOCK1,BLOCK2 blocked
    class USER user
    class STRIPE,LAMBDA,SECRETS payment
```

Diagram 1.1: Security Defense Flow — Every request passes through multiple protection layers

Legend

Edge Protection — CloudFront, Shield, Website WAF
Network Layer — ALB, API WAF, NLB (UDP)
Private VPC — ECS, Valkey Cache, Aurora DB
Monitoring — GuardDuty, CloudWatch, CloudTrail, Flow Logs
Payment Security — Stripe (PCI L1), Lambda webhook, Secrets Manager
Blocked — Rejected by WAF or rate limits
Solid line — Request flow (HTTPS / UDP)
UDP Flame Path — Bypasses CDN, WAF, and ALB for lowest latency
Dashed line — Monitoring / logging flow
Allowed — Passed all security checks
The UDP Flame Path

The thick highlighted path on the diagram shows the UDP direct route. It bypasses CloudFront, Shield, both WAFs, and the ALB, going straight from the Network Load Balancer to the container. That removes five network hops and delivers sub-millisecond response times for latency-critical applications such as trading bots and real-time dashboards. TCP requests pass through every security layer; UDP trades that inspection for raw speed. Shield Standard's automatic network-layer protection still covers the NLB, as it covers every AWS resource, but nothing on the UDP path inspects payloads or filters known-bad addresses before traffic reaches the container, so the API-key validation and rate limiting the application performs there are the only application-layer controls that apply to it. Because UDP has no handshake, a source address on this path is not proof of where a packet came from, which makes the API key, rather than the client IP, the reliable identity to limit on.

DDoS Protection

AWS Shield Standard automatically absorbs network- and transport-layer volumetric attacks (SYN and UDP floods, reflection attacks) at the network edge. CloudFront distributes traffic across 400+ global edge locations, so an attacker has to overwhelm many points of presence at once rather than a single origin.

Automatic

Web Application Firewall

Two WAF layers inspect every HTTPS request: one on CloudFront in front of the static site and the API, and one on the ALB in front of the API containers (the UDP path passes through neither). Known malicious IPs are blocked on sight. SQL injection, cross-site scripting, and code injection attempts are detected and rejected before reaching our servers.

Real-Time

Rate Limiting

Multiple layers of rate limiting protect against abuse. The WAF's rate-based rule blocks any source IP that exceeds 2,000 requests within a rolling 5-minute window. Behind it, the application enforces per-tier QPS limits, and admin endpoints have a separate, stricter threshold. The two layers catch different things: the per-IP rule stops a single source from flooding the edge (and counts clients behind a shared NAT together), while the per-tier limit bounds what any one account can do regardless of how many addresses it sends from.
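The two rate-limiting layers, and the way the UDP Flame Path skips the first of them, as an added example that is not the service's own code. WAF_LIMIT and WAF_WINDOW are the page's 2,000-requests-per-5-minutes figure; the tier QPS values, the admin limit, the API keys, the addresses and the request timings are assumptions made for the demonstration:

```python
"""Two-layer rate limiting: a per-IP rolling window (as a WAF rate-based rule
does) in front of per-API-key token buckets with per-tier QPS.

Added example, not the service's own code. WAF_LIMIT/WAF_WINDOW are the page's
stated figures; TIER_QPS, ADMIN_QPS, key names, IPs and timings are assumed.
"""
from collections import defaultdict, deque

WAF_LIMIT = 2000      # requests per source IP ...
WAF_WINDOW = 300.0    # ... in a rolling 5-minute window (figures from the page)
TIER_QPS = {"free": 5.0, "pro": 50.0, "enterprise": 500.0}  # assumed tier limits
ADMIN_QPS = 1.0       # assumed stricter per-key limit for admin endpoints


class SlidingWindow:
    """Rolling-window counter per identity; approximates a WAF rate-based rule."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # identity -> timestamps inside the window

    def allow(self, ident, now):
        q = self.hits[ident]
        while q and now - q[0] >= self.window:  # expire hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; each request costs one."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True


class ApiLimiter:
    """Returns 'allowed' or 'blocked:<layer>' for one request."""

    def __init__(self):
        self.edge = SlidingWindow(WAF_LIMIT, WAF_WINDOW)
        self.buckets = {}  # (api_key, scope) -> TokenBucket

    def check(self, *, src_ip, api_key, tier, admin, transport, now):
        # Only HTTPS traffic crosses the WAF; UDP via the NLB skips the per-IP
        # window, so the per-key bucket is the sole limit on that path.
        if transport == "tcp" and not self.edge.allow(src_ip, now):
            return "blocked:waf-rate"
        if tier not in TIER_QPS:          # unknown or revoked key
            return "blocked:invalid-key"
        scope = "admin" if admin else "api"
        rate = ADMIN_QPS if admin else TIER_QPS[tier]
        bucket = self.buckets.setdefault((api_key, scope), TokenBucket(rate, burst=rate))
        return "allowed" if bucket.take(now) else f"blocked:{scope}-qps"


def simulate():
    """Constructed traffic exercising each layer; returns the decisions."""
    lim, out = ApiLimiter(), {}
    free = dict(src_ip="198.51.100.7", api_key="key-free", tier="free", admin=False, transport="tcp")
    out["free_burst"] = [lim.check(**free, now=0.0) for _ in range(6)]
    out["free_after_refill"] = lim.check(**free, now=0.25)  # 0.25 s * 5 QPS = 1.25 tokens
    ent = dict(src_ip="203.0.113.9", api_key="key-ent", tier="enterprise", admin=False)
    for i in range(2000):                 # 2,000 HTTPS requests over 100 s from one IP
        lim.check(**ent, transport="tcp", now=i * 0.05)
    out["ip_2001st_tcp"] = lim.check(**ent, transport="tcp", now=100.0)
    out["ip_2001st_udp"] = lim.check(**ent, transport="udp", now=100.0)
    adm = dict(src_ip="192.0.2.5", api_key="key-ent", tier="enterprise", admin=True, transport="tcp")
    out["admin"] = [lim.check(**adm, now=100.1) for _ in range(2)]
    return out


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name}: {decision}")
```

The 2,001st request from one address is refused by the per-IP window when it arrives over HTTPS and accepted when the same key sends it over UDP, which is exactly the trade the Flame Path makes: on that path only the per-key bucket stands between a client and the container.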

Multi-Layer

Encryption Everywhere

All data is encrypted in transit (TLS 1.2+) and at rest. API traffic, database connections, cache communication, and website delivery — every path is encrypted. No exceptions.

TLS 1.2+

Threat Detection

AWS GuardDuty continuously analyzes network traffic, API calls, and DNS queries for signs of compromise — credential theft, cryptocurrency mining, unusual access patterns. Findings trigger immediate alerts.

Continuous

Audit Trail

Every API call to our AWS infrastructure is logged by CloudTrail. VPC Flow Logs record all network traffic. Nothing happens without a record. Full accountability, full transparency.
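To show what the Flow Logs mentioned above can answer, here is an added example (not the service's or GuardDuty's detection logic) that parses the default version 2 flow-log format and flags two patterns: one source collecting REJECTs across many destination ports, and ACCEPTed ingress from outside the VPC on a port that is not on the allow-list. The log lines, account ID, ENI, addresses, allowed port set and the 10.0.0.0/16 VPC CIDR are constructed for the example:

```python
"""Triage of VPC Flow Log records: parse the default (version 2) format, then
flag scan-like REJECT bursts and ACCEPTed ingress on unexpected ports.

Added example, not the service's detection logic (GuardDuty consumes these logs
there). The log lines, account id, ENI id, addresses and the 10.0.0.0/16 VPC
CIDR below are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one external host probing five ports (all REJECTed), normal
# HTTPS, internal cache traffic, an ACCEPT on an unexpected port, and a NODATA row.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 51001 23 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 51002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 51003 5432 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 203.0.113.5 10.0.1.20 51004 6379 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f 198.51.100.8 10.0.1.20 43000 443 6 12 3000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f 10.0.1.20 10.0.2.30 40000 6379 6 5 800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f 198.51.100.9 10.0.1.20 44444 8080 6 3 200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; rows without flow data are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                              # blank line, header or truncated row
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":             # NODATA / SKIPDATA rows carry '-' fields
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_port_scans(records, min_ports=5):
    """Sources whose REJECTed flows touched at least `min_ports` distinct ports."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in rejected.items() if len(ports) >= min_ports}


def find_unexpected_ingress(records, vpc_cidr, allowed_ports):
    """ACCEPTed flows from outside the VPC to a port that is not on the allow-list."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if r["action"] == "ACCEPT" and src not in vpc and dst in vpc and r["dstport"] not in allowed_ports:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


def triage(text=SAMPLE_LOG, vpc_cidr="10.0.0.0/16", allowed_ports=frozenset({443})):
    """Run both detectors over one log extract and summarise the findings."""
    records = parse_flow_log(text)
    return {
        "records": len(records),
        "port_scans": find_port_scans(records),
        "unexpected_ingress": find_unexpected_ingress(records, vpc_cidr, allowed_ports),
    }


if __name__ == "__main__":
    print(triage())
```

The internal 10.0.1.20 to 10.0.2.30 flow on port 6379 is the cache traffic the diagram shows inside the VPC and is deliberately not flagged; only ingress from outside the CIDR is measured against the allow-list.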

Every Action Logged

Payment Security

We never see, store, or process your payment information. All payment handling is done by Stripe.

Stripe Handles Everything

Card numbers, bank details, and billing information go directly to Stripe, a PCI DSS Level 1 certified payment processor. Our servers never touch your payment data.

Secrets Management

API keys, database credentials, and Stripe keys are stored in AWS Secrets Manager — encrypted, access-controlled, and rotatable. Never hardcoded, never in environment variables.

Webhook Verification

Every Stripe webhook is cryptographically verified before processing: Stripe signs each event with an HMAC-SHA256 over the event timestamp and raw body using the endpoint's signing secret, and the Lambda recomputes and compares that signature before it trusts the event. A forged or tampered event fails the comparison and is rejected immediately; Stripe's scheme also rejects events whose timestamp falls outside a tolerance window, so an old, validly signed event cannot be replayed.

Our Privacy Promise

  • We do not use cookies — not for tracking, not for analytics, not for anything.
  • We do not use third-party trackers, pixels, or advertising scripts.
  • The only data stored on your device is your preferred language setting — one key in localStorage.
  • Our analytics are anonymous — no names, no emails, no IP addresses stored.
  • We do not sell, share, or rent your data to anyone. Ever.
  • Payment data goes directly to Stripe. We never see your card number.