Updated: August 2025
CLOUD SECURITY AND RESILIENCE
Mobile and web application core business logic and data processing are hosted in Amazon Web Services (AWS) GovCloud. All applications connect to the Adyton “backend” environment via the internet.
Adyton’s infrastructure is designed for high availability: the backend runs in multiple availability zones. The design also provides for disaster recovery. A failure in one AWS US GovCloud region is addressed by recovering Adyton’s backend resources into the other AWS US GovCloud region.
ENCRYPTION
Adyton’s mobile applications are designed for the most sensitive workloads, including IL5+ and Classified use cases, and to comply with DoD and NIST controls, including but not limited to the following policies: DoD FedRAMP+ MMX (Control Overlay), DoD CC SRG, NIST 800-63r3, NIST 800-124.
All applications built on our platform encrypt locally cached data at rest.
Application backend data is stored in AWS GovCloud (US). Backend data is encrypted at rest using cryptographic key material that is generated and stored in AWS KMS, which is backed by the AWS Key Management Service HSM, NIST certificate #4177.
Approved algorithms are covered by the following NIST certificates:
Android & Web: the BoringCrypto library, NIST certificate #3678
iOS: the CommonCrypto library, NIST certificate #3438
All data in transit within the platform, and for remote sessions, is encrypted with TLS 1.3 using the BoringCrypto library, NIST certificate #3678.
ROLES
Our mobile applications define user roles with basic and advanced administration privileges:
Organization Leader: may create and delete teams, view all teams’ members and messages, and add, move, or delete members. Can edit all users’ profile data.
Team Leader: may create teams, view only the teams in which they are a leader or member, and add, move, or delete members of their teams. Can edit only the Name and Rank fields of their team members’ profiles.
Regular app user: may view and respond to messages inside the mobile application.
SMS user: receives text messages containing a secure link to view messages inside a mobile browser only.
PRIVILEGED SYSTEM ADMINISTRATORS (ADYTON ENGINEERING TEAM)
Privileged system administrators authenticate with two-factor, cryptography-based authentication on every device that interacts with the mobile app backend.
Privileged system administrator passwords are rotated at least every 90 days.
Privileged system administrator sessions time out after 12 hours at most, or sooner depending on in-app activity.
Google GSuite SAML SSO and YubiKeys in FIDO/U2F mode are used to enforce cryptographic authentication.
SIGN ON SUPPORT
Web applications support integration with the Customer’s existing identity management solution. Adyton’s SSO also supports CAC, PIV card, and WebAuthn/FIDO2 authentication, for example with a YubiKey.
Adyton’s SSO supports the following standards-based identity protocols: OAuth 2.0, OpenID Connect, SAML 2.0.
NON-PRIVILEGED APP USERS
All users must have a verified work email address in order to access the mobile application.
Federal government email authentication tokens are protected by biometrics and stored in a secure enclave.
A non-privileged user receives a magic link to connect their copy of the mobile application to their assigned organization.
The web portion of the application uses JSON Web Tokens (JWT) to cryptographically authenticate a user’s mobile app to their assigned organization.
AUTHENTICATION TOKEN AND SENSITIVE PROPERTIES STORAGE
On both Google Android and Apple iOS devices, the mobile applications use the operating system’s functionality, either the Trusted Execution Environment or Secure Storage, to generate, store, and use encryption keys. Authentication tokens and sensitive properties are protected by the native TEE or Secure Enclave functionality.
REMOTE WIPE
The product application suite enables users designated with Organization Leader, Organization Manager or Team Leader permissions to remotely wipe Enterprise data from a User’s device as a means to safeguard access.
APPLE DEVICE SECURITY
Secure Enclave: Our mobile applications protect their private keys with the Secure Enclave, so the application never handles the plaintext key, which makes compromise of the key difficult.
Key generation and storage: Apple iOS devices with an A7 or later processor include a "Secure Enclave", a hardware-based key generation and storage component that is isolated from the main processor to provide an extra layer of protection against key compromise.
Storage Security: Apple iOS and iPadOS devices use Apple Data Protection technology to protect data stored on the device.
Hardware versions: On A14, A15, and M1 family devices, data encryption uses AES-256 in XTS mode; the 256-bit per-file key goes through a key derivation function (NIST Special Publication 800-108) to derive a 256-bit tweak and a 256-bit cipher key. A9 through A13, S5, S6, and S7 devices use AES-128 in XTS mode, where the 256-bit per-file key is split into a 128-bit tweak and a 128-bit cipher key.
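The two per-file key handling schemes described above, as an added Python example (not Apple’s or Adyton’s code). It implements the NIST SP 800-108 KDF in counter mode with HMAC-SHA256 as the PRF; the PRF choice, the label and context strings, and the per-file key are constructed placeholders, since the page does not give Apple’s actual values.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed placeholders: the page does not state Apple's real KDF label/context.
LABEL = b"per-file-key-expansion"
CONTEXT = b"xts-subkeys-example"


def sp800_108_counter_kdf(key_in: bytes, label: bytes, context: bytes, out_bits: int) -> bytes:
    """NIST SP 800-108 KDF, counter mode, PRF = HMAC-SHA256 (assumed PRF).

    K(i) = HMAC(K_I, [i]_2 || Label || 0x00 || Context || [L]_2) for i = 1..n,
    with 32-bit big-endian counter and length fields. The result is the first
    L bits of K(1) || K(2) || ... . Because L is part of the input, asking for
    256 bits does not yield a prefix of the 512-bit output.
    """
    if out_bits <= 0 or out_bits % 8:
        raise ValueError("output length must be a positive multiple of 8 bits")
    out_len = out_bits // 8
    prf_len = hashlib.sha256().digest_size
    n = -(-out_len // prf_len)  # ceil(out_len / prf_len)
    fixed = label + b"\x00" + context + out_bits.to_bytes(4, "big")
    blocks = [
        hmac.new(key_in, i.to_bytes(4, "big") + fixed, hashlib.sha256).digest()
        for i in range(1, n + 1)
    ]
    return b"".join(blocks)[:out_len]


def derive_xts_subkeys(per_file_key: bytes, new_hardware: bool) -> Tuple[bytes, bytes]:
    """Turn one 256-bit per-file key into (tweak_key, cipher_key) for AES-XTS.

    new_hardware=True  (A14/A15/M1): KDF expands the key to 512 bits, giving a
                        256-bit tweak key and a 256-bit cipher key (AES-256-XTS).
    new_hardware=False (A9-A13, S5-S7): the 256-bit key is split in half, giving
                        a 128-bit tweak key and a 128-bit cipher key (AES-128-XTS).
    """
    if len(per_file_key) != 32:
        raise ValueError("per-file key must be exactly 256 bits")
    if new_hardware:
        material = sp800_108_counter_kdf(per_file_key, LABEL, CONTEXT, 512)
        return material[:32], material[32:]
    return per_file_key[:16], per_file_key[16:]


if __name__ == "__main__":
    per_file_key = bytes(range(32))  # constructed sample key, not a real one
    for hw, name in ((True, "A14/A15/M1"), (False, "A9-A13/S5-S7")):
        tweak, cipher = derive_xts_subkeys(per_file_key, hw)
        print(f"{name}: tweak key {len(tweak) * 8} bits, cipher key {len(cipher) * 8} bits")
```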
ANDROID DEVICE SECURITY
Trusted Execution Environment: Android hardware provides a Trusted Execution Environment (TEE), implemented by the TrustZone feature on ARM-based devices. TrustZone partitions the main processor into a secure world and a normal world, creating a trusted execution environment that separates sensitive code from untrusted code.
Key Generation and Storage: Android’s Keymaster runs the keystore inside the device’s Trusted Execution Environment (TEE), which guards cryptographic key storage against exposure and tampering. An attacker cannot read key material held by Keymaster even if the kernel is fully compromised.
Storage Encryption: Encryption must be used to protect user data if a device is lost or stolen. Android supports two methods for device encryption: file-based encryption (FBE) and legacy full-disk encryption.
To learn more about our suite of products, please visit www.adyton.io.
Adyton is committed to security, not only with Federal-level encryption but in our promise to our users' privacy. Your data is not for sale. Ever.