Data Encryption

Written by Moodi Mahmoudi
Updated over 2 weeks ago

NEXT AI encrypts customer data at rest and in transit using industry-standard cryptography. At rest, data (including backups) is encrypted with AES-256. In transit, connections are protected with TLS and HSTS. Encryption keys are managed in AWS Key Management Service (KMS), which uses FIPS 140-2 validated hardware security modules (HSMs).

At a glance

  • Encryption at rest: AES-256 (FIPS 197) across primary storage and backups.

  • Encryption in transit: Transport Layer Security (TLS) between client and service; HSTS is enabled (see RFC 8446 and RFC 6797).

  • Key management: keys stored and managed in AWS KMS; HSMs validated under FIPS 140-2.

Encryption at rest

All customer data—including backups—is encrypted at rest using AES-256, a NIST-approved standard for protecting electronic data (FIPS 197).

Encryption in transit

All client-service communications are protected with TLS. HTTP Strict Transport Security (HSTS) is enabled to enforce HTTPS and reduce downgrade risks (TLS semantics per RFC 8446; HSTS per RFC 6797).
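As an added check, not NEXT AI's code, the following parses a Strict-Transport-Security header value according to RFC 6797 and flags the conditions under which a browser would not actually enforce HTTPS (missing or malformed max-age, a short lifetime, no includeSubDomains). The one-year threshold is an assumption taken from the usual preload-list convention; the page states no value.

```python
import re

# Added example, not NEXT AI's code. One year is the usual preload-list
# convention, assumed here; the page states no threshold.
ONE_YEAR = 31536000


def parse_hsts(header: str) -> dict:
    """Map directives (case-insensitive, RFC 6797 6.1); repeats are an error."""
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"') if value else True
    return directives


def evaluate_hsts(header):
    """Return findings for an HSTS header value; [] means sound, None = absent."""
    if header is None:
        return ["no Strict-Transport-Security header: HTTPS is not enforced"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [f"malformed header: {exc}"]
    if not re.fullmatch(r"\d+", str(d.get("max-age", ""))):
        return ["max-age missing or not an integer: clients ignore the header"]
    max_age = int(d["max-age"])
    findings = []
    if max_age == 0:
        findings.append("max-age=0 clears the policy on the client")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is below the one-year convention")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains may still accept HTTP")
    if "preload" in d and findings:
        findings.append("preload requested but preload requirements are not met")
    return findings


# Constructed sample headers: strong, weak, and absent.
SAMPLES = {"strong": "max-age=63072000; includeSubDomains; preload",
           "weak": "max-age=300", "missing": None}
RESULTS = {label: evaluate_hsts(value) for label, value in SAMPLES.items()}
```

In practice the header value comes from the response of an HTTPS request to the service; the same function then reports what a client would enforce.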

Certificates and configuration

Server certificates are provisioned and managed via AWS Certificate Manager (ACM), with automated renewal on supported endpoints. Strong TLS configurations and HSTS are used to maintain a robust transport-security posture.

Key management

Encryption keys are generated, stored, and managed in AWS KMS, benefiting from HSM-backed protection validated under FIPS 140-2. Key-management practices align to NIST SP 800-57 guidance around key generation, storage, rotation, and access control.

FAQ

Q: Does NEXT AI encrypt data at rest?

Yes. All customer data—including backups—is encrypted at rest using AES-256 (FIPS 197).

Q: How is data encrypted in transit?

Connections are protected with TLS; HSTS is enabled to enforce HTTPS and mitigate downgrade attacks (see RFC 8446 for TLS and RFC 6797 for HSTS).

Q: Does NEXT AI support TLS 1.3?

Industry guidance recommends TLS 1.3 (RFC 8446). Configuration targets modern TLS; where clients and endpoints support TLS 1.3, it is the preferred option.

Q: Which algorithms are used for at-rest encryption?

AES-256 per FIPS 197.

Q: How are encryption keys protected?

Keys are managed in AWS KMS, backed by hardware security modules validated under FIPS 140-2.

Q: Are backups encrypted?

Yes. Backups inherit at-rest encryption controls (AES-256).

Q: Are certificates managed automatically?

AWS Certificate Manager (ACM) provides automated certificate issuance and managed renewal on supported endpoints.

Q: Do you use perfect forward secrecy (PFS)?

TLS 1.3 requires forward-secret key exchange by design; on modern stacks, forward-secret cipher suites are prioritized (see RFC 8446).

Q: Can customers bring their own keys (BYOK)?

Key management is handled in AWS KMS. If a customer-managed-key (CMK/BYOK) option is required, contact NEXT AI to discuss feasibility based on tenancy and architecture.

Q: Do you enforce HTTPS across the site?

Yes. HSTS is enabled to force HTTPS, as specified by RFC 6797.