Data encryption in Adobe Experience Platform
Adobe Experience Platform is a powerful and extensible system that centralizes and standardizes customer experience data across enterprise solutions. All data used by Platform is encrypted in transit and at rest to keep your data secure. This document describes Platform’s encryption processes at a high level.
The following process flow diagram illustrates how Experience Platform ingests, encrypts, and persists data:
Data in transit
All data in transit between Platform and any external component is conducted over secure, encrypted connections using HTTPS TLS v1.2.
In general, data is brought into Platform in three ways:
- Data collection capabilities allow websites and mobile applications to send data to the Platform Edge Network for staging and preparation for ingestion.
- Source connectors stream data directly to Platform from Adobe Experience Cloud applications and other enterprise data sources.
- Non-Adobe ETL (extract, transform, load) tools send data to the batch ingestion API for consumption.
After data has been brought into the system and encrypted at rest, Platform services enrich and export the data in the following ways:
- Destinations allow you to activate data to Adobe applications and partner applications.
- Native Platform applications such as Customer Journey Analytics and Adobe Journey Optimizer can also make use of the data.
mTLS protocol support
You can now use Mutual Transport Layer Security (mTLS) to ensure enhanced security in outbound connections to the HTTP API destination and Adobe Journey Optimizer custom actions. mTLS is an end-to-end security method for mutual authentication that ensures that both parties sharing information are who they claim to be before data is shared. mTLS includes an additional step compared to TLS, in which the server also asks for the client’s certificate and verifies it on its end.
If you want to use mTLS with Adobe Journey Optimizer custom actions and Experience Platform HTTP API destination workflows, the server address you enter in the Adobe Journey Optimizer custom action UI or the Destinations UI must have TLS protocols disabled and only mTLS enabled. If the TLS 1.2 protocol is still enabled on that endpoint, no certificate is sent for client authentication. In other words, to use mTLS with these workflows, your “receiving” server endpoint must be an mTLS-only connection endpoint.
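To make the handshake difference concrete, here is an added example written for this page (it is not Adobe's code and says nothing about how Platform services are implemented). Using only the Go standard library, it generates throwaway self-signed certificates for a constructed receiving endpoint and a constructed client, then runs two TLS 1.2 handshakes over an in-memory pipe: once with the server configured for plain TLS, where it never sends a CertificateRequest, and once with the server configured to require and verify a client certificate. In the first case the server sees no client certificate even though the client holds one; only in the second case does the client present it. The hostnames and certificate subjects are assumptions made up for the example.

```go
package main

// Added example, not Adobe code. Demonstrates that a TLS client holding a
// certificate only presents it when the server's handshake asks for one.
// All certificates, names and endpoints are constructed in-process; nothing
// here touches the network.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed certificate for the given
// name, usable for both server and client authentication (test material only).
func newSelfSignedCert(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshakeClientCN runs one TLS 1.2 handshake over an in-memory pipe with the
// server set to the given client-authentication policy, and returns the
// CommonName the server saw on the client certificate ("" if none was sent).
func handshakeClientCN(policy tls.ClientAuthType) (string, error) {
	serverCert, serverLeaf, err := newSelfSignedCert("receiving-endpoint.example") // assumed name
	if err != nil {
		return "", err
	}
	clientCert, clientLeaf, err := newSelfSignedCert("platform-client.example") // assumed name
	if err != nil {
		return "", err
	}
	trustServer := x509.NewCertPool()
	trustServer.AddCert(serverLeaf)
	trustClient := x509.NewCertPool()
	trustClient.AddCert(clientLeaf)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   policy,      // NoClientCert = plain TLS; RequireAndVerifyClientCert = mTLS
		ClientCAs:    trustClient, // issuers the server accepts for client certificates
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // pinned so the flights alternate cleanly over a synchronous pipe
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{clientCert}, // held by the client, sent only on request
		RootCAs:      trustServer,
		ServerName:   "receiving-endpoint.example",
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}

	clientRaw, serverRaw := net.Pipe()
	defer clientRaw.Close()
	defer serverRaw.Close()
	server := tls.Server(serverRaw, serverCfg)
	client := tls.Client(clientRaw, clientCfg)

	serverDone := make(chan error, 1)
	go func() { serverDone <- server.Handshake() }()
	clientErr := client.Handshake()
	if clientErr != nil {
		clientRaw.Close() // unblock the server side so its goroutine can exit
	}
	if err := <-serverDone; err != nil {
		return "", err
	}
	if clientErr != nil {
		return "", clientErr
	}
	peers := server.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return "", nil
	}
	return peers[0].Subject.CommonName, nil
}

// The two endpoint configurations discussed in the text.
func plainTLSClientCN() (string, error)  { return handshakeClientCN(tls.NoClientCert) }
func mutualTLSClientCN() (string, error) { return handshakeClientCN(tls.RequireAndVerifyClientCert) }

func main() {
	for _, tc := range []struct {
		name string
		run  func() (string, error)
	}{
		{"TLS endpoint (server never requests a client certificate)", plainTLSClientCN},
		{"mTLS-only endpoint (server requires and verifies one)", mutualTLSClientCN},
	} {
		cn, err := tc.run()
		switch {
		case err != nil:
			fmt.Printf("%s: handshake failed: %v\n", tc.name, err)
		case cn == "":
			fmt.Printf("%s: no client certificate presented\n", tc.name)
		default:
			fmt.Printf("%s: client authenticated as CN=%s\n", tc.name, cn)
		}
	}
}
```

The point to take from the two runs is that the client's configuration is identical in both: whether a certificate is presented is decided entirely by the receiving server's policy, which is why the text requires the receiving endpoint to accept only mTLS connections.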
Download certificates
If you want to check the CN or SAN to do additional third-party validation, you can download the relevant certificates here:
You can also securely retrieve public certificates by making a GET request to the MTLS endpoint. See the public certificate endpoint documentation for more information.
Data at rest
Data that is ingested and used by Platform is stored in the data lake, a highly granular data store containing all data managed by the system, regardless of origin or file format. All data persisted in the data lake is encrypted, stored, and managed in an isolated Microsoft Azure Data Lake Storage instance that is unique to your organization.
For details on how data at rest is encrypted in Azure Data Lake Storage, see the official Azure documentation.
Next steps
This document provided a high-level overview of how data is encrypted in Platform. For more information on security procedures in Platform, see the overview on governance, privacy, and security on Experience League, or take a look at the Platform security whitepaper.