Data encryption in Adobe Experience Platform

Adobe Experience Platform is a powerful and extensible system that centralizes and standardizes customer experience data across enterprise solutions. All data used by Platform is encrypted in transit and at rest to keep your data secure. This document describes Platform’s encryption processes at a high level.

The following process flow diagram illustrates how Experience Platform ingests, encrypts, and persists data:

A diagram that illustrates how data is ingested, encrypted, and persisted by Experience Platform.

Data in transit

All data in transit between Platform and any external component is sent over HTTPS connections encrypted with TLS 1.2.

In general, data is brought into Platform in three ways:

  • Data collection capabilities allow websites and mobile applications to send data to the Platform Edge Network for staging and preparation for ingestion.
  • Source connectors stream data directly to Platform from Adobe Experience Cloud applications and other enterprise data sources.
  • Non-Adobe ETL (extract, transform, load) tools send data to the batch ingestion API for consumption.

After data has been brought into the system and encrypted at rest, Platform services enrich and export the data in the following ways:

mTLS protocol support

Mutual Transport Layer Security (mTLS) is supported for outbound connections to the HTTP API destination and to Adobe Journey Optimizer custom actions. mTLS is a mutual-authentication method in which both parties prove who they are before any data is shared. Compared with ordinary TLS, where only the client verifies the server's certificate, mTLS adds one step: the server also requests the client's certificate and verifies it on its end.

To use mTLS with Adobe Journey Optimizer custom actions and Experience Platform HTTP API destination workflows, the server address you enter in the Adobe Journey Optimizer custom action UI or the Destinations UI must be an endpoint that accepts only mTLS connections, that is, one that requires a client certificate on every connection. If that endpoint still accepts one-way TLS 1.2 connections without requiring a client certificate, no certificate is sent for client authentication. In other words, your "receiving" server endpoint must be mTLS-only.

IMPORTANT
No additional configuration is required in your Adobe Journey Optimizer custom action or HTTP API destination to activate mTLS; this happens automatically when an mTLS-enabled endpoint is detected. The Common Name (CN) and Subject Alternative Names (SAN) of each certificate are published in the documentation together with the certificate, and you can check them as an additional layer of ownership validation if you wish.
RFC 2818, published in May 2000, deprecates the use of the Common Name (CN) field in HTTPS certificates for subject name verification. Instead, it recommends using the Subject Alternative Name (SAN) extension with entries of type dNSName.

Download certificates

NOTE
It is your responsibility to keep the copy of the public certificate in your environment up to date. Review the certificate regularly, particularly as its expiration date approaches, and bookmark this page so that you can always obtain the latest copy.

If you want to check the CN or SAN to perform additional third-party validation, you can download the relevant certificates here:

You can also securely retrieve the public certificates by making a GET request to the MTLS public certificate endpoint. See the public certificate endpoint documentation for more information.
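As an added example, not part of this page or of Adobe's code, the following Python uses only the standard library to apply the two checks the sections above call for when you inspect a certificate: a SAN-first name match that ignores the CN whenever a dNSName SAN is present (the RFC 2818 / RFC 6125 rule), and an expiry check that flags a certificate approaching its end date. It operates on the dict shape that `ssl.SSLSocket.getpeercert()` returns, so on your receiving server you can run it against the client certificate presented on an accepted connection. The sample certificate, the hostnames and the dates are constructed for illustration and are not Adobe's; `fetch_peer_cert` assumes network access and is included only to show how a live certificate reaches the same shape.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert()
# returns. Names and dates are illustrative; this is not one of Adobe's
# certificates.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (
        ("DNS", "example.invalid"),
        ("DNS", "*.eu.example.invalid"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


def san_dns_names(cert):
    """dNSName entries of the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """commonName attributes of the subject (legacy; deprecated by RFC 2818)."""
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn
            if kind == "commonName"]


def dns_name_matches(pattern, hostname):
    """Case-insensitive match with RFC 6125 wildcard rules: '*' may only be the
    entire left-most label, must leave at least two further labels, and matches
    exactly one label ('*.eu.example.invalid' covers 'api.eu.example.invalid'
    but not 'a.b.eu.example.invalid' or 'eu.example.invalid')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject partial wildcards such as 'f*o.example' and '*.tld'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """SAN-first name check. If any dNSName SAN is present the CN is ignored
    entirely; the CN is consulted only when there is no SAN and the caller
    explicitly opts into the deprecated behaviour."""
    names = san_dns_names(cert)
    if names:
        return any(dns_name_matches(n, hostname) for n in names)
    if allow_cn_fallback:
        return any(dns_name_matches(cn, hostname) for cn in common_names(cert))
    return False


def days_until_expiry(cert, now=None):
    """Days until notAfter (negative once expired). 'now' is POSIX seconds, UTC."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def check_peer_cert(cert, expected_hostname, now=None, warn_days=30):
    """Combine the checks into findings a reviewer can act on."""
    now = time.time() if now is None else now
    days_left = days_until_expiry(cert, now)
    return {
        "hostname_ok": hostname_matches(cert, expected_hostname),
        "not_yet_valid": now < ssl.cert_time_to_seconds(cert["notBefore"]),
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left < warn_days,
        "days_left": days_left,
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Retrieve a live endpoint's certificate in the same dict shape (needs
    network access; not exercised offline). On a server, call getpeercert()
    on the accepted socket instead to inspect the client's certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    probe_time = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")
    print(check_peer_cert(SAMPLE_CERT, "api.eu.example.invalid", now=probe_time))
```

The CN fallback is off by default on purpose: a certificate that carries a matching CN but a non-matching SAN is rejected, which is the behaviour RFC 2818 asks for and what browsers implement. Run the expiry check on a schedule so that a certificate rotation on Adobe's side is noticed before the old copy in your trust store stops matching.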

Data at rest

Data that is ingested and used by Platform is stored in the data lake, a highly granular data store containing all data managed by the system, regardless of origin or file format. All data persisted in the data lake is encrypted, stored, and managed in an isolated Microsoft Azure Data Lake Storage instance that is unique to your organization.

For details on how data at rest is encrypted in Azure Data Lake Storage, see the official Azure documentation.

Next steps

This document provided a high-level overview of how data is encrypted in Platform. For more information on security procedures in Platform, see the overview on governance, privacy, and security on Experience League, or take a look at the Platform security whitepaper.
