The Approach

What "security by design" actually means

Most software adds security controls after the product is built. phosphorOS starts with security decisions and builds the product around them.

Encrypted before it's stored
Sensitive data — API keys, payment credentials, tax IDs, banking information — is encrypted inside the application before it ever reaches the database. The database only sees scrambled text. Even if someone gained direct database access, they'd find nothing readable.
No servers to hack
phosphorOS runs on AWS Lambda — serverless functions that exist only for the fraction of a second needed to process a request. There are no servers with SSH access, no persistent machines to compromise, no shells to exploit. The attack surface that enabled the MGM and Caesars breaches simply doesn't exist here.
No passwords to steal
phosphorOS uses Sign In with Apple for authentication. There are no passwords stored anywhere in the system, no password reset flows, and no help desk that can be social-engineered into granting access — the exact vector used in both the MGM and Caesars attacks.
Keys locked in a vault
The encryption key that protects your data is stored in AWS Key Management Service — a tamper-proof hardware security module. Even our own engineers can't access it. The key is loaded into memory only for the instant needed to read or write a record, then it's gone.
For the CSO

The technical details that matter

Built to satisfy security teams, pass vendor evaluations, and hold up under audit.

AES-256-GCM field-level encryption
Individual fields are encrypted with AES-256-GCM — the same standard the U.S. government uses for classified information. Each encryption includes a 128-bit authentication tag for tamper detection. If a single bit is modified, decryption fails immediately. Backed by Apple's FIPS 140-2 validated cryptographic libraries.
Blind index search
Encrypted fields can still be searched using HMAC-SHA256 blind indexes — one-way mathematical fingerprints stored alongside the encrypted value. You can look up a guest by email or phone without ever exposing the plaintext to the database. The fingerprint is impossible to reverse.
Zero-downtime key rotation
Encryption keys can be rotated without any service interruption. The system reads data encrypted with both the current and previous key simultaneously. Documents are automatically re-encrypted with the new key on their next save. No batch migration jobs, no downtime windows.
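The field-level encryption and the two-key rotation window described above, as an added example written for this page (not phosphorOS code, and not a statement about its internal storage layout): a small keyring seals each value with AES-256-GCM under a named key version, opens it with whichever version produced it, and re-seals stale records under the current version on save. The 128-bit tag rejects any modified bit, and binding the key id as associated data means a ciphertext cannot be relabelled to a different version. Key material is generated locally here; a production keyring would obtain it from KMS. The "v1"/"v2" labels and the `"<keyID>.<base64>"` layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Keyring holds every data-key version that may still have sealed records; CurrentID
// is the version new writes use. Keys are generated locally (constructed for the
// example); a production keyring would obtain them from KMS.
type Keyring struct {
	CurrentID string
	Keys      map[string][]byte
}

func NewKey() []byte { // random 32-byte AES-256 key
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no entropy: refuse to continue rather than seal with a weak key
	}
	return k
}

// Rotate adds a fresh version and makes it current; RetireKey drops one, which is
// safe only after every record sealed under it has been rewritten by ReencryptIfStale.
func (kr *Keyring) Rotate(newID string) { kr.Keys[newID] = NewKey(); kr.CurrentID = newID }
func (kr *Keyring) RetireKey(id string) { delete(kr.Keys, id) }

func (kr *Keyring) gcmFor(id string) (cipher.AEAD, error) {
	key, ok := kr.Keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key version %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit authentication tag
}

// EncryptField seals one value as "<keyID>.<base64(nonce||ciphertext||tag)>" (a layout
// constructed here). The key id is bound as associated data, so a sealed value
// cannot be relabelled to another version.
func (kr *Keyring) EncryptField(plaintext string) (string, error) {
	gcm, err := kr.gcmFor(kr.CurrentID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(kr.CurrentID))
	return kr.CurrentID + "." + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField opens a value with whichever version sealed it and reports that version.
func (kr *Keyring) DecryptField(stored string) (plaintext, keyID string, err error) {
	parts := strings.SplitN(stored, ".", 2)
	if len(parts) != 2 {
		return "", "", fmt.Errorf("malformed sealed field")
	}
	gcm, err := kr.gcmFor(parts[0])
	if err != nil {
		return "", "", err
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", "", fmt.Errorf("malformed sealed field")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(parts[0]))
	if err != nil { // any modified bit of nonce, ciphertext or tag ends up here
		return "", "", fmt.Errorf("authentication failed: field modified or sealed under another key")
	}
	return string(pt), parts[0], nil
}

// ReencryptIfStale is the on-save hook: a record sealed under an older version is
// opened and sealed again under the current one; a current record passes through.
func (kr *Keyring) ReencryptIfStale(stored string) (out string, rewritten bool, err error) {
	pt, id, err := kr.DecryptField(stored)
	if err != nil || id == kr.CurrentID {
		return stored, false, err // unreadable, or already current: nothing to rewrite
	}
	out, err = kr.EncryptField(pt)
	return out, err == nil, err
}

func main() {
	kr := &Keyring{CurrentID: "v1", Keys: map[string][]byte{"v1": NewKey()}}
	stored, _ := kr.EncryptField("sk_live_PLACEHOLDER") // constructed stand-in for a Stripe key
	kr.Rotate("v2")
	stored, rewritten, err := kr.ReencryptIfStale(stored) // v1 is still in the ring, so this reads and reseals
	fmt.Println("rewritten under current key:", rewritten, err, strings.HasPrefix(stored, "v2."))
}
```

The order of operations is the whole point of the zero-downtime claim: add the new version, switch writes to it, let saves migrate records, and only then retire the old version. Retiring first turns every not-yet-rewritten record into an authentication failure, which this keyring reports rather than hides.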
Data normalization at the field level
Phone numbers, emails, and other searchable fields are automatically normalized to canonical formats before encryption. A phone entered as "(702) 465-0707" is stored as "+17024650707" — ensuring blind index lookups always match, regardless of how the data was originally entered.
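The blind-index lookup and the normalization step it depends on, as an added example written for this page (not phosphorOS code): a phone number is reduced to E.164 before it is fingerprinted with HMAC-SHA256, so the page's "(702) 465-0707" and any other spelling of the same number produce one index value, and a lookup compares fingerprints without the plaintext ever reaching the stored rows. The field label inside the MAC, the separate index key, the NANP-only normalization and the `GuestRow` shape are assumptions of this example; the ciphertext column is a placeholder string.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// NormalizePhone reduces a US/Canada (NANP) number to E.164, so "(702) 465-0707",
// "702.465.0707" and "+1 702 465 0707" all become "+17024650707". Other lengths are
// rejected rather than guessed. (Assumption for this example: NANP numbers only.)
func NormalizePhone(raw string) (string, bool) {
	var b strings.Builder
	for _, r := range raw {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	d := b.String()
	switch {
	case len(d) == 10:
		return "+1" + d, true
	case len(d) == 11 && d[0] == '1':
		return "+" + d, true
	}
	return "", false
}

// NormalizeEmail trims and lower-cases, so case and stray whitespace cannot split
// one address into two index values.
func NormalizeEmail(raw string) string { return strings.ToLower(strings.TrimSpace(raw)) }

// BlindIndex is HMAC-SHA256 over "<field label> NUL <normalized value>". The label keeps
// a phone index from matching an email index for the same bytes. indexKey is a
// dedicated secret, separate from the AES data key (an assumption of this example).
func BlindIndex(indexKey []byte, field, normalized string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(field))
	mac.Write([]byte{0})
	mac.Write([]byte(normalized))
	return hex.EncodeToString(mac.Sum(nil))
}

// GuestRow is what the database holds for a guest: an opaque ciphertext (a placeholder
// string here) and the blind index; the plaintext phone is never written to the row.
type GuestRow struct {
	ID              string
	PhoneCiphertext string
	PhoneIndex      string
}

// StoreGuest normalizes, then indexes. A number that cannot be normalized is refused,
// because an unnormalized index would never match a later lookup.
func StoreGuest(indexKey []byte, id, rawPhone string) (GuestRow, error) {
	norm, ok := NormalizePhone(rawPhone)
	if !ok {
		return GuestRow{}, fmt.Errorf("unrecognised phone number %q", rawPhone)
	}
	return GuestRow{ID: id, PhoneCiphertext: "<aes-gcm ciphertext>", PhoneIndex: BlindIndex(indexKey, "guest.phone", norm)}, nil
}

// FindGuestByPhone runs an operator-typed query through the same normalize-and-index
// path and compares fingerprints in constant time; only the fingerprint is matched
// against stored rows.
func FindGuestByPhone(indexKey []byte, rows []GuestRow, query string) (string, bool) {
	norm, ok := NormalizePhone(query)
	if !ok {
		return "", false
	}
	want := BlindIndex(indexKey, "guest.phone", norm)
	for _, r := range rows {
		if hmac.Equal([]byte(r.PhoneIndex), []byte(want)) {
			return r.ID, true
		}
	}
	return "", false
}

func main() {
	indexKey := []byte("constructed-demo-index-key-not-for-production") // real key: from KMS
	var rows []GuestRow
	for i, p := range []string{"(702) 465-0707", "702.555.0199", "+1 702 555 0123"} { // constructed numbers
		row, err := StoreGuest(indexKey, fmt.Sprintf("guest-%d", i+1), p)
		if err != nil {
			panic(err)
		}
		rows = append(rows, row)
	}
	fmt.Println("stored index for guest-1:", rows[0].PhoneIndex)
	id, found := FindGuestByPhone(indexKey, rows, "+1 (702) 465-0707")
	fmt.Println("lookup by differently formatted input:", id, found)
}
```

Two properties of this design are worth keeping in view. The index is deterministic by necessity (equal inputs must give equal fingerprints for lookup to work), so the database can see which rows share a phone number even though it cannot read any of them. And the HMAC key must be guarded as carefully as the data key: without it the fingerprint cannot be computed, but whoever holds it can test candidate values against the index.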
Per-venue data isolation
Every venue gets its own database. There is no shared data layer, no cross-tenant queries, no multi-tenant collection mixing. A breach in one venue's data cannot cascade to another. Each venue's data is a separate, isolated world.
Zero standing access
There are no admin accounts, no SSH keys, no database user accounts for developers. The database sits in a private network with no public endpoint — neither MongoDB Compass nor any other admin tool can reach it. Production data access requires authenticated Cognito sessions with role-based permissions.
In a worst-case scenario — full database access by an attacker — your most sensitive data remains encrypted and unreadable. The only way to decrypt it requires a separate, audited, hardware-protected key vault that logs every single access attempt.
Compliance

Built for regulated environments

phosphorOS operates in casino-adjacent environments where security isn't optional — it's a condition of doing business.

Nevada Gaming Control Board
Systems on casino premises must meet NGCB Technical Standards. phosphorOS satisfies requirements for encrypted communications (TLS 1.2+), access controls (per-venue RBAC), audit trails (CloudTrail + API access logs), and data integrity (authenticated encryption with tamper detection).
PCI DSS
phosphorOS never stores, processes, or transmits credit card data. Payments are fully delegated to Stripe, a PCI DSS Level 1 certified processor. Stripe API keys and webhook secrets are AES-256 encrypted at rest. The platform qualifies for SAQ-A attestation.
CCPA & Nevada SB 220
Guest and staff personal information is protected with field-level encryption that exceeds the "reasonable security procedures" standard required by California and Nevada privacy law. The data classification matrix tracks every PII field and its encryption status across every module.
SOC 2 Type II ready
The architecture satisfies the technical requirements across all five SOC 2 Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. From AES-256 encryption to multi-AZ database replication to immutable audit logs — the controls are already in place.
Audit & Transparency

Every access is logged. Every action is traced.

When auditors or regulators ask "who accessed what, when, and why" — phosphorOS has the answer.

Complete API audit trail
Every API request is logged with the authenticated user, endpoint, timestamp, and response code. CloudTrail records every AWS resource access. KMS logs every time the encryption key is used. These logs are immutable and retained for a minimum of one year.
What's never logged
Plaintext values of encrypted fields never appear in logs, error reports, or database backups. Encryption keys never leave hardware security modules or Lambda process memory. There are no passwords to log because none exist. The system is designed so sensitive data can't leak through operational channels.
Anomaly detection
Security alarms trigger on unusual patterns: encryption key access from an unexpected identity, API error rate spikes, Secrets Manager access from unfamiliar IP addresses, or brute-force sign-in attempts. Your security team gets alerted before an incident becomes a breach.
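Three of the patterns listed above, as an added detection example written for this page (not phosphorOS code, and not its alarm configuration): the rules run over newline-delimited CloudTrail events and flag data-key use by an identity outside an allow-list, Secrets Manager reads from an address outside the trusted set, and repeated failed calls from one address. The JSON keys are CloudTrail's own field names; the account id, role names, addresses, thresholds and the events themselves are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event carries the CloudTrail fields these rules read (the JSON keys are CloudTrail's
// own; the records in SampleEvents are constructed for this example).
type Event struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
}

// Policy states what "expected" means for one deployment: ARN prefixes allowed to use the
// data key, addresses allowed to read secrets, and how many failures from one address alarm.
type Policy struct {
	KMSPrincipalPrefixes []string
	TrustedIPs           map[string]bool
	FailureThreshold     int
}

type Alert struct {
	Rule   string
	Detail string
}

func (p Policy) kmsAllowed(arn string) bool {
	for _, pre := range p.KMSPrincipalPrefixes {
		if strings.HasPrefix(arn, pre) {
			return true
		}
	}
	return false
}

// Detect applies the three rules to newline-delimited events. The identity and address
// rules fire per offending event; the failure rule fires once, when the threshold is reached.
func Detect(ndjson string, p Policy) ([]Alert, error) {
	var alerts []Alert
	failures := map[string]int{}
	for n, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		switch e.EventSource {
		case "kms.amazonaws.com":
			if !p.kmsAllowed(e.UserIdentity.ARN) {
				alerts = append(alerts, Alert{"kms-unexpected-identity", fmt.Sprintf("%s by %s from %s at %s", e.EventName, e.UserIdentity.ARN, e.SourceIP, e.EventTime)})
			}
		case "secretsmanager.amazonaws.com":
			if e.EventName == "GetSecretValue" && !p.TrustedIPs[e.SourceIP] {
				alerts = append(alerts, Alert{"secrets-unfamiliar-ip", fmt.Sprintf("GetSecretValue from %s by %s at %s", e.SourceIP, e.UserIdentity.ARN, e.EventTime)})
			}
		}
		if e.ErrorCode != "" {
			failures[e.SourceIP]++
			if failures[e.SourceIP] == p.FailureThreshold {
				alerts = append(alerts, Alert{"repeated-failures", fmt.Sprintf("%d failed calls from %s, latest %s %s at %s", p.FailureThreshold, e.SourceIP, e.EventName, e.ErrorCode, e.EventTime)})
			}
		}
	}
	return alerts, nil
}

// DefaultPolicy describes a constructed deployment: only the API's Lambda role may use
// the key, and secrets are read only from the VPC addresses the functions use.
func DefaultPolicy() Policy {
	return Policy{
		KMSPrincipalPrefixes: []string{"arn:aws:sts::123456789012:assumed-role/phosphoros-api-role/"},
		TrustedIPs:           map[string]bool{"10.0.1.15": true, "10.0.1.16": true},
		FailureThreshold:     3,
	}
}

// SampleEvents are constructed records: fake account id, role names and documentation IP ranges.
const SampleEvents = `
{"eventTime":"2026-01-10T02:14:05Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"10.0.1.15","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/phosphoros-api-role/handler"}}
{"eventTime":"2026-01-10T02:15:11Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-laptop"}}
{"eventTime":"2026-01-10T02:16:40Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"10.0.1.16","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/phosphoros-api-role/handler"}}
{"eventTime":"2026-01-10T02:17:02Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-laptop"}}
{"eventTime":"2026-01-10T02:18:00Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-laptop"}}
{"eventTime":"2026-01-10T02:18:04Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-laptop"}}
{"eventTime":"2026-01-10T02:18:09Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","errorCode":"AccessDenied","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor-laptop"}}
`

func main() {
	alerts, _ := Detect(SampleEvents, DefaultPolicy())
	for _, a := range alerts {
		fmt.Println(a.Rule+":", a.Detail)
	}
}
```

On the sample input this yields three alerts: the key use by the IAM user, the secret read from the outside address, and the third consecutive failed call from that same address. The identity rule matches on a role-ARN prefix rather than the full session ARN because the session name changes on every Lambda invocation.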
Simplified compliance audits
The data classification matrix documents every field, its sensitivity level, and its encryption status across every module. During vendor evaluations or compliance audits, this matrix — combined with the immutable audit trail — provides the evidence auditors need without weeks of document gathering.
What's Protected Today

Encrypted from day one — expanding every quarter

phosphorOS follows a phased encryption roadmap. Critical credentials and secrets were encrypted before the first line of business logic was written. PII and financial data follow on a published quarterly schedule.

Credentials & secrets (complete)
Stripe API keys, webhook signing secrets, email provider keys, third-party integration credentials, vendor tax IDs, API key hashes, and webhook secrets are all AES-256-GCM encrypted today. These are the keys to your kingdom — and they were the first things we locked down.
Banking & payroll data (complete)
Staff Social Security numbers (last four), bank routing numbers, and bank account numbers are encrypted with no searchable index — maximum protection for the most sensitive employee data. These fields cannot be queried, exported, or viewed without decryption.
Guest & staff PII (Q2 2026)
Guest phone numbers, email addresses, and Instagram handles. Staff phone, email, emergency contacts, addresses, and dates of birth. All with blind indexes where search is needed, so your team can still look up a guest by phone without exposing plaintext to the database.
Financial & business data (Q3–Q4 2026)
Pay stubs, contractor payments, commission amounts, contract values, venue rental pricing, and brand promotion budgets. The same one-line field change that encrypted credentials extends to any field in any module — no API changes, no handler rewrites, no downtime.
phosphorOS protects your venue's data the way a casino vault protects chips — multiple layers of security, each independent of the others, so no single failure exposes everything.
Learn More

Detailed security documentation available on request.

We publish a comprehensive security architecture document covering encryption specifications, key management procedures, network architecture, incident response plans, and full compliance mapping for NGCB, PCI DSS, CCPA, and SOC 2. Available under NDA for venue operators and their security teams.

Request Security Documentation