This document outlines some of the key data security aspects of the Turtl platform.

Data at rest

Data is stored in secure, redundant, highly available databases on the Amazon Web Services platform and is encrypted using AES-256.

Data in transit

All core application components reside within a single Amazon Web Services VPC, where Amazon’s internal network controls eliminate the possibility of packet sniffing.

All data transferred between the client and server over the public internet is encrypted with 256-bit SSL / TLS v1.2 and above. In addition, core components are only addressable from within our private network.

Multi-tenancy

Turtl is a multi-tenant system with each customer’s information stored in separate databases. Controls are in place within the application to prevent any cross-contamination or leakage of data.

Physical media decommissioning

All data is stored by Amazon and the Amazon Web Services decommissioning process applies. More information is available here.

Data backup

Data is distributed across our database cluster to provide redundancy and availability. Customer data is backed up to a secure Amazon Web Services S3 bucket of the customer’s choosing at a pre-agreed frequency. System-level backups are retained as follows:

  • Bihourly backups for one day
  • Daily backups for one week
  • Weekly backups for one month
  • Monthly backups for one year
  • Yearly backups for three years

Removable media, desktops and laptops

No customer data is ever stored on removable media, desktops or laptops. All employee workstations and removable media devices are encrypted.