# Data Protection

### Device and User Identity

When users install the client locally, StrongDM generates and records a forgery-resistant fingerprint of the device. Each client and proxy instance has a unique cryptographic identity, distributed via the StrongDM API. Any attempt to access the session from another device terminates all connections and forces re-authentication.

### Protection of Data in Transit

#### Encrypted connections to the Admin UI

The Admin UI supports TLS 1.2 and TLS 1.3 connections. All traffic to `app.strongdm.com` that is not secured by a supported protocol is rejected. In practice this only happens when a very old, [unsupported browser version](https://docs.strongdm.com/admin/) is used.
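A quick way to confirm the stated policy from your own network is to pin a handshake to each TLS version in turn and see which ones the endpoint completes. The script below is an added example, not StrongDM's code; it takes the host name and the "TLS 1.2 and 1.3 only" policy from this page, and everything else (the probe approach, the `@SECLEVEL=0` relaxation so that legacy versions can be offered at all) is an assumption of the example. The same check applies to any gateway endpoint you expose.

```python
# Added example (not StrongDM's code): probe which TLS versions a host
# negotiates and compare the result with the policy stated on this page.
import socket
import ssl

ADMIN_UI_HOST = "app.strongdm.com"
ALLOWED = {"TLSv1.2", "TLSv1.3"}  # what the page says the Admin UI supports

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiates(host, version, port=443, timeout=5.0):
    """Return True if a handshake pinned to exactly `version` completes."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Recent OpenSSL builds refuse TLS 1.0/1.1 locally at the default
        # security level; relax it so a failure reflects the server's policy.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        # SSLError: server declined; OSError: network problem; ValueError:
        # the local TLS library cannot even offer this version.
        return False


def probe(host):
    """Map each TLS version name to whether `host` negotiated it."""
    return {name: negotiates(host, ver) for name, ver in VERSIONS.items()}


def policy_violations(results):
    """Pure check over probe results: versions accepted that the policy
    disallows, plus allowed versions the server refused."""
    extra = sorted(v for v, ok in results.items() if ok and v not in ALLOWED)
    missing = sorted(v for v in ALLOWED if not results.get(v, False))
    return [f"accepts {v}" for v in extra] + [f"refuses {v}" for v in missing]


if __name__ == "__main__":
    findings = policy_violations(probe(ADMIN_UI_HOST))
    print("policy violations:", findings or "none")
```

An empty findings list means the endpoint negotiated exactly TLS 1.2 and 1.3 from the probing client; a `refuses` entry can also mean the client's own TLS library lacks that version.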

#### Encrypted connections between clients and nodes

Once a user authenticates and initiates a valid session using the client, a mutually verified TLS 1.2 connection is established between the client and one or several gateways to ensure the confidentiality and integrity of the connection.

In addition, the gateway or relay that is interacting directly with the resource uses the resource's native encryption method, such as TLS/SSL.

All traffic between the client and the destination is multiplexed via the encrypted connection regardless of the encryption status or capabilities of the underlying protocol.

#### API security

All StrongDM API traffic conforms to modern practices for preventing request interception, modification, or replay. Each call is signed using device and session keys unique to the caller’s installation and most recent authentication.

### Protection of Data at Rest

StrongDM operates primarily in Amazon Web Services (AWS), and we use a number of AWS native encryption methods for protecting data at rest within the configured services.

### Access to Customer Data

We use strict role-based access controls to ensure that only a limited and authorized number of people have the ability to access customer data.

Strict environmental segmentation and StrongDM's Data Protection Policies prohibit customer data from ever being used in development, testing, or QA environments.

### Minimization of Collected Data

The customer data StrongDM collects is limited to what is necessary to develop, support, and improve the software.

#### Collection of Personally Identifiable Information

StrongDM only collects Personally Identifiable Information that is strictly necessary to deliver Platform capabilities to our Customers.

| Data Element           | Usage               |
| ---------------------- | ------------------- |
| First and Last Name    | User Identification |
| Business Email Address | User Identification |
| IP Address             | Audit Logging       |

