End-of-day point-of-sale (POS) data is downloaded from wholesale/retail partner systems and saved onpremises. Baffle DPS data ingestion layer uses the encryption key held on-premises with Format-Preserving Encryption (FPE) mechanism to tokenize, anonymize, and map data flow for both structured and unstructured data, when additional protection is needed, before the data is sent to AWS. Customer’s choice of dedicated connection (AWS Direct Connect) or AWS Site-to-Site VPN for security of the data while it’s in transit. Encrypted data arrives to AWS and is stored without the encryption key, in either structured or unstructured format. Encrypted data can be queried in AWS with various services but the data will remain encrypted. Baffle DPS data consumption layer uses the decryption key held onpremises to decrypt, de-tokenize, and map data flow back to its clear-text form before it is used by the onpremises applications or users. Clear-text data is used for business intelligence or by downstream applications.
