Altium 365 Security Architecture
The Altium 365 cloud platform is built securely from the ground up. This page
provides details about our security architecture and the steps we take to secure your data.
It is not an exhaustive breakdown of our security architecture design but is intended to help you
understand what we are doing to keep your data safe. Some aspects of cybersecurity strategy,
security protocols, procedures, and implementation are intentionally not included here.
Security-Driven Development
Development of the Altium 365 platform, its features, and the functionality it delivers is carried out with user security in mind. We verify security every time we add new features. This includes extensive security architecture reviews, dependency scanning, code reviews, and dynamic application security testing to ensure any security vulnerabilities are identified and avoided from the outset. We also use independent third-party testing to make sure there are no holes in Altium 365’s security.
Reliable Data Protection
Amazon Web Services (AWS) forms the backbone of physical security and reliability for Altium 365. We store customer data across AWS resources exclusively and use Relational Database Service (RDS) specifically for our database needs. For standard binary data storage, we use AWS S3, while FSx is employed for scenarios requiring high-performance binary storage. Dedicated Elasticsearch clusters are used to provide high-performance search capabilities.
Data at rest within Altium 365 is encrypted using AWS Key Management Service (KMS) keys. These keys use hardware security modules validated under FIPS 140-2, a U.S. government computer security standard used to approve cryptographic modules. The usage of these encryption keys is logged and monitored. The logs are then sent to our Security Information and Event Management (SIEM) system, allowing us to track when the encryption keys are used.
Access to Altium 365 infrastructure that hosts customer data is limited to authorized personnel based on the principle of least privilege. All access is logged, auditable, and continuously monitored by Altium’s dedicated security team.
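As an added illustration (not Altium's code or configuration) of the kind of review that key-usage logging makes possible: AWS records KMS API calls in CloudTrail, and the sketch below counts calls per key and principal and flags denied calls, key-administration calls, and use by principals outside an expected set. The account ID, key ARN, role and user names, allowlist, and log records are all constructed assumptions.

```python
import json
from collections import Counter
ACCT = "111122223333"                                        # placeholder account ID
KEY = f"arn:aws:kms:us-east-1:{ACCT}:key/EXAMPLE-KEY-ID"     # placeholder key ARN
APP_ROLE = f"arn:aws:iam::{ACCT}:role/app-storage"           # hypothetical role
ALLOWED = {APP_ROLE}            # assumption: principals expected to use the key
CRYPTO_OPS = {"Encrypt", "Decrypt", "GenerateDataKey"}
KEY_ADMIN_OPS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "CreateGrant"}

def sample(time, op, role=None, user=None, error=None, source="kms.amazonaws.com"):
    """Build one constructed CloudTrail-style record as a JSON line."""
    ident = {"arn": f"arn:aws:iam::{ACCT}:user/{user}"} if user else {
        "arn": f"arn:aws:sts::{ACCT}:assumed-role/{role}/session-1",
        "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/{role}"}}}
    rec = {"eventTime": time, "eventSource": source, "eventName": op,
           "userIdentity": ident, "resources": [{"ARN": KEY, "type": "AWS::KMS::Key"}]}
    return json.dumps({**rec, **({"errorCode": error} if error else {})})

SAMPLE_LOG = [  # constructed records, not real logs
    sample("2024-01-01T10:00:00Z", "Decrypt", role="app-storage"),
    sample("2024-01-01T10:00:05Z", "GenerateDataKey", role="app-storage"),
    sample("2024-01-01T10:02:00Z", "Decrypt", user="analyst"),
    sample("2024-01-01T10:03:00Z", "Decrypt", role="ci", error="AccessDenied"),
    sample("2024-01-01T10:04:00Z", "ScheduleKeyDeletion", role="admin"),
    sample("2024-01-01T10:05:00Z", "GetObject", role="app-storage", source="s3.amazonaws.com"),
]

def principal(rec):
    """Use the role behind an assumed-role session so session names do not matter."""
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")

def review_kms_events(lines, allowed=ALLOWED):
    """Return (call counts per key/principal/operation, alerts worth a look)."""
    usage, alerts = Counter(), []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue                      # not a KMS API call
        who, op = principal(rec), rec["eventName"]
        usage.update((r["ARN"], who, op) for r in rec.get("resources", [])
                     if r.get("type") == "AWS::KMS::Key")
        reason = ("denied" if rec.get("errorCode") else
                  "key-admin" if op in KEY_ADMIN_OPS else
                  "unexpected-principal" if op in CRYPTO_OPS and who not in allowed else None)
        if reason:
            alerts.append((rec["eventTime"], reason, who, op))
    return usage, alerts
```

Denied calls still appear in the usage counts, so the totals reflect attempts rather than successful operations.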
Secure Communication
We only permit communication between Altium 365 clients (such as a web browser, Altium Designer, or a mobile application) and the Altium 365 cloud platform through secure, trusted connections using the HTTPS protocol, a standard approach to secure World Wide Web communications, over standard ports.
Authentication and Identity Management
Altium 365 requires users to authenticate before they can make requests to services that handle sensitive customer data. The system controls authentication through an identity service that requires a username and password and creates time-limited sessions as part of the authentication process. Sensitive login information such as passwords is encrypted during transmission and at rest.
In addition to native authentication, Altium 365 supports Single Sign-on using the SAML 2.0 protocol. This allows customers to enhance identity management with modern identity providers (IdPs) (OneLogin, Okta, Microsoft Azure AD, Google Identity, etc.). Beyond authentication, extended support for the SCIM protocol enables centralized user and group provisioning and de-provisioning. Depending on the IdP, you can opt for enhanced protection with multi-factor authentication (MFA).
Distribution and Control
All regions are protected from the wider internet by being hidden behind a web application firewall (WAF) and an application load balancer (ALB), a standard off-the-shelf AWS component. This serves two primary purposes: first, to spread incoming “client” (web browser or Altium Designer) requests evenly across the collection of Elastic Compute Cloud (EC2) instances; second, to act as a firewall between the wider internet and what is effectively a tightly controlled internal network. Requests to service endpoints must come through the load balancer. Connectivity for tasks such as server administration is restricted to internal staff and resources on the internal Altium Corporate network.
EC2 Virtual Servers
The Altium 365 cloud platform is hosted on the Amazon Web Services (AWS) infrastructure. It leverages redundant compute resources with multi-availability zone storage services spread across four independent regions. Each region consists of a collection of virtual servers, Elastic Compute Cloud (EC2) instances, which host the Altium 365 application services. These servers do not store customer-specific data. They store only application code and the associated metadata required to perform some actions on customer data (such as creating a new project or component).
Single-Tenancy and Multi-Tenancy Architecture
Altium 365 operates on a multi‑tenancy architecture in which each tenant—currently aligned with the concept of a workspace—receives its own isolated database schema. This model provides strong data separation while leveraging shared cloud infrastructure for efficiency and scale. For organizations requiring deeper isolation, customization, and operational control, Altium offers a Single Tenant Environment (STE): a dedicated instance of the application and its supporting infrastructure. STE delivers high data isolation, predictable performance, and tenant‑specific configuration options, combining the convenience of a hosted service with the control traditionally associated with on‑premises deployments.
Vulnerability Scanning
Production deployments for Altium 365 are subject to vulnerability scanning as part of the release process. Findings are tracked through remediation or documented risk acceptance in accordance with Altium’s Vulnerability Management policy and defined remediation timelines.
Third-party Testing
We annually collaborate with external third parties for penetration testing to ensure we maintain the highest level of security against ever-evolving threats. The development team reviews all feedback from penetration testing and implements necessary updates to our application services and infrastructure. We’re open to sharing the latest executive summary of our penetration test report with interested parties, provided a Mutual Non-Disclosure Agreement (MNDA) is in place.