Altium 365 Security Architecture

Security is the foundation of trust, and our customers rely on Altium 365 to protect their most valuable assets: their data, designs, and intellectual property. Security is built into every layer of the platform, from early architecture and development through deployment and ongoing operations. Our approach is meticulous, proactive, and continuously evolving, creating a secure and resilient environment for collaborative electronics development.

Security-Driven Development

We’ve developed the Altium 365 platform, its features, and functionalities with user security in mind. At every stage of development, we rigorously verify the security measures in place. This includes extensive architectural reviews, dependency scanning, code reviews, and dynamic application security testing. Our objective is to proactively identify, address, and prevent any potential security vulnerabilities right from the start. Additionally, we employ independent third-party testing to ensure that our security framework is robust.

Reliable Data Protection

Amazon Web Services (AWS) forms the backbone of physical security and reliability for Altium 365. We store customer data across AWS resources exclusively and use Relational Database Service (RDS) specifically for our database needs. For standard binary data storage, we use AWS S3, while FSx is employed for scenarios requiring high-performance binary storage. Dedicated Elasticsearch clusters are used to provide high-performance search capabilities.

Data at rest within Altium 365 is encrypted using AWS Key Management Service (KMS) keys. These keys use hardware security modules validated under FIPS 140-2 standards, a U.S. government computer security standard used to approve cryptographic modules. The usage of these encryption keys is logged and monitored. The logs are then sent to our Security Information and Event Management (SIEM) system, allowing us to track when the encryption keys are used.

Access to Altium 365 infrastructure that hosts customer data is limited to authorized personnel based on the principle of least privilege. All access is logged, auditable, and continuously monitored by Altium’s dedicated security team.

Secure Communication

Communication between Altium 365 clients, such as a web browser, Altium Designer, or a mobile application, and the Altium 365 cloud platform is only permitted through secure, trusted connections using the HTTPS protocol, a standard approach to securing internet communications over standard ports.

Authentication and Identity Management

To access Altium 365 services that manage sensitive customer data, users must undergo an authentication process for every request. This authentication isn't limited to traditional username and password inputs; it also integrates with Single Sign-On (SSO) systems or Identity Providers (IdPs) like Google and Facebook. These systems may use various credentials, including hardware keys, smart cards, or biometric data like fingerprints, which we do not directly control. Regardless of the method, all sessions are time-limited for security, and any sensitive login information is securely encrypted during transmission.

Altium 365 supports SSO using the SAML 2.0 protocol. This feature integrates with most modern IdPs, including OneLogin, Okta, Microsoft Azure AD, and Google Identity. Extended support for the SCIM protocol enables centralized provisioning and de-provisioning of users and groups. Depending on the IdP, you can opt for enhanced protection with multi-factor authentication (MFA).

Distribution and Control

All regions are protected from the wider internet by being hidden behind a web application firewall (WAF) and an application load balancer (ALB), a standard AWS off-the-shelf resource component. This serves two primary purposes: first, to spread incoming “client” (web browser or Altium Designer) requests evenly across the collection of Elastic Compute Cloud (EC2) instances; second, to act as a firewall between the wider internet and what is effectively a tightly controlled internal network. Requests to service endpoints must come through the load balancer. Connectivity for tasks such as server administration is restricted to internal staff and resources on the internal Altium Corporate network.

Single-Tenancy and Multi-Tenancy Architecture

Altium 365 operates on a multi‑tenancy architecture in which each tenant—currently aligned with the concept of a workspace—receives its own isolated database schema. This model provides strong data separation while leveraging shared cloud infrastructure for efficiency and scale. For organizations requiring deeper isolation, customization, and operational control, Altium offers a Single Tenant Environment (STE): a dedicated instance of the application and its supporting infrastructure. STE delivers high data isolation, predictable performance, and tenant‑specific configuration options, combining the convenience of a hosted service with the control traditionally associated with on‑premises deployments.

Vulnerability Scanning

Production deployments for Altium 365 are subject to vulnerability scanning as part of the release process. Findings are tracked through remediation or documented risk acceptance in accordance with Altium’s Vulnerability Management policy and defined remediation timelines.

Third-party Testing

We annually collaborate with external third parties for penetration testing to ensure we maintain the highest level of security against ever-evolving threats. The development team reviews all feedback from penetration testing and implements necessary updates to our application services and infrastructure. We’re open to sharing the latest executive summary of our penetration test report with interested parties, provided a Mutual Non-Disclosure Agreement (MNDA) is in place.