End-to-end TLS 1.3 shipped April 2026 · Limited Availability · Pilot

FDE On-Prem. Real-time fraud decisioning that runs entirely inside your bank.

Your data stays on your infrastructure. Your PKI stays under your control. Your auditors get evidence, not promises.

Docker Compose · Ansible / bare-metal · Optional mTLS

Two install paths, one codebase

Pick the one that fits your bank's infrastructure team. Same decisioning engine, same dashboard, same audit evidence — different runtime.

Docker Compose

Single-host deployment. 5-service stack: engine, dashboard, PostgreSQL, Redis, nginx. Fastest way for bank infra teams to stand up a full evaluation environment.

  1. Drop the release tarball onto the host
  2. Pick the plain (HTTP) or tls (TLS 1.3 + mTLS) compose overlay
  3. Run gen-certs.sh for Mode A, or drop a bank-signed bundle for Mode B
  4. docker compose up -d, and the stack is live
Best for: banks evaluating, mid-market, single-host labs. Requires: Docker Engine 24+.

Ansible / bare-metal

No Docker required. 7 Ansible roles deploy engine, dashboard, PostgreSQL, Redis, nginx, pgbouncer, plus shared TLS role. Validated on a 2-VM topology (app VM + dedicated PG VM).

  1. Define your inventory (app host + PG host)
  2. Set fde_tls_internal: true for full-mesh mTLS
  3. Mode A: Ansible generates the CA. Mode B: drop the bank bundle into fde_tls_source_dir
  4. ansible-playbook -i inventory.ini site.yml
Best for: tier-1 banks, RHEL shops, zero-trust. Requires: Ansible 2.14+ with Python 3.11.
RHEL / Rocky Linux 8/9 TLS caveat (current release): Redis TLS is deferred, engine and dashboard must be co-located on the same VM, and the cert chain is 7 leaves (not 9). The full 9-leaf TLS posture is available on Ubuntu 22.04 and Debian 12.

Architecture topology

The Ansible 2-VM reference layout. Every internal hop carries TLS 1.3 when fde_tls_internal: true.

Figure: FDE on-prem 2-VM topology — App VM (nginx, uvicorn workers, dashboard, Redis) connected to a dedicated PostgreSQL VM over TLS 1.3 on the LAN. Ansible bare-metal 2-VM topology, validated in the RTD internal reference lab. The Compose path collapses this to a single host with co-located PostgreSQL.
Honest fact

nginx is not optional in multi-worker mode. Without it, HTTP keep-alive pins each client's TCP connection to a single uvicorn worker, so load never spreads across workers and throughput collapses. Auto-installed by the fde-nginx role.

Honest fact

pgbouncer is disabled by default. Benchmarks showed it added 5–20 ms with no throughput benefit because FDE workers maintain warm long-lived asyncpg pools. Enable only at >8 app-tier nodes.

Honest fact

pgbouncer + fde_tls_internal: true is incompatible in v1 — the Ansible role fails that combination intentionally. pgbouncer + TLS is on the roadmap.

Validated banking-tenant performance

Pre-configured banking fraud detection templates (full chain enabled), RTD internal lab, Intel Xeon E3-1245 v5. Lab measurements only — not a performance guarantee. Your hardware, network, tenant config, and rule mix will affect results.

Conservative floor · 2-VM (separate PG)
Ansible bare-metal, two 4 vCPU / 4 GB VMs, plain HTTP
Headline: 57 RPS · P50 343 ms · P99 577 ms · 0 errors @ c=20 (30 s)

  Load             Throughput   Latency
  c=1              14.3 RPS     56 ms
  c=5              41.7 RPS     97 ms
  c=10             51.5 RPS     173 ms
  c=20 (30 s)      57 RPS       343 ms (P50)
  60 s sustained   55 RPS       364 ms

Lab ceiling · single-host (co-located PG)
Compose, single 8 vCPU host, TLS 1.3 + full-mesh mTLS
Headline: 75 RPS · P50 260 ms · P99 525 ms · 0 errors @ c=20 (30 s)

  Load             Throughput   Latency
  c=20 (30 s)      75 RPS       260 ms (P50)
  60 s sustained   73 RPS       262 ms

  P50 delta vs 2-VM   -83 ms (co-located PG)
  TLS overhead        <1% (AES-NI + reuse)
Banking tenant throughput chart — RPS at concurrency 1, 5, 10, 20 for Ansible 2-VM floor and Compose single-host ceiling, zero errors across all levels
Zero-loss invariant

~23,000 banking evaluate requests across both topologies, zero errors (~13,500 Docker Compose TLS + ~10,000 Ansible 2-VM).

Ecommerce baseline (reference)

Same 2-VM lab, ecommerce tenant, plain HTTP: 70.4 RPS, P50 281 ms, P99 427 ms, 0 errors @ c=20. Represents a 3.5× improvement over the first-boot baseline on identical hardware with zero data loss — the headline banking numbers above build on this optimization.

Security & TLS posture

Setting fde_tls_internal: true gives you a zero-trust internal mesh: every internal hop is mutually authenticated over TLS 1.3, and the bank-client edge hop into nginx is server-authenticated TLS 1.3.

  Hop                    Protocol   Cert             Auth
  Bank client → nginx    TLS 1.3    Server (edge)    Server auth
  nginx ↔ engine         TLS 1.3    EC P-256 leaf    mTLS
  engine → PostgreSQL    TLS 1.3    EC P-256 leaf    mTLS, sslmode=verify-full
  engine → Redis         TLS 1.3    EC P-256 leaf    mTLS, rediss://
  dashboard → engine     TLS 1.3    EC P-256 leaf    mTLS

AEAD ciphers only (no CBC, no RC4). EC P-384 CA. 9 leaves on Debian/Ubuntu, 7 leaves on RHEL / Rocky Linux 8/9 (Redis TLS deferred in current release).
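What the engine → PostgreSQL row of that table means in client code, as an added example (this is not FDE's engine code, and the file paths are assumptions). It builds the ssl.SSLContext a Python client would hand to asyncpg's connect(ssl=...) to get the equivalent of libpq sslmode=verify-full plus mTLS and the posture above: TLS 1.3 only, AEAD suites only, CA-verified peer, hostname bound to the certificate, client certificate presented. weak_context() is the sslmode=require-equivalent that many applications ship with (encrypted but unauthenticated), and check_policy() is the audit that tells the two apart.

```python
"""Client TLS policy for the engine -> PostgreSQL hop (added example, not FDE code)."""
import os
import ssl


def weak_context() -> ssl.SSLContext:
    """sslmode=require equivalent: encrypts, but accepts any server certificate.

    An on-path attacker on the LAN can terminate this and read every query.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("HIGH:!aNULL:!MD5")   # leaves CBC suites enabled
    return ctx


def policy_context() -> ssl.SSLContext:
    """Posture from the table: TLS 1.3 only, AEAD only, verify-full semantics."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED   # peer cert must chain to the loaded CA
    ctx.check_hostname = True             # and its SAN must match the PG host name
    # TLS 1.3 suites are AEAD by definition; this list only matters if a peer
    # ever negotiates 1.2, and it still excludes every CBC and RC4 suite.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def verify_full_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Hardened context with identity loaded: the CA to trust and the engine's leaf."""
    ctx = policy_context()
    ctx.load_verify_locations(cafile=ca_file)                  # Mode A or bank CA (P-384)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # engine's P-256 leaf + key
    return ctx


def check_policy(ctx: ssl.SSLContext) -> list:
    """Return findings where ctx falls short of the posture table; [] means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("min_version: pre-1.3 TLS allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: peer cert not required (require, not verify-full)")
    if not ctx.check_hostname:
        findings.append("check_hostname: disabled, cert not bound to the PG host name")
    non_aead = [c["name"] for c in ctx.get_ciphers() if not c["aead"]]
    if non_aead:
        findings.append("ciphers: non-AEAD suites enabled: " + ", ".join(non_aead[:3]))
    return findings


if __name__ == "__main__":
    # Assumed paths; adjust to where the fde tls role (or your bank) drops the bundle.
    paths = ("/etc/fde/tls/ca.pem", "/etc/fde/tls/engine.pem", "/etc/fde/tls/engine.key")
    print("weak  :", check_policy(weak_context()))
    print("policy:", check_policy(policy_context()))
    if all(os.path.exists(p) for p in paths):
        ctx = verify_full_context(*paths)
        print("loaded:", check_policy(ctx))
        # asyncpg.connect(host="pg.bank.internal", ssl=ctx, ...) would use it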

Two PKI modes

Mode A: Ansible generates the CA and the leaves. Mode B: the bank supplies a signed bundle, which Ansible validates and then distributes. Use Mode A for a fast PoC. Use Mode B (bring-your-own bank PKI, called Customer CA mode in the technical docs) for production banks that must keep the PKI root under bank control.

Audit evidence auditors can paste into their tooling

PostgreSQL emits a tls_connection event per connection with version, cipher, and verified status. Redis emits tls_handshake_verified at startup and on every reconnect (redis-py does not expose per-socket SSL metadata, so cipher/version are recorded as unknown for Redis).

# Count verified TLS 1.3 PostgreSQL connections in the log
# (-c emits one record per line so wc -l counts records; filter on .ts to scope a window)
jq -c 'select(.event=="tls_connection" and .tls_version=="TLSv1.3" and .verified==true)' \
  /var/log/fde/audit.ndjson | wc -l

# Any failed TLS verifications? (one JSON object per failure)
jq -c 'select(.event=="tls_connection" and .verified==false) | {ts, peer, reason}' \
  /var/log/fde/audit.ndjson

Queries map directly to FFIEC CAT, MAS TRM §10, and BNM RMiT §11 audit asks.
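The same evidence pulled with plain Python, as an added example that is not part of the FDE Audit Pack. It adds what the jq one-liners leave out: a time window, tolerance for non-JSON lines mixed into the file, a cipher breakdown, and separate handling of the Redis tls_handshake_verified events whose cipher and version are recorded as unknown. The sample lines are constructed; the service and cipher fields and the ISO-8601 UTC timestamp format are assumptions, since the page only shows event, ts, peer, reason, tls_version and verified.

```python
"""Summarise FDE TLS audit evidence from NDJSON (added example, not FDE tooling)."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not captured from a real deployment).
SAMPLE_NDJSON = """\
{"ts":"2026-04-02T08:00:01Z","event":"tls_connection","service":"postgresql","peer":"10.0.1.20:5432","tls_version":"TLSv1.3","cipher":"TLS_AES_256_GCM_SHA384","verified":true}
{"ts":"2026-04-02T08:00:02Z","event":"tls_connection","service":"postgresql","peer":"10.0.1.20:5432","tls_version":"TLSv1.3","cipher":"TLS_CHACHA20_POLY1305_SHA256","verified":true}
{"ts":"2026-04-02T07:00:00Z","event":"tls_connection","service":"postgresql","peer":"10.0.1.20:5432","tls_version":"TLSv1.2","cipher":"ECDHE-ECDSA-AES256-GCM-SHA384","verified":true}
{"ts":"2026-04-02T09:15:00Z","event":"tls_connection","service":"postgresql","peer":"10.0.1.20:5432","tls_version":"TLSv1.3","cipher":"TLS_AES_256_GCM_SHA384","verified":false,"reason":"hostname mismatch"}
{"ts":"2026-04-02T08:00:03Z","event":"tls_handshake_verified","service":"redis","peer":"10.0.1.10:6379","tls_version":"unknown","cipher":"unknown","verified":true}
{"ts":"2026-03-30T08:00:00Z","event":"tls_connection","service":"postgresql","peer":"10.0.1.20:5432","tls_version":"TLSv1.3","cipher":"TLS_AES_256_GCM_SHA384","verified":true}
{"ts":"2026-04-02T10:00:00Z","event":"decision","tenant":"bank-a","score":12}
this line is not JSON
"""

NOW = datetime(2026, 4, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_ts(value: str) -> datetime:
    """ISO-8601 UTC with trailing Z (assumed format for the ts field)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def iter_records(text: str):
    """Yield one dict per line; malformed lines become a marker record, not a crash."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            yield {"event": "_unparseable", "raw": line}


def summarise(text: str, now: datetime, window: timedelta = timedelta(hours=24)) -> dict:
    """Count evidence inside [now - window, now]; failures are listed, not just counted."""
    since = now - window
    out = {"pg_tls13_verified": 0, "pg_non_tls13": 0, "failures": [],
           "redis_handshakes": 0, "ciphers": Counter(), "unparseable": 0}
    for rec in iter_records(text):
        if rec.get("event") == "_unparseable":
            out["unparseable"] += 1          # an auditor should see these, not lose them
            continue
        ts = rec.get("ts")
        if ts is None or parse_ts(ts) < since:
            continue                          # outside the evidence window
        event = rec.get("event")
        if event == "tls_connection":         # PostgreSQL, one record per connection
            if rec.get("verified") is not True:
                out["failures"].append({"ts": ts, "peer": rec.get("peer"),
                                        "reason": rec.get("reason")})
            elif rec.get("tls_version") == "TLSv1.3":
                out["pg_tls13_verified"] += 1
                out["ciphers"][rec.get("cipher", "unknown")] += 1
            else:
                out["pg_non_tls13"] += 1      # verified, but below the required version
        elif event == "tls_handshake_verified":  # Redis: startup and every reconnect;
            out["redis_handshakes"] += 1         # cipher/version are "unknown" by design
    return out


def posture_ok(summary: dict) -> bool:
    """True only if nothing failed verification and every PG connection was TLS 1.3."""
    return not summary["failures"] and summary["pg_non_tls13"] == 0


def demo() -> dict:
    return summarise(SAMPLE_NDJSON, NOW)


if __name__ == "__main__":
    s = demo()
    print(json.dumps(s, indent=2))
    print("posture ok:", posture_ok(s))
```

Run it against /var/log/fde/audit.ndjson by reading the file into summarise() with now=datetime.now(timezone.utc); the output is what you would attach to an evidence request, with the window stated rather than implied.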

The cert expiry monitor runs as a systemd timer (warns at 60 days, errors at 14 days). Rotation is operator-triggered and mode-specific: in Mode A, rerun ansible-playbook --tags common,tls-rotate; in Mode B, the bank reissues its bundle and the operator reruns --tags common,tls (--tags tls-rotate is explicitly not supported in Mode B). Services reload rather than restart where supported.
Free download

FDE TLS & Audit Pack

PDF posture summary, audit-query catalog (sample jq queries mapped to FFIEC CAT / MAS TRM §10 / BNM RMiT §11), and cert lifecycle runbook. Share it internally — no form gate, no lead capture.

Download (1 PDF + 2 MD)

Compliance posture

FDE ships with built-in rule-to-regulation mappings. We don't claim certification — we produce the evidence auditors use to certify your deployment.

  Singapore     MAS TRM     Technology Risk Management
  Philippines   BSP-1140    BSP Circular 1140
  Indonesia     OJK-POJK    12/POJK.03/2018
  Malaysia      BNM-RMIT    Bank Negara RMiT
  US            FFIEC       CAT

FDE supports requirements such as those listed above. Consult your own counsel for formal compliance mapping. Data residency is a deployment property — FDE runs inside your data-residency boundary; cross-region data movement is your choice and your network fabric.

Talk to us about an on-prem PoC

30-minute technical walkthrough with the team that built it. We'll cover topology, TLS posture, cert lifecycle, and what an evaluation deployment looks like in your environment.

Talk to Us