End-to-end TLS 1.3 shipped April 2026 Limited Availability · Pilot

FDE On-Prem. Real-time fraud decisioning that runs entirely inside your bank.

Your data stays on your infrastructure. Your PKI stays under your control. Your auditors get evidence, not promises.

Docker Compose Ansible / bare-metal Optional mTLS

Two install paths, one codebase

Pick the one that fits your bank's infrastructure team. Same decisioning engine, same dashboard, same audit evidence — different runtime.

Docker Compose

Single-host deployment. 5-service stack: engine, dashboard, PostgreSQL, Redis, nginx. Fastest way for bank infra teams to stand up a full evaluation environment.

  1. 1Drop the release tarball onto the host
  2. 2Pick plain (HTTP) or tls (TLS 1.3 + mTLS) compose overlay
  3. 3gen-certs.sh for Mode A, or drop a bank-signed bundle for Mode B
  4. 4docker compose up -d — live
Best for: banks evaluating, mid-market, single-host labs. Requires: Docker Engine 24+.

Ansible / bare-metal

No Docker required. 7 Ansible roles deploy engine, dashboard, PostgreSQL, Redis, nginx, pgbouncer, plus shared TLS role. Validated on a 2-VM topology (app VM + dedicated PG VM).

  1. 1Define your inventory (app host + PG host)
  2. 2Set fde_tls_internal: true for full-mesh mTLS
  3. 3Mode A: Ansible generates CA. Mode B: drop bank bundle into fde_tls_source_dir
  4. 4ansible-playbook -i inventory.ini site.yml
Best for: tier-1 banks, RHEL shops, zero-trust. Requires: Ansible 2.14+ with Python 3.11.
RHEL / Rocky Linux 8/9 TLS caveat (current release). Redis TLS is deferred, engine + dashboard must be co-located on the same VM, and the cert chain is 7 leaves (not 9). Full 9-leaf TLS posture is available on Ubuntu 22.04 + Debian 12.

Architecture topology

The Ansible 2-VM reference layout. Every internal hop carries TLS 1.3 when fde_tls_internal: true.

FDE on-prem 2-VM topology — App VM (nginx, uvicorn workers, dashboard, Redis) connected to dedicated PostgreSQL VM over TLS 1.3 LAN
Ansible bare-metal 2-VM topology — validated in the RTD internal reference lab. The Compose path collapses this to a single host with co-located PostgreSQL.
Honest fact

nginx is not optional in multi-worker mode. Without it, HTTP keep-alive pins TCP connections to single uvicorn workers and throughput collapses. Auto-installed by the fde-nginx role.

Honest fact

pgbouncer is disabled by default. Benchmarks showed it added 5–20 ms with no throughput benefit because FDE workers maintain warm long-lived asyncpg pools. Enable only at >8 app-tier nodes.

Honest fact

pgbouncer + fde_tls_internal: true is incompatible in v1 — the Ansible role fails that combination intentionally. pgbouncer + TLS is on the roadmap.

Validated banking-tenant performance

Every number below runs the full banking rule chain on every request — over a TLS 1.3 mutual-TLS service mesh, with PII-encrypted decision snapshots and synchronous zero-data-loss persistence — on a single 8-core KVM lab machine. Zero errors in every run. Lab measurements only — not a performance guarantee. Your hardware, network, tenant config, and rule mix will affect results.

Published baseline
VMware · Apr 2026
2× (4 vCPU / 4 GB) VMs
70.8 RPS
P50 273 ms · 0 errors @ c=20
Our previously published like-for-like result.
Like-for-like on KVM +7%
Jun 2026
2× (4 vCPU / 4 GB) VMs · larger rule pack
75.5 RPS
0 errors @ c=20
Same VM shapes & posture as VMware — beaten by 7%, on a larger rule pack.
Single host, 8 vCPU
KVM · Jun 11 engine
App VM 8 vCPU + PostgreSQL VM 4 vCPU
103.3 RPS
P50 147 ms · P95 446.5 ms · 0 errors
Pre-optimization engine on the 8-core lab machine.
Optimized engine 2.5×
KVM · Jun 12 · same hardware
293.5 RPS peak @ c=40
257.1 RPS
P50 74 ms · P95 123 ms · 0 errors @ c=20
2.5× the throughput of our published 103.3 RPS baseline — and half the p50 latency — from one day of engine optimization on identical hardware.
Test bed & method. Every figure above was measured on a single laptop-class machine — Intel i7-11800H (8 cores / 16 threads), 45 GB RAM — running Ubuntu KVM with two guest VMs: an application VM (8 vCPU / 8 GB, 8 workers) and a PostgreSQL 16 VM (4 vCPU / 4 GB). Load was generated against /v1/risk/evaluate by RTD's open benchmark harness (JWT + HMAC auth, concurrency 1→40, plus a 60 s sustained run at c=20; database truncated before each run). The engine is stateless and scales linearly per core, so server-class hardware will exceed these numbers. These are lab measurements — not a performance guarantee, and not an extrapolated per-server capacity claim.
On-prem KVM benchmark in full banking posture — sustained RPS: VMware 2-VM 70.8, KVM 2-VM 75.5 (+7%), KVM 8 vCPU 103.3, KVM optimized engine 257.1 (293.5 peak); latency p50/p95 dropping from 147/446.5 ms to 74/123 ms. Single 8-core KVM lab machine, zero errors.
Zero data loss, zero errors

Every event, all rule triggers, the audit outbox, and the PII-encrypted decision snapshot are durably committed before the API responds. We re-verify the invariants after every run — events equal requests, rule-trigger rows equal 33 × events, snapshots map 1:1 — and recorded zero errors in every published run.

What drove the 2.5×

Profiling-driven engine optimization on identical hardware — hot-path CPU elimination, configuration caching, and connection-pool tuning. No safety posture was relaxed: the full 33-rule chain, mutual-TLS mesh, PII-encrypted snapshots, and synchronous zero-data-loss persistence stayed on for every run.

Looking for horizontal scale-out across nodes? See the cloud multi-node benchmark — 1,000+ TPS, rule engine → A different test on different hardware — read the two side by side, not added together.

Security & TLS posture

Zero-trust by default when you flip fde_tls_internal: true. Every internal hop is mutually authenticated.

Hop Protocol Cert Auth
Bank client → nginxTLS 1.3Server (edge)Server auth
nginx ↔ engineTLS 1.3EC P-256 leafmTLS
engine → PostgreSQLTLS 1.3EC P-256 leafmTLS sslmode=verify-full
engine → RedisTLS 1.3EC P-256 leafmTLS rediss://
dashboard → engineTLS 1.3EC P-256 leafmTLS
AEAD ciphers only (no CBC, no RC4). EC P-384 CA. 9 leaves on Debian/Ubuntu, 7 leaves on RHEL / Rocky Linux 8/9 (Redis TLS deferred in current release).

Two PKI modes

Two PKI modes — Mode A Ansible generates CA and leaves; Mode B bank supplies signed bundle, Ansible validates then distributes
Mode A for fast PoC. Mode B (Bring-your-own bank PKI; Customer CA mode in technical docs) for production banks that must keep their PKI root under bank control.

Audit evidence auditors can paste into their tooling

PostgreSQL emits a tls_connection event per connection with version, cipher, and verified status. Redis emits tls_handshake_verified at startup and on every reconnect (redis-py does not expose per-socket SSL metadata, so cipher/version are recorded as unknown for Redis).

# Count TLS 1.3 PostgreSQL connections over the last 24h
jq -r 'select(.event=="tls_connection" and .tls_version=="TLSv1.3" and .verified==true)' \
  /var/log/fde/audit.ndjson | wc -l

# Any failed TLS verifications?
jq -r 'select(.event=="tls_connection" and .verified==false) | {ts, peer, reason}' \
  /var/log/fde/audit.ndjson

Queries map directly to FFIEC CAT, MAS TRM §10, and BNM RMiT §11 audit asks.

Cert expiry monitor runs as a systemd timer (warns at 60 days, errors at 14 days). Rotation is operator-triggered and mode-specific: Mode A reruns ansible-playbook --tags common,tls-rotate; Mode B banks reissue their bundle and operator reruns --tags common,tls (--tags tls-rotate is explicitly not supported in Mode B). Reload-not-restart where supported.
Free download

FDE TLS & Audit Pack

PDF posture summary, audit-query catalog (sample jq queries mapped to FFIEC CAT / MAS TRM §10 / BNM RMiT §11), and cert lifecycle runbook. Share it internally — no form gate, no lead capture.

Download (1 PDF + 2 MD)

Compliance posture

FDE ships with built-in rule-to-regulation mappings. We don't claim certification — we produce the evidence auditors use to certify your deployment.

Singapore
MAS TRM
Technology Risk Management
Philippines
BSP-1140
BSP Circular 1140
Indonesia
OJK-POJK
12/POJK.03/2018
Malaysia
BNM-RMIT
Bank Negara RMiT
US
FFIEC
CAT

FDE supports requirements such as those listed above. Consult your own counsel for formal compliance mapping. Data residency is a deployment property — FDE runs inside your data-residency boundary; cross-region data movement is your choice and your network fabric.

Talk to us about an on-prem PoC

30-minute technical walkthrough with the team that built it. We'll cover topology, TLS posture, cert lifecycle, and what an evaluation deployment looks like in your environment.

Talk to Us