Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

Digital Messaging storage methods and controls

Updated on November 6, 2023

Digital Messaging Service secures your data by taking advantage of encryption in transit and using Amazon Web Services (AWS) for data storage. Benefit from industry-approved security practices and a range of storage repositories, including AWS DynamoDB, AWS S3, and AWS CloudWatch.

Digital Messaging Service secures all data in transit using the TLS 1.2 protocol. The system manages access to the data through AWS Identity and Access Management (IAM) roles. Pegasystems employs industry-standard security practices, including need-to-know, split responsibilities, and least privilege principles for Pega Platform or Pega Customer Service developers performing system updates, logging, or other maintenance and monitoring tasks.

Digital Messaging Service, uses the following data storage repositories:

  • AWS DynamoDB
  • AWS S3
  • AWS CloudWatch

AWS DynamoDB

The AWS DynamoDB data storage repository includes the following types of data:

  • Administrative data
  • Client messaging identity details
  • CSR messages (temporary)
  • Customer messages (temporary)
  • Customer messaging identity details
Note: For customer messaging identity details, Digital Messaging Service stores each customer's contact ID on behalf of the client to streamline messaging communications and identify recurring visitor interactions for the CSR. Contact IDs, also known as messaging identity information, represent the customer's public account ID, for example, a Facebook ID, SMS ID, WhatsApp ID, or phone number.

Data stored in AWS DynamoDB is encrypted at rest using AWS Key Management Service (KMS) keys.


Digital Messaging Service uses the AWS S3 data storage repository for storing objects such as file attachments, which include:

  • CSR message attachments (temporary)
  • Customer message attachments (temporary)

AWS S3 storage uses partitions, providing each client with their own private bucket. Communication with AWS S3 client buckets occurs through private protocols and networks (AWS APIs) or public networks (HTTPS). When Digital Messaging Service transfers message attachments by using public networks, the system uses a temporary signed URL with a 15-minute time-to-live (TTL) to ensure secure communication. Digital Messaging Service temporarily stores all file attachments and automatically deletes them after 24 hours. The attachment link sent from Digital Messaging Service is valid for up to 60 minutes. Permanent storage of file attachments takes place in the Pega Platform or Pega Customer Service application.

For objects at rest in AWS S3 client buckets, the system employs standard AWS S3 encryption.

AWS CloudWatch

AWS CloudWatch is a monitoring and management service that Digital Messaging Service uses for event logging. AWS CloudWatch retains the following information within the service:

  • Client messaging identity details
  • Customer messaging identity details
  • System log messages
Note: Customer message identity details, specifically the contact ID, are only visible in the AWS CloudWatch storage if an error or warning related to a troubleshooting message is present in the logs.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us