Our server is served over TLS, enforced by the Nginx configuration, which redirects any non-SSL (plain HTTP) request to SSL over TCP rather than UDP.
We have also enabled the force_ssl flag at the application layer, so that the application itself serves no non-SSL request.
Our RDS network is reachable only from whitelisted IP addresses.
Our sensitive data is never exposed through direct access; there is always another layer in front of it. Where we allow access to our data through an API, we can whitelist the IP addresses permitted to reach it. We will be integrating throttling features that block abusive IPs, so that we can mitigate DDoS attacks.
Our application is a multi-tenant system that allows only valid subdomains to interact with it.
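As an added illustration of the subdomain check described above (example code, not the page's own): a Rack-style middleware that resolves the tenant from the Host header and rejects any host that is not exactly one well-formed, registered label under the base domain. The base domain, the reserved names and the tenant registry are assumed sample values.

```ruby
require 'set'

# Resolves the tenant from the HTTP Host header of a multi-tenant app.
# Assumptions (not from the page): base domain, reserved labels and the
# registry of provisioned tenants are hypothetical sample values.
class TenantSubdomainGuard
  BASE_DOMAIN = 'example.com'.freeze                     # assumed base domain
  RESERVED = %w[www api admin].freeze                    # assumed non-tenant names
  LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/    # one valid DNS label

  # registry: constructed list of provisioned tenant subdomains
  def initialize(app, registry)
    @app = app
    @registry = Set.new(registry)
  end

  # Returns the tenant label for a valid, provisioned subdomain, else nil.
  # Strips any port and trailing dot, lower-cases, requires exactly one
  # label directly below the base domain, and rejects unregistered names.
  def self.resolve_tenant(host, registry, base = BASE_DOMAIN)
    return nil if host.nil?
    name = host.split(':', 2).first.downcase.chomp('.')
    suffix = ".#{base}"
    return nil unless name.end_with?(suffix)
    label = name[0...-suffix.length]
    return nil unless LABEL.match?(label)        # no nested labels, no odd chars
    return nil if RESERVED.include?(label)
    registry.include?(label) ? label : nil
  end

  # Rack entry point: unknown tenants get a 404 before the app runs.
  def call(env)
    tenant = self.class.resolve_tenant(env['HTTP_HOST'], @registry)
    return [404, { 'content-type' => 'text/plain' }, ['unknown tenant']] unless tenant
    env['tenant'] = tenant
    @app.call(env)
  end
end

if __FILE__ == $0
  app = ->(env) { [200, {}, ["hello #{env['tenant']}"]] }
  guard = TenantSubdomainGuard.new(app, %w[acme globex])   # constructed registry
  status, _, body = guard.call('HTTP_HOST' => 'acme.example.com:443')
  puts "#{status} #{body.join}"
end
```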