During internal pentest/compliance test it has been identified that unencrypted traffic exists between application nodes. It has been identified to be a hazelcast connection between the nodes. We'd like to confirm that PEGA uses hazelcast for technical traffic only (control/management plane type of information). In other words information exchange using this protocol does not contain application data, which would then potentially include sensitive information. 

We are aware it is possible to encrypt this communication as well, however we need to confirm also in as-is state.