All traffic to Timescale Cloud services is always protected by TLS (SSL). TLS ensures that third-parties can't eavesdrop or modify the data while it's in transit between the Timescale Cloud services and clients accessing the services.
Every Timescale Cloud project has its own private Certificate Authority which is used to sign certificates that are used internally by the Timescale Cloud services to communicate between different cluster nodes and to Timescale Cloud management systems. It's possible to download the project's CA certificate from the Timescale Cloud web console in the service view (click Show CA certificate) and establish the trust by setting up your browser or client to trust that certificate.
All server certificates are always signed by the Timescale Cloud project CA.