Skip to content
CloudPresto CloudPresto
Back to Knowledge Base
Encryption

Encryption & Data Protection

AES-256 at rest, TLS 1.3 in transit, and enforced key rotation.

Encryption Everywhere

Encryption is not optional and not configurable. It's on by default, everywhere, always.

LayerStandardDetails
In TransitTLS 1.3All API traffic, inter-service communication, and management plane connections. TLS 1.2 minimum; 1.0/1.1 disabled.
At RestAES-256All storage volumes, database storage, backup archives, and log data. Encryption enabled at the storage layer.
In BackupAES-256Backup archives encrypted independently from production. Separate key hierarchy prevents single compromise.
Key ManagementManaged key serviceCentralized key management on CloudPresto infrastructure.

Customer-Managed Keys

For organizations that require full key ownership, customer-managed keys can be scoped into your engagement. You generate and control the encryption keys; we operate against them without ever owning them.

Key sovereignty is designed into the engagement, not bolted on.

Key Rotation

Key rotation follows a defined policy:

  • Scheduled rotation: keys rotated on policy, annually as the baseline, more frequently where the engagement requires it
  • Non-disruptive rotation: new keys apply to new writes; existing data is re-protected through key re-wrapping, no downtime
  • Emergency rotation: immediate rotation if compromise is suspected
  • Rotation audit: rotation events logged with timestamp and key version