Encryption
Encryption & Data Protection
AES-256 at rest, TLS 1.3 in transit, and enforced key rotation.
Encryption Everywhere
Encryption is not optional and not configurable. It's on by default, everywhere, always.
| Layer | Standard | Details |
|---|---|---|
| In Transit | TLS 1.3 | All API traffic, inter-service communication, and management plane connections. TLS 1.2 minimum; 1.0/1.1 disabled. |
| At Rest | AES-256 | All storage volumes, database storage, backup archives, and log data. Encryption enabled at the storage layer. |
| In Backup | AES-256 | Backup archives encrypted independently from production. Separate key hierarchy prevents single compromise. |
| Key Management | Managed key service | Centralized key management on CloudPresto infrastructure. |
Customer-Managed Keys
For organizations that require full key ownership, customer-managed keys can be scoped into your engagement. You generate and control the encryption keys; we operate against them without ever owning them.
Key sovereignty is designed into the engagement, not bolted on.
Key Rotation
Key rotation follows a defined policy:
- Scheduled rotation: keys rotated on policy, annually as the baseline, more frequently where the engagement requires it
- Non-disruptive rotation: new keys apply to new writes; existing data is re-protected through key re-wrapping, no downtime
- Emergency rotation: immediate rotation if compromise is suspected
- Rotation audit: rotation events logged with timestamp and key version