8.1.2 Security & Compliance — Data Protection — Data Encryption — At Rest and In Transit

Data encryption is a foundational control used to protect information against unauthorized access. The platform applies encryption by default for stored data and all network communication to ensure confidentiality and integrity across environments.

Encryption at Rest

All sensitive data stored by the platform is encrypted at rest using industry-standard algorithms.

Protected data includes:

Databases and backups

File and media storage

Credentials and secrets

Encryption keys are managed securely and rotated according to policy.

Key Management

Encryption keys are isolated from application code and access-controlled.

Key management principles:

Separation of keys and data

Regular rotation

Restricted access

Direct access to raw keys is never exposed to tenants.

Encryption in Transit

All data transmitted between clients, services, and external integrations is encrypted in transit.

Transport guarantees:

HTTPS enforced for all public endpoints

Secure TLS configurations

Certificate validation

Unencrypted connections are rejected.

Internal Service Communication

Internal service-to-service communication also uses encrypted channels to prevent lateral movement.

Backup and Snapshot Protection

Backups and snapshots inherit the same encryption guarantees as primary storage. Backup encryption is applied before persistence.

Compliance Alignment

Encryption practices align with common compliance frameworks and regulatory expectations.

Aligned standards include:

GDPR security requirements

ISO 27001 principles

Industry best practices

Monitoring and Verification

Encryption configurations are monitored continuously. Misconfigurations or weak ciphers are detected and remediated.

Security and Isolation

Encryption is applied consistently across tenants. No tenant can influence another tenant’s encryption configuration or access encrypted material outside its scope.