The SwyDex team
Bring-your-own-key for Enterprise customers
For most customers, our default envelope encryption (KMS-wrapped DEK held in our GCP project) is the right call — they don't want to operate their own KMS.
For some Enterprise customers, the equation is different. They have an existing KMS provider, an existing key-rotation policy, and a compliance regime that says “the platform vendor must not have unilateral access to encryption keys.”
For those customers we offer Bring-Your-Own-Key (BYOK):
- The customer creates a KEK in their own KMS (GCP, AWS, Azure, or HashiCorp Vault).
- They grant our service account a Decrypt-only role on that KEK.
- We generate a tenant-specific DEK, wrap it under their KEK, and store the wrapped blob in our database (no customer-side data leaves their infrastructure during this — the wrap happens in their KMS).
- At runtime, we decrypt via their KMS once at container start. If they revoke access, we lose the ability to decrypt, and so do they, until they re-grant.
The customer controls the kill-switch. They rotate keys on their schedule. Audit logs of decrypts go to their KMS, not ours.
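The flow above, modeled as an added example (not SwyDex's code): a mock customer KMS holds the KEK, enforces per-principal grants, and keeps the audit log on the customer side. The principal names, the HMAC-based toy wrap inside the mock, and the choice to authorize the one-time wrap under a customer-side identity (the vendor's grant being Decrypt-only) are assumptions.

```python
import hashlib
import hmac
import secrets

VENDOR, CUSTOMER = "vendor-runtime-sa", "customer-kms-admin"  # hypothetical principals

class MockCustomerKMS:
    """Constructed stand-in for the customer's KMS; the KEK never leaves it."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
        self.grants = {CUSTOMER: {"encrypt", "decrypt"}}  # principal -> allowed ops
        self.audit_log = []  # kept on the customer side, not the vendor's

    def _authorize(self, principal, op):
        ok = op in self.grants.get(principal, set())
        self.audit_log.append((principal, op, "ok" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{principal} lacks {op} on the KEK")

    def _mac(self, label, data):
        return hmac.new(self._kek, label + data, hashlib.sha256).digest()

    def encrypt(self, principal, dek):  # toy wrap for a 32-byte DEK, mock only
        self._authorize(principal, "encrypt")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(dek, self._mac(b"pad", nonce)))
        return nonce + ct + self._mac(b"tag", nonce + ct)

    def decrypt(self, principal, blob):
        self._authorize(principal, "decrypt")
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, self._mac(b"tag", nonce + ct)):
            raise ValueError("wrapped DEK failed its integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._mac(b"pad", nonce)))

def onboard(kms):  # grant Decrypt only, then wrap a fresh tenant DEK inside the KMS
    kms.grants[VENDOR] = {"decrypt"}
    dek = secrets.token_bytes(32)
    return dek, kms.encrypt(CUSTOMER, dek)  # the vendor database stores only the blob

def container_start(kms, wrapped):  # one unwrap per start, as the vendor account
    return kms.decrypt(VENDOR, wrapped)

def denied(call, *args):
    try:
        call(*args)
        return False
    except PermissionError:
        return True
```

Clearing `kms.grants[VENDOR]` models the kill-switch: the next `container_start` raises `PermissionError`, and the denied attempt is recorded in the KMS-side `audit_log`.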
Available on Enterprise contracts only — the operational support is non-trivial, and the audit-trail integration takes per-customer time to set up. If you're interested, talk to us.