/PCI-DSS-4
Disk encryption alone stopped counting in March 2025.
PCI DSS 4 requires more than disk encryption for stored cardholder data. Field-level encryption meets it, queries intact.
PCI DSS 4 →Queryable encryption for Postgres. Your data stays encrypted while your app is using it, and only an identity-bound policy can decrypt a value.
§ 01·0x01/THE AGENTIC ERA
Agents hold your database credentials, and prompt injection is the number one LLM risk. CipherStash caps the blast radius: agents return only what the requesting user can decrypt. The attack still executes. The exfiltration does not.
§ 02·0x02/THE INFRASTRUCTURE
Your database stores only ciphertext. Supabase, Neon, and RDS never see your plaintext, and neither do we. Your team decrypts only under policy, and every decryption is logged.
Step through the three states below. One table, one query, three realities.
postgres > SELECT * FROM patients WHERE condition = 'hypertension'| id | name | dob | condition | notes |
|---|---|---|---|---|
| p_01 | Alex Rivera | 1982-04-12 | hypertension | lisinopril 10mg |
| p_02 | Morgan Chen | 1995-11-03 | type II diabetes | metformin 500mg |
| p_03 | Priya Patel | 1971-07-22 | hypertension | atenolol 25mg |
| p_04 | Samir Okafor | 2001-02-17 | hypertension | lisinopril 10mg |
| p_05 | Leah Kowalski | 1988-09-30 | asthma | albuterol inhaler |
SUPPORTED DATA STORES
Native plugins for Drizzle and Prisma. Connectors for Auth0 and Clerk.
§ 03·0x03/HOW IT WORKS
Control follows the data, not the perimeter. A perimeter breaks the moment someone gets inside it. Data-level access control has no inside.
Switch identities below. The same records. Four different realities.
| id | owner | name | dob | condition |
|---|---|---|---|---|
| p_01 | dr.smith | Alex Rivera | 1982-04-12 | hypertension |
| p_02 | dr.jones | mBk|UTcQkcxABP+4UtNqkKsb5p== | mBk|bvklgqmMZOacU/PRlEIRvY== | mBk|xnR1nWZ1Q5WDWkgBmwtFzD== |
| p_03 | dr.smith | Priya Patel | 1971-07-22 | hypertension |
| p_04 | dr.jones | mBk|HxDQvhXkWvyqgOXzMGj0KJ== | mBk|qebLIPw3PE0xhoCIIpws+s== | mBk|n1lyQbKU5a4ufkh/1u+pqh== |
| p_05 | dr.jones | mBk|Ddu9nPfKsxRqpn8KygaZ0u== | mBk|B4OU8aZENJvYsOQc0LOjUE== | mBk|CwvoLxj7Obe6+xZ2zzABNN== |
§ 04·0x04/COMPLIANCE
Field-level encryption is becoming the requirement, not the recommendation. CipherStash meets it without breaking your queries.
/PCI-DSS-4
PCI DSS 4 requires more than disk encryption for stored cardholder data. Field-level encryption meets it, queries intact.
PCI DSS 4 →/HIPAA
A proposed HIPAA update would make ePHI encryption mandatory. Get ahead of it on the Postgres you already run.
HIPAA →§ 05·0x05/IN PRODUCTION
CipherStash enabled us to achieve the same stringent level of encryption without needing to implement custom envelope encryption using AWS KMS or similar technologies.
READ CASE STUDY →With CipherStash, we were able to implement end-to-end encryption while maintaining full search functionality across our entire platform.
READ CASE STUDY →1B+
Encryption ops in production
14x
Faster than AWS KMS
<1ms
Query overhead
SOC 2 TYPE II
Certified
Integrate CipherStash into your stack and encrypt your first fields in 15 minutes. Or talk to our team about production architecture.