§ 00·0x00/CASE STUDY / FINANCIAL CRIME
Searchable JSONB. Audit by construction.
“With CipherStash, we were able to implement end-to-end encryption while maintaining full search functionality across our entire platform.”— BNDRY
§ 01·0x01/ABOUT / THE COMPANY
Financial crime prevention for a regulated industry.
BNDRY is the flagship product of Identitii, a publicly traded Australian technology company that helps organisations embed risk and compliance capability into their products, with a particular focus on preventing financial crime.
In the tightly regulated finance sector, privacy expectations are high and rising. CipherStash Proxy is part of the core proof that BNDRY protects sensitive customer data.
§ 02·0x02/REQUIREMENTS / THE BRIEF
Three constraints, one Proxy.
01
Protect JSONB data for Smart Forms
BNDRY's Smart Forms feature lets customers design their own forms to streamline due diligence. Form definitions and responses are stored as JSONB. CipherStash Proxy supports encrypted JSONB, so sensitive data collected via forms stays protected. Because encrypted data is also searchable, BNDRY can offer searchable form responses knowing the data is never decrypted to serve a query.
02
Decrypt only for authorized viewers
BNDRY's risk teams view sensitive customer data and decrypt it only for authorized users. With CipherStash Proxy, BNDRY customers can trust that every decrypted view is logged. The data stays fully encrypted in the database, not just at rest, and decryption happens through Proxy under identity-bound policy.
03
Audit trails for compliance
CipherStash Proxy captures detailed logs of all data access: who accessed the data, what data was accessed, when the access occurred, and how. That audit trail lets BNDRY satisfy customer GRC requirements across HIPAA, ISO27001, SOC 2, PCI-DSS, and GDPR without bespoke logging layers.
§ 03·0x03/DECISION / WHY CipherStash
Vault left gaps. Proxy filled them.
BNDRY previously trialled HashiCorp Vault. It did not give them the straightforward, end-to-end data protection they needed. CipherStash Proxy fills that gap with fully searchable encryption in use.
As BNDRY grows their own product offering, Proxy also gives them the flexibility to offer a self-hosted BNDRY option to their customers. Low-friction procurement made the decision easy: CipherStash has SOC 2 Type 2 certification, a publicly accessible trust centre, and a base-plus-usage pricing model that scales with BNDRY.
§ 04·0x04/IMPLEMENTATION / DELIVERY
Incremental rollout. Zero app changes.
BNDRY runs a strongly DevOps-focused team, using infrastructure as code with a fully composable architecture. The implementation model for CipherStash Proxy fits perfectly: Proxy deploys as a service in their Kubernetes cluster on Amazon EKS.
BNDRY uses Postgres with row-level security, a Go backend, and a Vue.js frontend. The team validated our solution by using the Encryption module for Go, then moved to the transparent Proxy deployment with no changes required to the application. They deployed Proxy without encryption during testing to validate the path, then encrypted database columns incrementally to build confidence before rolling out fully.
0
App changes required
5
Compliance frameworks
∞
Audit trail
§ 05·0x05/NEXT / YOUR STACK
Transparent encryption without code changes.
If you are retrofitting encryption onto a live Postgres workload without touching application code, CipherStash Proxy is the deployment model to evaluate. Read the docs or book time with our team.