§ 00·0x00/CASE STUDY / HEALTHCARE

Unique key per value. Provable ownership.

“Implementing robust encryption with CipherStash gave us peace of mind, knowing no one but the original data owners can access their data.”— JOURNALIA

§ 01·0x01/ABOUT / THE COMPANY

Norwegian health-tech, built on consent.

Journalia is an AI-driven app that transcribes patient consultations and generates structured medical notes so physicians can focus fully on their patients.

Operating within Europe, Journalia must comply with stringent data security and privacy regulations, including the GDPR special categories for health data.

§ 02·0x02/REQUIREMENTS / THE BRIEF

Three constraints, one solution.

01

Encryption

Patient notes contain PII and health data, a special category under the GDPR. Traditional application-level encryption uses a single key per database or, at best, one per table. With CipherStash Encryption, Journalia generates a unique key for every value in every column, in every row, in every table. The blast radius of a compromised key shrinks to a single field.

02

Patient confidentiality

Only the doctor who recorded a note should be able to decrypt and read it. CipherStash enables permissions to be scoped down to individual pieces of data, provable with cryptography. Context-locked encryption ties every value to the identity that captured it. Decryption requires both a valid key and the data owner's JWT, issued by the IdP. Unauthorized access is virtually impossible, and every access attempt is logged.

03

Performance

ZeroKMS, the CipherStash key manager, is both fast and scalable thanks to bulk operations and key binding. It was designed for database encryption use cases. Benchmarks show ZeroKMS is 14x faster than AWS KMS when using a data key per record, and performance stays consistent even at large data volumes. No data-key caching or reuse is needed for decryption.

§ 03·0x03/DECISION / WHY CipherStash

Why they chose CipherStash.

“CipherStash enabled us to achieve the same stringent level of encryption without needing to implement custom envelope encryption using AWS KMS or similar technologies.”— JOURNALIA

Initially Journalia planned to satisfy their encryption requirements with a combination of envelope encryption and a custom integration against their IdP. They quickly realised that building the solution themselves was not viable given the complexity of the problem.

With CipherStash Encryption they found a solution built on well-understood, industry-standard primitives like AES and SHA2, fully covered by our compliance program, and fit for their tech stack: Drizzle ORM with Next.js, Postgres on RDS, and Clerk as the IdP.

example.ts

```ts
// CipherStash Encryption with a lock context
import { encryptionClient, noteTable } from '@/encryption'
import { getLockContext } from '@/auth'

const lockContext = await getLockContext()
const encryptedData = await encryptionClient
  .encrypt('Sensitive data from consultation', noteTable)
  .withLockContext(lockContext)
```
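To make the two properties from the brief concrete (a unique key per value, and decryption tied to the identity that captured the data), here is an added sketch that is not CipherStash or ZeroKMS code and not part of the original case study. It assumes HKDF-SHA256 and AES-256-GCM from Node's `crypto` module; `valueKey`, `seal`, `unseal`, the subject ids and the column names are hypothetical.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from 'node:crypto'

// Conceptual sketch, NOT CipherStash or ZeroKMS code. Assumption: each value's key is
// derived with HKDF-SHA256 from a root key, a fresh per-value salt and the owner's `sub`.
type Sealed = { salt: string; iv: string; tag: string; ct: string }

function valueKey(rootKey: Uint8Array, salt: Uint8Array, ownerSub: string) {
  // The identity is part of the derivation context: another `sub` gives an unrelated key.
  return Buffer.from(hkdfSync('sha256', rootKey, salt, `owner:${ownerSub}`, 32))
}

// ownerSub must come from a JWT whose signature, issuer, audience and expiry were verified.
function seal(rootKey: Uint8Array, ownerSub: string, column: string, plaintext: string): Sealed {
  const salt = randomBytes(16) // fresh salt per value, so every field gets its own key
  const iv = randomBytes(12)
  const cipher = createCipheriv('aes-256-gcm', valueKey(rootKey, salt, ownerSub), iv)
  cipher.setAAD(Buffer.from(column)) // bind the ciphertext to the column it was written to
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
  const hex = (b: Buffer) => b.toString('hex')
  return { salt: hex(salt), iv: hex(iv), tag: hex(cipher.getAuthTag()), ct: hex(ct) }
}

// Returns the plaintext, or null when identity, column or ciphertext do not match.
function unseal(rootKey: Uint8Array, ownerSub: string, column: string, s: Sealed): string | null {
  const key = valueKey(rootKey, Buffer.from(s.salt, 'hex'), ownerSub)
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(s.iv, 'hex'))
  decipher.setAAD(Buffer.from(column))
  decipher.setAuthTag(Buffer.from(s.tag, 'hex'))
  try {
    return Buffer.concat([decipher.update(Buffer.from(s.ct, 'hex')), decipher.final()]).toString('utf8')
  } catch {
    return null // GCM tag check failed: wrong owner, wrong column, or tampered data
  }
}

// Constructed sample data: the root key, subject ids and note text are made up.
function demo() {
  const rootKey = randomBytes(32)
  const note = seal(rootKey, 'user_doctor_a', 'notes.body', 'Patient reports mild headache')
  return {
    owner: unseal(rootKey, 'user_doctor_a', 'notes.body', note),
    otherDoctor: unseal(rootKey, 'user_doctor_b', 'notes.body', note),
    wrongColumn: unseal(rootKey, 'user_doctor_a', 'notes.title', note),
  }
}

console.log(demo())
```

In this sketch anyone holding the root key can pass any `sub`, so the binding only protects data when key derivation happens in a service that verifies the caller's JWT before releasing a key.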

§ 04·0x04/IMPLEMENTATION / DELIVERY

Three weeks to production.

Journalia was confident enough in our solution to move straight to implementation without running a proof of concept. Implementation, including customization for their IdP, took around three weeks from kickoff to production traffic routed through CipherStash.

Journalia solved their complex security challenge in a way that keeps their solution easy for their customers to use, and released their app on the original timeline.

3 weeks: Kickoff to production

14x: Faster than AWS KMS

Patient audit trail

§ 05·0x05/NEXT / YOUR STACK

Build the same guarantees.

If you are building a product where your customers are legally responsible for the data you hold, talk to us. Every CipherStash deployment starts with a single encrypted field and scales from there.