# CipherStash - Amber Electric Customer Story

> I don't have a lot of patience for tools that don't meaningfully improve the actual underlying security.
> - John Barton, CTO, Amber Electric

## About Amber Electric

[Amber Electric][1] is a climate-focused energy company that started in Australia by giving residential customers direct access to the wholesale energy market.
What began as a bet on a fairer, greener grid has grown into a platform that puts real-time pricing and clean-energy choice in the hands of everyday households.

Amber is now expanding internationally, which means handling more of their own data and significantly more customer data across divergent regulatory regimes, including the GDPR.
Each new market brings a new compliance bar, and Amber needed a foundation that could scale with that reality rather than slow it down.

![Amber Electric](/images/case-studies/amber.webp)

## Amber's requirements

### No security theater

When John Barton, CTO at Amber Electric, ran vendor selection he was explicit about what he did not want: security theater.
He needed tools that meaningfully improved the actual underlying security posture of the product, not boxes to tick for a questionnaire.
At the same time, the solution had to satisfy the external compliance asks coming from enterprise clients and partner security teams.

### Multi-regulatory compliance

As Amber expands internationally, customer data obligations multiply.
GDPR is the most visible requirement, but each new jurisdiction comes with its own rules about how personal information is stored, accessed, and audited.
Amber needed a data protection layer that could meet the bar of each regulatory regime as Amber reached it, without re-platforming every time.

### Fits the existing AWS + TypeScript stack

Amber runs a modern AWS stack, with most of their application code deployed as Lambda functions written in TypeScript, backed by Postgres and DynamoDB.
Any encryption solution had to drop into that stack natively and stay out of the way of the product team's day-to-day workflow.

## The CipherStash solution

Amber adopted the [CipherStash Encryption SDK][2], called directly from their TypeScript Lambda code at every read and write boundary against both Postgres and DynamoDB.
Sensitive customer fields are encrypted on the way in and decrypted only in the right context on the way out - there is no separate proxy hop and no change to how Amber operates their databases.

A signed authentication context is posted everywhere data is touched, which produces a clear, provable audit trail of when and where individual customer data is accessed, and by whom.
That audit trail is not a bolt-on log pipeline - it is a cryptographic property of how the data is accessed.
For Amber's compliance conversations with clients and regulators, that shifts the discussion from "trust our logs" to "here is the cryptographic evidence".

## Developer experience

The process of working with CipherStash alongside AWS was, in John's words, "really collaborative".
The cryptographic solution and its AWS integration were elegant enough that encryption became "really transparent to the developer experience" in ordinary workflows - engineers kept shipping features against Postgres and DynamoDB without rewiring their mental model.

That transparency matters when the surrounding business is moving fast.
Security controls that force developers to detour around them tend to get worked around; controls that slot into the stack tend to get used.

## Business outcome

Adopting CipherStash let Amber hit tough timelines.
They delivered new tenant solutions for overseas clients, satisfied the security teams asking hard compliance questions, and did it with minimal impact on the core product team's roadmap.

As Amber continues to expand globally, CipherStash meets the needs of each compliance regime as Amber reaches it, rather than forcing a fresh security project for every new market.

> Security and agility has historically been a tradeoff. There are some really good vendors, and CipherStash is one of them, for having that kind of startup, agility-friendly, secure base.
> - John Barton, CTO, Amber Electric

[1]: https://www.amber.com.au
[2]: https://github.com/cipherstash/stack
