LinkedIn tracking pixel

DLAC - Data level access control

90B 9D2E4 10F4'7 CCD6735C67. FE8A'D1 18BC84CD.

Postgres stores, indexes, and searches ciphertext. Only an identity-bound policy can decrypt a value. This is Data Level Access Control.

One platform: searchable encryption, value-level access policies, on-demand keys, and a cryptographic audit trail. Built into the Postgres you already run.

VIEW DOCS
stack.ts[ENCRYPTED]
import { encryption, disclosure } from '@cipherstash/stack'

// Encrypt every field with a unique key
const patient = await db.patients.create({
  name:      encryption.encrypt(),
  dob:       encryption.encrypt(),
  diagnosis: encryption.encrypt(),
})

// Query encrypted fields. No decryption required.
const results = await db.patients.findMany({
  where: { diagnosis: encryption.match('hypertension') },
})

SEARCHABLE ENCRYPTION · VALUE-LEVEL ACCESS · ON-DEMAND KEYS · CRYPTOGRAPHIC AUDIT · SECRETS

§ 01·0x01/WHAT HAPPENS ON A REQUEST

What happens when your app touches data.

The whole platform is visible in the path of a single value. Six steps, and plaintext never leaves your application.

01

Encrypt

Your app calls the SDK.

One typed call to encrypt a value. The SDK knows your schema, so encrypted fields are typed like any other field.

02

Derive

ZeroKMS derives a key for that one value.

The key is bound to the caller’s identity and policy. Derived on demand, used once, never stored.

03

Store

Ciphertext lands in your Postgres.

The encrypted value and its EQL index terms are written to your database. Postgres never receives plaintext.

04

Query

Your queries run as-is.

EQL operators compare ciphertext using ordinary Postgres indexes. Equality, range, and free-text search, with sub-millisecond overhead.

05

Decrypt

Decryption happens in your app, under policy.

Only values the requesting identity is authorized to see are decrypted. Everyone else gets ciphertext, including admins and agents.

06

Audit

Every decryption is recorded.

Who, what, when, from where. On by default. Immutable by construction.

§ 02·0x02/THE ARGUMENT

Three ways teams protect data today. One reason they aren't enough.

/VS-THE-PERIMETER

A perimeter fails the moment someone is inside it.

Perimeters defend a boundary around plaintext. One leaked credential makes everything inside readable. DLAC removes the trusted interior: every value an attack reaches is ciphertext with no key.

DLAC has no inside to break into.

/VS-ROW-LEVEL-SECURITY

RLS decides which rows return. DLAC protects the values in them.

RLS is the right tool for query-time authorization, and CipherStash works alongside it. Once a row is returned, RLS is done. CipherStash keeps each value encrypted wherever it travels.

Defense in depth: RLS at the query, DLAC on the data.

/VS-COMPLIANCE-FIRST

Compliance is the receipt, not the goal.

A compliance program proves you passed an audit. DLAC removes the exposure the audit checks for. The auditor gets a cryptographic trail instead of a policy document.

Build privacy-first; collect compliance as a byproduct.

AT REST, IN TRANSIT, AND IN USE →

§ 03·0x03/DATA LEVEL ACCESS CONTROL

Every value carries its own policy.

Every sensitive value is encrypted with a unique, identity-bound key. Attackers, over-permissioned agents, and curious insiders all see the same thing: ciphertext with no key.

/ENCRYPTION

Searchable field-level encryption.

Range, exact-match, and free-text search over encrypted fields, with sub-millisecond overhead on your existing indexes. No new database, no migration.

This removes the constraint that made plaintext storage unavoidable.

  • Range, fuzzy text, and JSON queries over ciphertext
  • Works with existing Postgres indexes
  • <1ms query overhead
  • 100,000x faster than fully homomorphic encryption
  • Quantum safe
ENCRYPTION →

/SELECTIVE-DISCLOSURE

Value-level access control.

Every encrypted value carries a policy: who can read it, under what conditions. The decision happens at decryption, wherever the data ends up. Works alongside Row Level Security.

An attacker with the agent's credentials decrypts nothing.

  • Per-value access policy
  • Enforced at decryption, wherever the data goes
  • Escalation workflows for sensitive access
  • Agent-safe by design

/POWERED-BY-ZEROKMS

Keys derived on demand, never stored.

ZeroKMS is 14x faster than AWS KMS, with keys derived on demand and never stored. Identity and policy in every key.

This is what makes 'encrypt every field' deployable.

  • 14x the performance of AWS KMS
  • Keys derived on demand, never stored
  • Identity and policy baked into every key
  • 9 global regions
ZEROKMS →

/SECRETS (COMING SOON)

Secrets without the .env.

Every secret encrypted at the field level. Accessible only to the right identity, at the right time. Cryptographically isolated environments. Full audit trail.

Never accidentally leak a secret again.

  • Type-safe SDK
  • Cryptographically isolated environments
  • CLI management
  • Full audit trail
JOIN THE WAITLIST →

§ 04·0x04/CRYPTOGRAPHIC AUDIT TRAIL

Every access event. Cryptographically proven.

Every decryption recorded: who, what, when, from where, in what context. On by default. Immutable by construction.

Cryptographic audit trails give continuous assurance. When a breach occurs or a compliance audit arrives, you have proof.

1B+

Operations in production

Audit trail

HIPAA / SOC 2 / GDPR

Compliance

24/7

Continuous assurance

§ 05·0x05/HOW CipherStash IS STRUCTURED

Three primitives. Built to scale with usage, not headcount.

01

Data keys

The unit of encryption.

One data key is one encryption operation. Data keys are consumed when your application writes sensitive data, and only then.

Decryption is always free. You are never charged to access your own data, run an audit, or leave.

02

Keysets

The unit of isolation.

A keyset is a cryptographically separated group of keys. A single-tenant app uses one. A multi-tenant SaaS provisions one per customer, with provable separation.

Keysets scale with the complexity of your security architecture.

03

Clients

The unit of identity.

A client is any entity that talks to CipherStash: a developer, an app instance, a pipeline, an agent. Clients are how you grant and revoke access to keysets.

Every developer is a client. Every application is a client. Every agent is a client.

§ 06·0x06/WORKS IN YOUR STACK

Up and running in 15 minutes.

Works with any managed Postgres provider. Plugins for Drizzle and Prisma. Connectors for Auth0 and Clerk. Open-source SDKs starting with TypeScript, expanding to every major language.

No vault. No detour. Your data never leaves your stack. It just stops being plaintext.

SUPABASE · NEON · PLANETSCALE · CRUNCHY · VERCEL · NILE · TIGER · PRISMA · DRIZZLE · AUTH0 · CLERK

§ 07·0x07/PRIVACY-FIRST USE CASES

One infrastructure layer. Every sensitive data problem.

01

AI & Agentic Security

A compromised agent's blast radius is your database permissions. DLAC limits it to what the requesting user can decrypt. Prompt injection still executes. Exfiltration doesn't.

02

Data Security & Privacy

Protect sensitive fields with value-level encryption. CipherStash never sees your keys or plaintext. A breach yields ciphertext, nothing useful.

03

Cryptographic Multitenancy

Provision a keyset per customer. Each tenant's records are encrypted under keys derived from their identity. Provable isolation at the encryption layer.

04

Access Intelligence

Every access event logged: who, what, when, and how. Continuous assurance, not point-in-time snapshots.

05

Data Sovereignty

Keys in your region. Data in your database. Dual-party key splits for government and high-security requirements. Control that survives a cloud provider incident.

Code is rewritable.
Ciphertext
isn't.

Integrate CipherStash into your stack and encrypt your first fields in 15 minutes. Or talk to our team about production architecture.

VIEW DOCS