LinkedIn tracking pixel

§ 00·0x00/SECURITY / TRUST

Encrypted at rest is the floor. We encrypt in use.

Your data stays encrypted inside the database, even while your app is querying it. This page answers the questions your security review will ask, starting with the checkboxes.

§ 01·0x01/AT REST / IN TRANSIT / IN USE

Encryption at rest, in transit, and in use.

01

At rest

The floor. Every Postgres provider encrypts disks and backups. CipherStash goes further: what lands on disk is already ciphertext at the field level.

02

In transit

Table stakes. TLS protects data in motion. Encrypted fields stay encrypted inside the tunnel, so a logged request exposes only ciphertext.

03

In use

The part that is new. Your database stores, indexes, and searches ciphertext. No hardware enclave required. Decryption happens in your app, only under policy, and every decryption is logged.

§ 02·0x02/SECURITY QUESTIONNAIRE

The answers your reviewer is looking for.

Straight answers to the questions that appear on every security questionnaire. For the long-form versions, SOC 2 reports, and penetration test summaries, head to the Trust Center.

Is data encrypted at rest?

Yes, twice over. Provider-level storage encryption applies as usual. Fields protected by CipherStash are stored as ciphertext, so the database contains no plaintext to expose.

Is data encrypted in transit?

Yes. All connections use TLS, and CipherStash-protected fields remain ciphertext within the tunnel.

Is data encrypted in use?

Yes, in the database: queries run over ciphertext and the datastore never holds plaintext. Your application decrypts only the values the requesting identity is authorized to see.

Who can decrypt?

Only identities granted access by policy, per value. Admins and operators see ciphertext unless they also carry the right identity. Every decryption is written to a cryptographic audit trail.

Where are the keys?

Nowhere at rest. ZeroKMS derives a unique key per value on demand and never stores it. CipherStash never sees your plaintext.

What certifications do you hold?

CipherStash is SOC 2 Type II certified. Reports, penetration test summaries, and completed questionnaires are available in the Trust Center under NDA.

§ 03·0x03/GO DEEPER

For the reviewers who read the architecture.

The guarantees above are structural, not procedural. ZeroKMS derives a unique key per value, on demand, with identity and policy in every derivation. Read the deep dive, or request the whitepaper.