Every byte that flows through Spalce is encrypted in transit and at rest. This guide describes the algorithms we use, where the keys live, and how you can verify our claims independently. For the corresponding compliance framework mapping, see the Compliance article.
In transit
All public endpoints terminate TLS 1.2 or 1.3. We disable everything older. Certificates are issued by Let's Encrypt for managed endpoints and pinned per-customer for self-hosted deployments. HSTS is on by default with a one-year max-age, includeSubDomains, and preload.
# Verify TLS posture for any Spalce endpoint
nmap --script ssl-enum-ciphers -p 443 api.spalce.dev
# You should see only TLSv1.2 and TLSv1.3 cipher suites listed.
At rest
Object storage, database storage, and snapshots are encrypted with AES-256-GCM. Database column-level encryption is applied to PII fields — email, phone, government identifiers — using envelope encryption with a per-tenant data key wrapped by a customer-master key in your KMS of choice.
We support AWS KMS, GCP Cloud KMS, Azure Key Vault, and HashiCorp Vault as customer-master-key providers.
Envelope encryption flow
We never decrypt with a customer-master key directly. Instead we use envelope encryption: a per-tenant data encryption key (DEK) is generated locally, used to encrypt the payload, and the DEK itself is encrypted with your customer-master key (CMK). The encrypted DEK is stored next to the ciphertext, and the plaintext DEK lives only in process memory for the lifetime of the operation.
// Conceptual flow — production uses a hardened library, not raw crypto.
// aesGcmEncrypt, kms, db and cmkArn stand for the AEAD helper, the KMS client,
// the storage layer and the customer-master key id; they are not shown here.
const crypto = require('crypto');

const dek = crypto.randomBytes(32);                                   // fresh 256-bit DEK per record
const ciphertext = aesGcmEncrypt(plaintext, dek);                     // payload encrypted locally
const wrappedDek = await kms.encrypt({ KeyId: cmkArn, Plaintext: dek }); // DEK wrapped by the CMK
await db.write({
  ciphertext,
  wrapped_dek: wrappedDek.CiphertextBlob,                             // stored next to the ciphertext
  kms_key_id: cmkArn,
});
Key rotation
Customer-master keys rotate annually by default, or on demand. Data encryption keys are ephemeral — a new DEK is minted for every record. To re-encrypt historical data under a new CMK, trigger a rewrap job from the dashboard. The job runs in the background, reports progress, and is safe to run during normal traffic.
- TLS 1.2 / 1.3 with modern cipher suites and HSTS preload.
- AES-256-GCM for storage, with per-tenant data keys.
- Envelope encryption rooted in your KMS, not ours.
- Annual rotation by default, on-demand rewrap available.
- Independent audit reports available under NDA via the dashboard.