Data Encryption and Protection
CertiNext implements a comprehensive data encryption and protection model to safeguard sensitive information across its entire lifecycle—at rest, in transit, and during processing. The design aligns with enterprise security expectations and regulatory requirements, ensuring confidentiality, integrity, and controlled access to customer data in both SaaS and on-premises deployments.
Encryption of Data at Rest
All sensitive data stored by CertiNext is encrypted at rest at the database layer. This includes, but is not limited to:
Personally identifiable information (PII)
Certificate metadata and lifecycle records
Audit logs and operational data
Configuration data associated with certificate management
Encryption at rest ensures that data remains protected even in the unlikely event of unauthorized access to storage systems.
Where supported, CertiNext uses strong, industry-standard encryption algorithms consistent with modern security best practices.
Customer Key Control (BYOK)
In deployment models where Bring Your Own Key (BYOK) is enabled:
Customer data is encrypted using customer-provided encryption keys
Customers retain control over key ownership and lifecycle
Encryption keys are logically isolated per customer
This model provides additional assurance for organizations with strict data sovereignty, regulatory, or internal security requirements.
Encryption of Data in Transit
TLS 1.2 or higher protects all data transmitted between:
Users and the CertiNext UI
APIs and automation clients
Bots and the CertiNext platform
Integrated systems and services
This ensures confidentiality and integrity of data during transmission and protects against interception, tampering, or downgrade attacks.
Key Management and Protection
Cryptographic keys used for encryption are:
Generated and stored securely
Access-controlled based on least-privilege principles
Protected using hardened key management practices
In SaaS deployments, keys are managed using FIPS 140-2 Level 3 compliant HSMs operated within secure data centers. In on-premises deployments, key management aligns with the customer’s chosen HSM or key management infrastructure.
Application-Level Data Protection
CertiNext’s application architecture further strengthens data protection by:
Avoiding persistence of customer data at the application layer
Ensuring all sensitive data is stored only in the secured data layer
Enforcing strict access controls before any data is retrieved or modified
This minimizes the attack surface and simplifies recovery and audit processes.
Access Controls and Segregation
Encryption is complemented by strong access controls:
Role-based access control (RBAC) within the application
Least-privilege access for platform and operational users
Logical tenant isolation in SaaS deployments
Optional database-level isolation per customer
Only authorized users and services can access decrypted data, and all access is logged for audit purposes.
Monitoring, Auditing, and Compliance
CertiNext continuously monitors data access and usage patterns and maintains:
Detailed audit logs for all data-related operations
Alerts for abnormal or unauthorized access attempts
Evidence to support security audits and compliance reviews
These controls support alignment with frameworks such as ISO 27001, SOC 2, and other enterprise security requirements.
Summary
Data encryption and protection in CertiNext are implemented as foundational security controls, not optional features. By combining encryption at rest, encryption in transit, strong key management, access governance, and continuous monitoring, CertiNext ensures that customer data remains protected throughout its lifecycle—across deployments, environments, and operational scenarios.
