# Data Encryption and Protection

CertiNext implements a comprehensive **data encryption and protection model** to safeguard sensitive information across its entire lifecycle—at rest, in transit, and during processing. The design aligns with enterprise security expectations and regulatory requirements, ensuring confidentiality, integrity, and controlled access to customer data in both SaaS and on-premises deployments.

***

#### Encryption of Data at Rest

All sensitive data stored by CertiNext is **encrypted at rest** at the database layer. This includes, but is not limited to:

* Personally identifiable information (PII)
* Certificate metadata and lifecycle records
* Audit logs and operational data
* Configuration data associated with certificate management

Encryption at rest ensures that data remains protected even in the unlikely event of unauthorized access to storage systems.

Where supported, CertiNext uses strong, industry-standard encryption algorithms consistent with modern security best practices.

***

#### Customer Key Control (BYOK)

In deployment models where **Bring Your Own Key (BYOK)** is enabled:

* Customer data is encrypted using **customer-provided encryption keys**
* Customers retain control over key ownership and lifecycle
* Encryption keys are logically isolated per customer

This model provides additional assurance for organizations with strict data sovereignty, regulatory, or internal security requirements.

***

#### Encryption of Data in Transit

All data transmitted between:

* Users and the CertiNext UI
* APIs and automation clients
* Bots and the CertiNext platform
* Integrated systems and services

is protected using **TLS 1.2 or higher**.

This ensures confidentiality and integrity of data during transmission and protects against interception, tampering, or downgrade attacks.

***

#### Key Management and Protection

Cryptographic keys used for encryption are:

* Generated and stored securely
* Access-controlled based on least-privilege principles
* Protected using hardened key management practices

In SaaS deployments, keys are managed using **FIPS 140-2 Level 3 compliant HSMs** operated within secure data centers. In on-premises deployments, key management aligns with the customer’s chosen HSM or key management infrastructure.

***

#### Application-Level Data Protection

CertiNext’s application architecture further strengthens data protection by:

* Avoiding persistence of customer data at the application layer
* Ensuring all sensitive data is stored only in the secured data layer
* Enforcing strict access controls before any data is retrieved or modified

This minimizes the attack surface and simplifies recovery and audit processes.

***

#### Access Controls and Segregation

Encryption is complemented by strong access controls:

* Role-based access control (RBAC) within the application
* Least-privilege access for platform and operational users
* Logical tenant isolation in SaaS deployments
* Optional database-level isolation per customer

Only authorized users and services can access decrypted data, and all access is logged for audit purposes.

***

#### Monitoring, Auditing, and Compliance

CertiNext continuously monitors data access and usage patterns and maintains:

* Detailed audit logs for all data-related operations
* Alerts for abnormal or unauthorized access attempts
* Evidence to support security audits and compliance reviews

These controls support alignment with frameworks such as ISO 27001, SOC 2, and other enterprise security requirements.

***

#### Summary

Data encryption and protection in CertiNext are implemented as **foundational security controls**, not optional features. By combining encryption at rest, encryption in transit, strong key management, access governance, and continuous monitoring, CertiNext ensures that customer data remains protected throughout its lifecycle—across deployments, environments, and operational scenarios.


