Encryption
All data in the Ventryx platform is encrypted in transit and at rest using industry-standard algorithms. Encryption is not optional — it is always on for every organization, at every tier.
Encryption in transit
All communication with the Ventryx API is encrypted using TLS 1.2 or higher. TLS 1.0 and 1.1 are not supported. HTTP requests are rejected — all traffic must use HTTPS.
| Protocol | Support |
|---|---|
| TLS 1.3 | Preferred |
| TLS 1.2 | Supported |
| TLS 1.1 / 1.0 | Not supported |
| HTTP (unencrypted) | Rejected |
Cipher suites are restricted to those with forward secrecy (ECDHE key exchange). Certificates are issued by a trusted CA and auto-renewed via ACME.
Encryption at rest
All stored data — event payloads, workflow state, API key hashes, audit logs, and analytics data — is encrypted at rest using AES-256 with unique per-customer data keys managed by a hardware-backed KMS.
API keys are stored as salted bcrypt hashes. The plaintext key value is never written to disk. If you lose an API key, it cannot be recovered — you must create a new one.
Customer-managed encryption keys (CMEK)
Enterprise organizations can bring their own encryption keys via CMEK integration with AWS KMS or Google Cloud KMS. When CMEK is active:
- Your KMS key is used to wrap the per-customer data encryption key
- Revoking your KMS key immediately renders all stored data inaccessible
- You retain full control over key rotation policy and lifecycle
Contact sales to enable CMEK for your organization.
Key management
Ventryx uses a tiered key hierarchy:
- Master key — stored in a hardware security module (HSM), never leaves the HSM
- Data encryption key (DEK) — unique per organization, encrypted with the master key
- Record-level keys — derived per storage partition for additional isolation