Erik Jonsson Thorén, CTO
14th October 2025

Enhanced Security with Google Cloud KMS Encryption

We've implemented SOC 2-grade encryption for all sensitive customer data using Google Cloud Key Management Service (KMS) and envelope encryption.

Envelope Encryption Architecture

Instead of encrypting data directly with KMS (which is subject to rate limits and adds cost and latency), we generate a unique Data Encryption Key (DEK) per tenant/organization. The DEK encrypts customer data locally using AES-256-GCM, while KMS encrypts only the DEK itself. This gives us the security of managed keys with the performance of local encryption.

Field-Level Encryption

Sensitive data like access keys, signing keys, client secrets, temporary session identifiers, API keys, files, headers, environment variables, SAML configurations, MCP server credentials, and information of similar sensitivity are now all encrypted at the application layer. Even with full database access, an attacker would need both database credentials and KMS decrypt permissions to access plaintext data.
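
The envelope scheme and per-field encryption described above, as an added Go example that is not Gatana's code. It assumes a local `kek` standing in for the Cloud KMS key (in production the wrap and unwrap steps are KMS Encrypt/Decrypt calls), hypothetical function names, and tenant and field identifiers without "/"; binding the tenant and field name as GCM associated data goes beyond what the post states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm seals in as nonce||ciphertext (enc=true) or opens it, using AES-GCM.
func gcm(key, in, aad []byte, enc bool) ([]byte, error) {
	b, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(b)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if enc {
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return g.Seal(nonce, nonce, in, aad), nil
	}
	if len(in) < n {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return g.Open(nil, in[:n], in[n:], aad)
}

// NewTenantDEK wraps a fresh 256-bit DEK under kek (local stand-in for Cloud KMS Encrypt).
func NewTenantDEK(kek []byte, tenant string) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return gcm(kek, dek, []byte(tenant), true)
}

// Field encrypts or decrypts one field; the AAD binds it to tenant and field name.
func Field(kek, wrapped []byte, tenant, name string, in []byte, enc bool) ([]byte, error) {
	dek, err := gcm(kek, wrapped, []byte(tenant), false) // KMS Decrypt in real code
	if err != nil {
		return nil, err
	}
	return gcm(dek, in, []byte(tenant+"/"+name), enc)
}
```

The database stores only the wrapped DEK and the field ciphertext, so a ciphertext copied into another tenant's row or another column fails authentication instead of decrypting.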

This puts us on track for SOC 2 compliance while maintaining sub-10ms encryption overhead for API requests.

If you have any questions, please don't hesitate to reach out to me at erik@gatana.ai.