A database dump exposes no personal data.
Every user's personal data is encrypted at rest with per-tenant keys that never touch the database. A leaked storage credential or a stolen backup yields ciphertext — not emails, not names, not phone numbers.
How it works
- Encryption happens outside the database. Values are encrypted and decrypted through HashiCorp Vault Transit — the application never holds the key material, and the database never sees a key.
- Every tenant has its own key. Deleting a tenant crypto-shreds its key, making all of that tenant's data permanently unrecoverable with no row-by-row erasure required. The shred is only as final as the key's deletion: a key that lives on in a Vault backup or snapshot can still decrypt, so those are retired with it.
- Each value is encrypted with AES-256-GCM under a fresh random nonce, so two encryptions of the same input produce different ciphertext and a dump shows no repeated values.
Encrypted, and still searchable
Encryption usually means giving up search. It doesn't here. Alongside each encrypted value we store keyed-HMAC "blind index" tokens, so login-by-email, admin search-by-name, and "everyone at acme.com" all work as exact and prefix lookups over data that is never stored in the clear. The HMAC key is kept outside the database, like the encryption keys, so a dump of the index tables yields only opaque tokens. What such a dump does show is which rows carry the same token, that is, which rows share a value or an indexed prefix; the values themselves stay hidden for as long as the HMAC key does.
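The encrypt-and-index flow described in the two sections above, as an added example that is not the page's or the product's own code. It uses a local stand-in for Vault Transit (one key per tenant, AES-256-GCM with a random 96-bit nonce, HMAC-SHA256 tokens under a separate per-tenant HMAC key) and a row type that holds ciphertext plus exact, domain and prefix tokens. The stand-in, the field names, the 3..8 prefix lengths and the sample addresses are all assumptions made for the example; the page names only AES-256-GCM and "keyed HMAC". Deleting the tenant shows the crypto-shred: decryption fails and no lookup can match.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Per-tenant key material: AES-256-GCM plus a separate HMAC key for the index.
type tenantKey struct{ aead cipher.AEAD; mac []byte }

// KeyService stands in for Vault Transit (assumed: one transit key per tenant).
// Callers get ciphertext, plaintext and tokens back, never key bytes.
type KeyService struct{ keys map[string]*tenantKey }
func NewKeyService() *KeyService { return &KeyService{keys: map[string]*tenantKey{}} }

// random returns n CSPRNG bytes (crypto/rand.Read cannot fail since Go 1.24).
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// CreateTenant mints fresh keys; DeleteTenant crypto-shreds them.
func (ks *KeyService) CreateTenant(t string) {
	block, _ := aes.NewCipher(random(32)) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	ks.keys[t] = &tenantKey{aead: g, mac: random(32)}
}
func (ks *KeyService) DeleteTenant(t string) { delete(ks.keys, t) }

// Encrypt prepends a fresh random 96-bit nonce, so two encryptions of the same
// value never produce the same ciphertext.
func (ks *KeyService) Encrypt(t string, pt []byte) ([]byte, error) {
	k, ok := ks.keys[t]
	if !ok {
		return nil, errors.New("no key for tenant " + t)
	}
	nonce := random(k.aead.NonceSize())
	return k.aead.Seal(nonce, nonce, pt, nil), nil
}

// Decrypt fails once the tenant's key is gone: the ciphertext is then inert.
func (ks *KeyService) Decrypt(t string, ct []byte) ([]byte, error) {
	k, ok := ks.keys[t]
	if !ok || len(ct) < k.aead.NonceSize() {
		return nil, errors.New("cannot decrypt: key shredded or ciphertext malformed")
	}
	ns := k.aead.NonceSize()
	return k.aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// Token is the keyed-HMAC blind index (HMAC-SHA256 assumed). The field name is
// mixed in so the email and name indexes of one string differ; "" means no key.
func (ks *KeyService) Token(t, field, value string) string {
	k, ok := ks.keys[t]
	if !ok {
		return ""
	}
	m := hmac.New(sha256.New, k.mac)
	m.Write([]byte(field + "\x00" + value))
	return hex.EncodeToString(m.Sum(nil))
}

// Row is what the database holds: ciphertext plus index tokens, no plaintext.
type Row struct{ ID int; Email []byte; Tokens map[string]bool }
func norm(v string) string { return strings.ToLower(strings.TrimSpace(v)) }

// IndexRow encrypts the address and computes an exact token, a domain token
// ("everyone at acme.com") and prefix tokens for lengths 3..8 (a tradeoff:
// more prefix lengths mean more search and more structure visible in a dump).
func IndexRow(ks *KeyService, t string, id int, email string) (Row, error) {
	e := norm(email)
	ct, err := ks.Encrypt(t, []byte(e))
	if err != nil {
		return Row{}, err
	}
	toks := map[string]bool{ks.Token(t, "email", e): true}
	if at := strings.LastIndex(e, "@"); at >= 0 {
		toks[ks.Token(t, "email_domain", e[at+1:])] = true
	}
	for n := 3; n <= 8 && n <= len(e); n++ {
		toks[ks.Token(t, "email_prefix", e[:n])] = true
	}
	return Row{ID: id, Email: ct, Tokens: toks}, nil
}

// Find tokenises the query and compares tokens only: the value never reaches
// the database, and after a shred no token exists, so nothing matches.
func Find(ks *KeyService, rows []Row, t, field, value string) []int {
	tok := ks.Token(t, field, norm(value))
	var ids []int
	for _, r := range rows {
		if tok != "" && r.Tokens[tok] {
			ids = append(ids, r.ID)
		}
	}
	return ids
}
```

In production the three KeyService calls map onto Vault's transit/encrypt, transit/decrypt and transit/hmac endpoints, keyed by tenant name, and only the returned ciphertext and tokens are written to the database. Note what a dump of the rows above still shows: equal tokens mark rows with the same address, domain or leading characters, and every extra prefix length widens that structure, which is the price of the prefix search.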
What's protected
Email addresses, first and last names, phone numbers, company names, and any custom attributes you store — all encrypted at rest. Passwords were never stored reversibly (they are one-way hashed with a modern KDF). Role assignments, opaque IDs, and timestamps are not personal data and are left in the clear so the system stays operable.
The threat we designed against
The scenario is a leaked storage credential or an exposed backup: someone gets a raw copy of the tables. Transparent disk- or volume-level encryption, even with customer-managed keys, does not help there: it decrypts automatically for anything that can read the store, so a dump comes out in plaintext. Application-level encryption does help: the keys live in Vault, isolated from the data, so a copy of the tables is a copy of ciphertext. A compromise of a running application instance, which can still ask Vault to decrypt, is a different scenario and not the one this control addresses.
In transit, too
Data is encrypted in transit (TLS 1.2+) as well as at rest. We're glad to walk enterprise customers through our security controls under NDA.
Reporting a vulnerability
Found something? Email [email protected]. Our machine-readable contact is published at /.well-known/security.txt.