Encryption
Your data is encrypted so only you can read it. Not us, not the DBA, not someone with a backup tape.
Key generation
Your X25519 keypair is generated on your device. Only the public key reaches the server during registration. The private key never leaves.
How it works
Every record is encrypted on its own:
- We generate a random encryption key for the record.
- The data gets encrypted with that key (AES-256-GCM).
- The key itself is encrypted with your wrapping key.
- Only the encrypted blob is stored.
The wrapping key is derived from your private key and only lives in server memory while you have an active session. When the session ends, it’s gone.
What’s protected
| Your data | Encrypted? |
|---|---|
| Workflow definitions (URLs, logic, schemas) | Yes |
| Run event data (request/response bodies) | Yes |
| Run results | Yes |
| Secret values (API keys, tokens) | Yes |
| Run status, timestamps | No — the dashboard needs these |
| Step execution status | No — the engine needs these |
Metadata like “run started” or “step completed” is visible for monitoring. The actual payloads inside those events are always encrypted.
What that means for you
- Database backups can’t be decrypted — they’re useless without your key.
- We can’t see your workflow definitions or API responses. Neither can anyone we hire.
- Other tenants can’t touch your data. Every tenant has its own encryption key.
- Your data is only readable while you have an active session.
Key rotation
If you need to rotate your encryption key, we re-wrap all your data with the new key without ever decrypting the underlying data. Ask your admin to kick it off.
If you lose your private key
Your data is permanently inaccessible. No master key, no recovery, no backdoor. That’s the whole point of zero-knowledge — if we had a way in, so would everyone else.
Back up your key somewhere you trust.