Data encryption overview
In transit, at rest, and the key-management story.
All customer data is encrypted in transit and at rest, using industry-standard primitives.
In transit
TLS 1.3 on every edge. Public endpoints accept only TLS 1.2 and later, with the cipher suites those versions allow. Internal service-to-service traffic uses mTLS inside our VPC.
At rest
AES-256-GCM for all customer data in primary storage. Backups use the same cipher with distinct per-backup keys.
Key management
Keys live in AWS KMS and are used in an envelope-encryption scheme: a workspace-specific DEK (data encryption key) is generated when the workspace is created and is wrapped (encrypted) by a CMK (customer master key) held in KMS. We never see plaintext DEKs outside of live request processing.
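As an added illustration, not code from this page or the service it describes, the envelope scheme above in Go: a per-workspace DEK is wrapped under the CMK with the workspace ID bound as associated data, and the per-request unwrap hands out a key handle rather than raw bytes. The in-process CMK, the blob layout and all identifiers (Key, NewWorkspaceDEK, UnwrapDEK, the ws_ IDs) are this example's own assumptions; with real AWS KMS the wrap and unwrap are API calls and the CMK never leaves KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is an AES-GCM handle; every key in this example is 32 bytes, giving AES-256-GCM. The in-process CMK Key stands in for KMS.
type Key struct{ g cipher.AEAD }
func NewKey(raw []byte) (Key, error) {
	block, err := aes.NewCipher(raw)
	if err != nil {
		return Key{}, err
	}
	g, err := cipher.NewGCM(block)
	return Key{g}, err
}

// Seal returns nonce || ciphertext || tag and Open reverses it. The workspace ID is bound
// as aad, so a wrapped DEK or record cannot be replayed under another workspace.
func (k Key) Seal(plaintext, aad []byte) []byte {
	nonce := make([]byte, k.g.NonceSize())
	rand.Read(nonce) // fresh 96-bit nonce per message; crypto/rand.Read cannot fail on Go 1.24+
	return k.g.Seal(nonce, nonce, plaintext, aad)
}
func (k Key) Open(sealed, aad []byte) ([]byte, error) {
	if n := k.g.NonceSize(); len(sealed) >= n {
		return k.g.Open(nil, sealed[:n], sealed[n:], aad) // fails on wrong key, wrong aad or any changed byte
	}
	return nil, errors.New("ciphertext too short")
}

// NewWorkspaceDEK runs at workspace creation; only the wrapped DEK is returned for storage.
func NewWorkspaceDEK(cmk Key, wsID string) []byte {
	dek := make([]byte, 32)
	rand.Read(dek)
	return cmk.Seal(dek, []byte(wsID))
}

// UnwrapDEK is the per-request unwrap: callers get a handle, and the raw key bytes are zeroed.
func UnwrapDEK(cmk Key, wrapped []byte, wsID string) (Key, error) {
	raw, err := cmk.Open(wrapped, []byte(wsID))
	if err != nil {
		return Key{}, err
	}
	defer func() { for i := range raw { raw[i] = 0 } }() // runs after NewKey has expanded the key
	return NewKey(raw)
}
```

A record written under one workspace's DEK cannot be opened with a DEK unwrapped for another workspace ID, and a wrapped DEK presented with the wrong workspace ID fails to unwrap at all.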
Customer-managed keys
Scale customers can bring their own CMK (BYOK) rooted in their own AWS or GCP KMS. Available on the Enterprise tier of Scale.
What's not encrypted
Only the metadata needed for routing (workspace ID, user ID, integration type) is left unencrypted. It is never PII and never customer payload.