Encryption at rest
Overview
All customer data stored within the Unique Platform is encrypted at rest using industry-standard AES-256 encryption. Unique uses Customer-Managed Keys (CMK) backed by Hardware Security Modules (HSM) for every production tenant, meaning key material never leaves a certified HSM boundary and Unique has no standing access to your encryption keys.
Encryption is applied uniformly across all persistent data stores, such as databases and blob storage, with each service type protected by its own isolated key.
Key Principles
Customer data is encrypted at rest at all times
Keys are HSM-backed, customer-managed, and isolated per service
No encryption key is shared across workload types or tenants
Encrypted Services
Encryption is applied uniformly across all persistent data stores. Each service type is protected by its own dedicated, isolated key.
| Service / Data Store | Encryption Method | Key Strength | Key Management |
|---|---|---|---|
| PostgreSQL Database | AES-256 | RSA-HSM 2048-bit CMK | Customer-Managed Key (Azure Key Vault HSM) |
| Blob / Object Storage | AES-256 | RSA-HSM 2048-bit CMK | Customer-Managed Key (Azure Key Vault HSM) |
| Encryption Key Material | FIPS 140-3 Level 3 HSM-backed | RSA 2048-bit | Azure Key Vault Premium (HSM) |
Architectural overview: Security Architecture - Single-tenant Chat.
Key Management
Encryption keys are managed exclusively through Azure Key Vault Premium, which enforces hardware-backed key storage and provides a full audit trail for every key operation.
| Control | Details |
|---|---|
| Key Vault SKU | Azure Key Vault Premium. |
| HSM Standard | FIPS 140-3 Level 3: key material is generated and stored inside certified hardware security modules. |
| Access Model | Azure RBAC: each service uses a dedicated Managed Identity for access. |
| Key Isolation | One CMK per service type. No shared key material across workloads. |
| Purge Protection | Enabled on all Key Vaults. 30-day soft-delete retention prevents accidental or malicious key deletion. |
| Audit Logging | Diagnostic audit events are streamed from all Key Vaults. Every key operation is logged. |
| Key Rotation | Supported via infrastructure automation, designed for zero-downtime rotation. |
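The controls in the table above map directly onto properties that Azure Key Vault exposes, so they can be verified rather than taken on trust. The following is an added example, not Unique's own tooling: it audits the JSON that `az keyvault show` and `az keyvault key show` return against the stated SKU, soft-delete, purge-protection, RBAC and key-type requirements. The vault and key documents are constructed samples with invented names; the field names are those of the Azure CLI output.

```python
"""Audit Azure Key Vault settings against the encryption-at-rest controls above."""
import base64
import json

# Constructed sample shaped like `az keyvault show --name <vault>` output
# (only the fields this check reads; the vault name is invented).
COMPLIANT_VAULT = json.dumps({
    "name": "kv-tenant-example-cmk",
    "properties": {
        "sku": {"family": "A", "name": "premium"},
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 30,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": True,
        "accessPolicies": [],
    },
})

# Constructed counter-example: Standard SKU, short retention, no purge protection,
# and legacy vault access policies instead of Azure RBAC.
WEAK_VAULT = json.dumps({
    "name": "kv-tenant-example-weak",
    "properties": {
        "sku": {"family": "A", "name": "standard"},
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": None,   # the CLI prints null when never enabled
        "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000",
                            "permissions": {"keys": ["all"]}}],
    },
})

# Constructed 2048-bit modulus (0xC3 repeated, top bit set) in the base64url form
# the CLI uses for the "n" field of an RSA key.
SAMPLE_MODULUS = base64.urlsafe_b64encode(b"\xc3" * 256).rstrip(b"=").decode()

# Constructed sample shaped like `az keyvault key show` output for an HSM-backed CMK.
COMPLIANT_KEY = json.dumps({
    "key": {
        "kid": "https://kv-tenant-example-cmk.vault.azure.net/keys/cmk-postgres/0123",
        "kty": "RSA-HSM",
        "keyOps": ["wrapKey", "unwrapKey"],
        "n": SAMPLE_MODULUS,
        "e": "AQAB",
    },
    "attributes": {"enabled": True, "exportable": False},
})


def audit_vault(vault_json: str, min_retention_days: int = 30) -> list[str]:
    """Return findings for a vault document; an empty list means every check passed."""
    props = json.loads(vault_json).get("properties", {})
    findings = []
    if str(props.get("sku", {}).get("name", "")).lower() != "premium":
        findings.append("sku: not Premium, so HSM-backed (RSA-HSM) keys are unavailable")
    if props.get("enableSoftDelete") is not True:
        findings.append("soft-delete: disabled")
    retention = props.get("softDeleteRetentionInDays") or 0
    if retention < min_retention_days:
        findings.append(f"soft-delete retention: {retention} days, expected >= {min_retention_days}")
    if props.get("enablePurgeProtection") is not True:
        findings.append("purge protection: not enabled")
    if props.get("enableRbacAuthorization") is not True:
        findings.append("access model: vault access policies in use instead of Azure RBAC")
    if props.get("accessPolicies"):
        findings.append(f"access policies: {len(props['accessPolicies'])} legacy entries present")
    return findings


def rsa_bits(modulus_b64url: str) -> int:
    """Bit length of an RSA modulus given in base64url without padding."""
    padded = modulus_b64url + "=" * (-len(modulus_b64url) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big").bit_length()


def audit_key(key_json: str, min_bits: int = 2048) -> list[str]:
    """Check that a CMK is HSM-backed, large enough, non-exportable and wrap-only."""
    doc = json.loads(key_json)
    key, attrs = doc.get("key", {}), doc.get("attributes", {})
    findings = []
    if not str(key.get("kty", "")).endswith("-HSM"):
        findings.append(f"kty: {key.get('kty')} is a software key, not HSM-backed")
    if key.get("n") and rsa_bits(key["n"]) < min_bits:
        findings.append(f"size: {rsa_bits(key['n'])} bits, expected >= {min_bits}")
    if not {"wrapKey", "unwrapKey"} <= set(key.get("keyOps", [])):
        findings.append("keyOps: wrapKey/unwrapKey missing, service encryption cannot use this key")
    if attrs.get("exportable"):
        findings.append("attributes: key is exportable, key material can leave the HSM boundary")
    if attrs.get("enabled") is not True:
        findings.append("attributes: key is disabled")
    return findings


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_VAULT), ("weak", WEAK_VAULT)):
        print(name, audit_vault(doc) or "OK")
    print("key", audit_key(COMPLIANT_KEY) or "OK")
```

Run against live output by piping `az keyvault show` and `az keyvault key show` into the two functions; the checks are deliberately conservative (a `null` purge-protection value counts as a failure, not as unknown).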
Tenant & Key Isolation
Each tenant deployment provisions its own pair of Azure Key Vaults:
A Standard vault for operational secrets
A Premium (HSM-backed) vault exclusively for CMKs
Service identities are scoped to the minimum required role and can only access the keys they were explicitly assigned. There is no cross-tenant key access.
Operational Safeguards
Purge protection is enabled on all Key Vaults, preventing immediate deletion of keys or the vault itself even by privileged administrators.
A mandatory 30-day soft-delete retention period ensures keys can be recovered after accidental deletion.
All Key Vault operations emit diagnostic audit events retained for compliance review.
Key rotation is supported through infrastructure automation; the rotation process is designed to avoid service disruption.
Access is granted exclusively via Azure RBAC. There are no shared secrets or direct key access by human operators in steady state.
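The isolation and access statements in the Tenant & Key Isolation and Operational Safeguards sections above (one CMK per service, identities scoped to the minimum role on their own key, no human operators with standing key access) are equally checkable from an inventory. The script below is an added example and not part of Unique's platform: it takes a per-service map of CMK URIs and a list of role assignments in the shape of `az role assignment list` output, then reports shared keys, over-privileged or over-scoped service identities, and any non-service principal holding a key role. All principal IDs, key names and subscription paths are constructed placeholders; the role name "Key Vault Crypto Service Encryption User" is the Azure built-in role that service-side encryption needs.

```python
"""Review per-service CMK isolation and RBAC scoping for a tenant's HSM vault."""
from collections import defaultdict

# Azure built-in role that lets a service wrap/unwrap with a key and nothing more.
ALLOWED_ROLE = "Key Vault Crypto Service Encryption User"

# Constructed inventory: the versionless key URI each data store is configured with.
SERVICE_KEYS = {
    "postgresql": "https://kv-tenant-example-cmk.vault.azure.net/keys/cmk-postgres",
    "blob-storage": "https://kv-tenant-example-cmk.vault.azure.net/keys/cmk-blob",
}
# Constructed counter-example where two workloads share one key.
SHARED_SERVICE_KEYS = {
    "postgresql": "https://kv-tenant-example-cmk.vault.azure.net/keys/cmk-shared",
    "blob-storage": "https://kv-tenant-example-cmk.vault.azure.net/keys/cmk-shared",
}

# Constructed managed-identity principal IDs mapped to the service that owns them.
SERVICE_IDENTITIES = {
    "11111111-1111-1111-1111-111111111111": "postgresql",
    "22222222-2222-2222-2222-222222222222": "blob-storage",
}

VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-tenant-example/providers/Microsoft.KeyVault/vaults/kv-tenant-example-cmk")

# Constructed role assignments in the shape of `az role assignment list` entries.
ROLE_ASSIGNMENTS = [
    {   # correct: service identity, minimal role, scoped to its own key
        "principalId": "11111111-1111-1111-1111-111111111111",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": ALLOWED_ROLE,
        "scope": VAULT_ID + "/keys/cmk-postgres",
    },
    {   # finding: scoped to the whole vault, so it can reach the other service's key
        "principalId": "22222222-2222-2222-2222-222222222222",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": ALLOWED_ROLE,
        "scope": VAULT_ID,
    },
    {   # finding: a human user with standing administrative access to key material
        "principalId": "33333333-3333-3333-3333-333333333333",
        "principalType": "User",
        "roleDefinitionName": "Key Vault Administrator",
        "scope": VAULT_ID,
    },
]


def key_name(key_uri: str) -> str:
    """Extract the key name from a Key Vault key URI, ignoring any version suffix."""
    return key_uri.split("/keys/", 1)[1].split("/", 1)[0]


def find_shared_keys(service_keys: dict[str, str]) -> dict[str, list[str]]:
    """Map each key used by more than one service to the services sharing it."""
    users = defaultdict(list)
    for service, uri in service_keys.items():
        users[key_name(uri)].append(service)
    return {key: services for key, services in users.items() if len(services) > 1}


def review_role_assignments(assignments, service_keys, service_identities) -> list[str]:
    """Flag assignments that break least privilege or per-service key isolation."""
    findings = []
    for a in assignments:
        pid, role, scope = a["principalId"], a["roleDefinitionName"], a["scope"]
        if a["principalType"] != "ServicePrincipal":
            findings.append(f"{pid}: {a['principalType']} principal holds '{role}' at {scope}")
            continue
        service = service_identities.get(pid)
        if service is None:
            findings.append(f"{pid}: unknown service principal holds '{role}' at {scope}")
            continue
        if role != ALLOWED_ROLE:
            findings.append(f"{service}: role '{role}' exceeds '{ALLOWED_ROLE}'")
        if not scope.endswith("/keys/" + key_name(service_keys[service])):
            findings.append(f"{service}: scope '{scope}' is not limited to its own key")
    return findings


if __name__ == "__main__":
    print("shared keys:", find_shared_keys(SERVICE_KEYS) or "none")
    for finding in review_role_assignments(ROLE_ASSIGNMENTS, SERVICE_KEYS, SERVICE_IDENTITIES):
        print("finding:", finding)
```

Scoping the role assignment to the individual key object rather than the vault is what turns "one CMK per service type" from a naming convention into an enforced boundary; the review treats any vault-wide or resource-group-wide scope as a finding for that reason.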
Standards Alignment
| Framework | Relevant Control |
|---|---|
| ISO/IEC 27001 | A.10.1 Cryptographic controls |
| SOC 2 Type II | CC6.1 Logical and physical access controls; CC6.7 Encryption |
| NIST SP 800-57 | Key generation, storage, rotation, and destruction lifecycle |
| GDPR / nDSG | Technical and organisational measures for data protection |
| FINMA Circular 2023/1 | Operational risks and resilience for financial institutions |