Encryption in transit and at rest
TLS 1.2+ on every edge. AES-256-GCM on everything persisted.
- Automated certificate rotation on inbound and outbound edges.
- AES-256-GCM at rest on prompts, completions, embeddings, and logs.
- Key encryption keys stored in a hardware-backed KMS boundary.
- Customer-managed keys (CMK / BYOK) available on enterprise agreements.