Encryption
Backbuild encrypts customer data in transit and at rest using NIST-approved algorithms. Cryptographic choices are reviewed on a scheduled basis against current industry guidance and deprecations.
Data in transit
- TLS 1.2 and TLS 1.3: all public endpoints require TLS; TLS 1.3 is preferred when supported by the client. TLS 1.0 and TLS 1.1 are disabled.
- HSTS: HTTP Strict Transport Security is enforced with a long max-age and the includeSubDomains directive.
- Edge termination: TLS is terminated at the Cloudflare global edge network. Cloudflare manages certificate issuance and renewal through automated processes.
- Service-to-service: internal service calls traverse authenticated, encrypted channels; unencrypted protocols are not used for customer data.
- Forward secrecy: cipher suites with forward secrecy are preferred and legacy ciphers are disabled.
Data at rest
- Customer data: encrypted at rest using AES-256-GCM within the managed database cluster and object storage.
- Integration secrets: customer-supplied credentials, API keys, OAuth tokens, and other sensitive integration material are encrypted with AES-256-GCM using versioned data encryption keys.
- Backups: all database and object storage backups are encrypted at rest with the same standard as primary storage.
- Logs and audit trails: stored in encrypted storage with access restricted to authorized operators.
Key management
- Storage: encryption keys are stored in the Cloudflare secrets store. Application code reads keys at request time and never writes them to disk.
- Rotation: keys are rotated on a documented schedule — at minimum quarterly, and immediately upon any suspected compromise. The rotation procedure is maintained in an internal runbook.
- Versioning: the integration secret encryption scheme supports multiple concurrent key versions, enabling non-disruptive key rotation. Each ciphertext is tagged with the key version used to encrypt it.
- Access: access to key material is restricted to a small number of authorized personnel, logged, and reviewed on a recurring basis.
- Destruction: retired keys are securely destroyed once no ciphertext remains that depends on them.
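The Versioning and Destruction items above can be illustrated with a short sketch. This is an added example, not Backbuild's code: the envelope layout, the in-memory key ring, and every function name are assumptions made for illustration.

```javascript
// Added illustration of version-tagged AES-256-GCM; names and format are hypothetical.
const nodeCrypto = require("node:crypto");

// Constructed key ring: version -> 32-byte key. A real service would read
// these from its secrets store at request time, not generate them here.
const keyRing = new Map([[1, nodeCrypto.randomBytes(32)], [2, nodeCrypto.randomBytes(32)]]);
const currentVersion = 2;
const GCM = "aes-256-gcm";

// Assumed envelope: version (4 bytes, big-endian) | nonce (12) | tag (16) | ciphertext
function encryptSecret(plaintext, version = currentVersion) {
  const key = keyRing.get(version);
  if (!key) throw new Error(`unknown key version ${version}`);
  const header = Buffer.alloc(4);
  header.writeUInt32BE(version, 0);
  const nonce = nodeCrypto.randomBytes(12); // fresh per message, never reused with a key
  const cipher = nodeCrypto.createCipheriv(GCM, key, nonce, { authTagLength: 16 });
  cipher.setAAD(header); // authenticate the version tag so it cannot be swapped
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([header, nonce, cipher.getAuthTag(), body]);
}

function decryptSecret(envelope) {
  if (envelope.length < 32) throw new Error("envelope too short");
  const version = envelope.readUInt32BE(0);
  const key = keyRing.get(version);
  if (!key) throw new Error(`key version ${version} retired or unknown`);
  const nonce = envelope.subarray(4, 16);
  const decipher = nodeCrypto.createDecipheriv(GCM, key, nonce, { authTagLength: 16 });
  decipher.setAAD(envelope.subarray(0, 4));
  decipher.setAuthTag(envelope.subarray(16, 32));
  // final() throws if the tag, the ciphertext, or the version header was altered
  const body = Buffer.concat([decipher.update(envelope.subarray(32)), decipher.final()]);
  return { version, plaintext: body.toString("utf8") };
}

// Rotation step: re-encrypt anything not already under the current key version.
function rewrap(envelope) {
  const { version, plaintext } = decryptSecret(envelope);
  return version === currentVersion ? envelope : encryptSecret(plaintext);
}

// True once no stored ciphertext depends on `version`, so that key may be destroyed.
function canRetire(version, envelopes) {
  return version !== currentVersion && envelopes.every((e) => e.readUInt32BE(0) !== version);
}
```

Because old and new key versions decrypt side by side, stored secrets can be rewrapped in the background, and the version header shows when a retired key has no remaining dependents.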
Cryptographic standards
- Hashing: SHA-256 and stronger only. SHA-1 and MD5 are not used for security purposes.
- Symmetric encryption: AES-256-GCM for authenticated encryption.
- Asymmetric encryption and signatures: RSA 2048+ and ECDSA on NIST P-256 or stronger curves; Ed25519 where supported.
- Password hashing: modern, memory-hard algorithms with salts; fast hashes such as MD5 or plain SHA are never used for credentials.
- Random number generation: cryptographically secure generators provided by the runtime; no user-space pseudo-random generators for security-sensitive values.
- Deprecated algorithms are removed on a schedule aligned with NIST guidance.
Customer-managed keys
Customer-managed encryption keys (CMEK) and bring-your-own-key (BYOK) are not currently supported. This is a roadmap item driven by enterprise customer demand. Customers with specific key management requirements should contact the security team to discuss timelines and available interim controls.
Contact
Encryption questions or cryptographic detail requests: security@backbuild.ai