Cryptography and Data Protection
While the hybrid control plane ensures logical and physical isolation, cryptography provides the mathematical guarantee that your data remains unreadable to unauthorized parties. Going deeper than the architectural boundaries discussed in the previous section, this layer ensures that data is protected by rigorous encryption standards whether it is at rest, moving across the network, or being processed within a workflow.

Enforced Encryption Standards

Tavio mandates strict cryptographic protocols at the infrastructure level. These settings are enforced globally and cannot be disabled by users.

Encryption at Rest (AES-256)

All persistent data stored within the platform is encrypted using AES-256. This blanket protection applies to every layer of persistence, including:

- File storage: documents and temporary files in S3 buckets.
- Databases: transaction logs, execution history, and configuration metadata.
- Temporary state: data buffered in memory during complex workflow executions.

Encryption in Transit (TLS 1.3)

All data moving in and out of the platform, whether it is an API call, a file transfer, or a user logging into the console, uses TLS 1.3. This protects traffic against interception and tampering with the most modern and secure cryptographic protocol currently available.

The Credential Vault (Locker Service)

Handling authentication credentials for third-party systems is one of the highest-risk aspects of integration. Tavio manages this via the Locker Service, a dedicated infrastructure component designed solely for secret management.

- Zero plaintext: user credentials, API keys, and certificates are never stored in plaintext. They are encrypted immediately upon entry and stored in a high-availability vault.
- Access control: access to these secrets is governed by strict access control rules, ensuring that only authorized services, specifically the worker executable running the integration, can retrieve them at runtime.
- Split-knowledge security: the vault itself is protected by master keys that require split knowledge to unlock. No single administrator holds the full key; parts of the key are distributed among stakeholders and must be physically recombined to unlock the vault in emergency "break glass" scenarios.

Payload Encryption

While the platform encrypts the pipe and the storage, specific business requirements may demand that the payload itself be encrypted before it leaves the environment. Tavio provides developers with tools to implement field-level or file-level encryption within their workflows.

- PGP/GPG nodes: the platform includes native support for GPG operations. Developers can use dedicated workflow nodes to encrypt sensitive files or text strings with the recipient's public key before transmission, or to decrypt incoming payloads with a private key stored in the credential vault.
- Binary and text support: these tools accept both raw text input and file uploads, so you can protect everything from a single field to a bulk CSV export before it is handed off to an external SFTP server or API. One caveat: hashing a field with SHA-256 is a one-way transformation, not encryption. The digest cannot be decrypted, and for a low-entropy value such as an SSN it can be reversed simply by enumerating the possible inputs and comparing digests. Use a plain hash only where the recipient never needs the original value and the input space is large; where the field must stay confidential, prefer a keyed construction (an HMAC whose key is held in the vault) or GPG encryption.
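The split-knowledge property described for the Locker Service master keys is what a k-of-n threshold scheme provides: no single fragment says anything about the key, and any quorum of fragments reconstructs it exactly. The following is an added illustration of that idea using Shamir secret sharing over a prime field; it is not Tavio's implementation, and the field prime, share layout and function names are assumptions made for the example.

```python
# Added illustration of split knowledge for a vault master key: a k-of-n
# threshold split (Shamir secret sharing). NOT Tavio's Locker Service code;
# the field prime, share layout and function names are assumptions.
import secrets

# 2**521 - 1 is a Mersenne prime, so arithmetic mod PRIME is a proper finite
# field, and it comfortably holds a 256-bit master key.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(master_key: bytes, threshold: int, num_shares: int):
    """Split master_key into num_shares (x, y) fragments.

    Any `threshold` fragments recover the key. Fewer reveal nothing, because
    every candidate key is equally consistent with them; that is what lets each
    stakeholder hold only a part.
    """
    if not 2 <= threshold <= num_shares:
        raise ValueError("need 2 <= threshold <= num_shares")
    secret = int.from_bytes(master_key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold - 1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, num_shares + 1)]


def recombine_secret(shares) -> int:
    """Lagrange interpolation at x = 0 recovers the constant term."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recombine_key(shares, key_len: int) -> bytes:
    """Byte form of the recovered key. Raises OverflowError when the fragments
    do not reconstruct something key-sized (wrong or insufficient set)."""
    return recombine_secret(shares).to_bytes(key_len, "big")


def break_glass_demo():
    """Constructed scenario: 3-of-5 split of a random 256-bit master key."""
    master_key = secrets.token_bytes(32)
    shares = split_key(master_key, threshold=3, num_shares=5)
    # Three stakeholders present their fragments: the key comes back exactly.
    quorum_ok = recombine_key([shares[0], shares[2], shares[4]], 32) == master_key
    # Two fragments interpolate to some field element, but not the key.
    below_quorum_ok = recombine_secret(shares[:2]) == int.from_bytes(master_key, "big")
    return quorum_ok, below_quorum_ok


if __name__ == "__main__":
    print(break_glass_demo())  # (True, False)
```

The recombination step is the sensitive moment: it should run on a trusted host, the fragments should travel out of band (the "physically recombined" wording above), and the reconstructed key should be discarded from memory once the vault is unlocked.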
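To make the caveat on hashing concrete, here is an added example (not Tavio workflow-node code; the record, keys and function names are constructed for the demonstration) that applies a plain SHA-256 and a keyed HMAC-SHA256 to an SSN field and then runs the offline guessing attack against both. The attack assumes the area and group numbers are already known and enumerates only the serial, which keeps the demo fast; the same approach over the full 10**9 space is still feasible on a single machine.

```python
# Added example: why "one-way SHA-256" of a low-entropy field is not
# confidential, and how a vault-held key changes that. Not Tavio code;
# the record, keys and function names are constructed for the demo.
import hashlib
import hmac
from typing import Callable, Optional

# Constructed sample record, not real data.
RECORD = {"name": "J. Doe", "ssn": "123-45-6789"}


def sha256_field(value: str) -> str:
    """Unkeyed SHA-256 of a field: one-way, but anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_field(value: str, key: bytes) -> str:
    """Keyed one-way transform (HMAC-SHA256). Still not reversible, but guesses
    cannot even be tested without the key, which belongs in the credential
    vault rather than next to the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def enumerate_serials(digest: str, known_prefix: str,
                      transform: Callable[[str], str]) -> Optional[str]:
    """Offline guessing attack against a one-way transform of an SSN.

    `transform` is whatever the attacker can compute. For an unkeyed hash that
    is the hash itself, so the 10**4 candidate serials are checked directly.
    """
    for serial in range(10_000):
        candidate = f"{known_prefix}{serial:04d}"
        if hmac.compare_digest(transform(candidate), digest):
            return candidate
    return None


def demo():
    vault_key = b"\x42" * 32  # constructed stand-in for a key held in the vault
    plain_digest = sha256_field(RECORD["ssn"])
    keyed_digest = hmac_field(RECORD["ssn"], vault_key)

    # Unkeyed: the attacker recomputes SHA-256 and recovers the SSN.
    recovered = enumerate_serials(plain_digest, "123-45-", sha256_field)
    # Keyed: without vault_key the attacker can only guess a key, and the
    # enumeration finds nothing.
    attacker_guess = b"\x00" * 32
    not_recovered = enumerate_serials(
        keyed_digest, "123-45-", lambda v: hmac_field(v, attacker_guess))
    return recovered, not_recovered


if __name__ == "__main__":
    print(demo())  # ('123-45-6789', None)
```

Neither variant is a substitute for encryption when the downstream system needs the real value; for that, the GPG nodes described above (public key to encrypt, vault-held private key to decrypt) are the appropriate tool.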