Encryption & Key Management
Protecting Data at Every Layer
Encryption is a baseline security control and typically the first item on any enterprise security questionnaire. ReGenesis encrypts all data in transit using TLS 1.2/1.3 and all data at rest using AES-256. An attacker who obtains a disk, a storage snapshot, or a network capture therefore gets ciphertext that is unreadable without the keys. Encryption does not, on its own, stop an attacker who obtains valid application or database credentials, because the platform decrypts on their behalf; that gap is what key management and field-level encryption, described below, are meant to narrow.
Key management -- how encryption keys are created, stored, rotated, and destroyed -- is equally critical. ReGenesis uses AWS Key Management Service (KMS) as the foundation, with per-tenant encryption keys planned for GA and Bring Your Own Key (BYOK) capability for high-security clients who want to control their own keys. Field-level encryption provides an additional layer of protection for the most sensitive data: coaching transcripts, AI-generated psychological insights, and private coaching notes are encrypted individually so that database access alone is insufficient to read them.
McKinsey specifically requires encryption at rest and in transit as a baseline vendor security requirement. The ReGenesis encryption architecture goes beyond this baseline with field-level encryption for the most sensitive records, per-tenant key isolation (planned for GA, as noted above), and key storage in the FIPS 140 validated hardware security modules behind AWS KMS, from which key material never leaves in plaintext.
Encryption in Plain Language
Encryption in Transit (TLS)
Every time data moves between a user's browser or mobile app and the ReGenesis servers, it travels over TLS, an authenticated and encrypted channel. In the browser this is the "lock icon" in the address bar. The same requirement applies to service-to-service traffic inside the VPC, as the last row of the table shows.
| Aspect | Implementation |
|---|---|
| Protocol | TLS 1.2 minimum, TLS 1.3 preferred |
| Certificate | AWS Certificate Manager (ACM) with auto-renewal |
| Cipher Suites | Modern suites only (ECDHE for key exchange, AES-GCM for encryption) |
| HSTS | HTTP Strict Transport Security enabled (forces HTTPS) |
| Certificate Transparency | Enrolled in CT logs for monitoring |
| Internal Traffic | TLS between all internal services (no plaintext even inside VPC) |
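As an added example, not code from the ReGenesis platform (the page does not describe its server stack), the Go program below expresses the table's TLS policy as a `tls.Config`, audits Go's full cipher-suite list against it, and validates a Strict-Transport-Security header value. The one-year `max-age` floor and the `includeSubDomains` requirement are this example's assumptions about what "forces HTTPS" should mean; the page states neither.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// allowedTLS12Suites encodes the table's policy for TLS 1.2: ECDHE key exchange
// (forward secrecy) with an AEAD cipher (AES-GCM or ChaCha20-Poly1305). No RSA key
// exchange, no CBC, no 3DES. TLS 1.3 suites are all ECDHE+AEAD and are not
// configurable in Go, so they need no entry here.
var allowedTLS12Suites = map[uint16]bool{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:       true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:       true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:         true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:         true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:   true,
}

// SuiteAllowed reports whether a suite may be negotiated: any TLS 1.3-only suite,
// or a TLS 1.2 suite on the allow-list.
func SuiteAllowed(s *tls.CipherSuite) bool {
	tls13Only := len(s.SupportedVersions) > 0
	for _, v := range s.SupportedVersions {
		if v != tls.VersionTLS13 {
			tls13Only = false
		}
	}
	return tls13Only || allowedTLS12Suites[s.ID]
}

// HardenedServerConfig refuses anything below TLS 1.2 and, for TLS 1.2, offers only
// the allow-listed suites. The caller still has to attach certificates.
func HardenedServerConfig() *tls.Config {
	suites := make([]uint16, 0, len(allowedTLS12Suites))
	for id := range allowedTLS12Suites {
		suites = append(suites, id)
	}
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: suites}
}

// AuditSuites evaluates every suite Go knows, including the ones Go itself marks
// insecure, against the policy; useful as a unit test that the allow-list never drifts.
func AuditSuites() map[string]bool {
	out := map[string]bool{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		out[s.Name] = SuiteAllowed(s)
	}
	return out
}

// ValidateHSTS checks a Strict-Transport-Security value: max-age of at least one
// year and includeSubDomains (assumed thresholds for a policy that forces HTTPS).
func ValidateHSTS(value string) error {
	maxAge, includeSub := int64(-1), false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		switch {
		case strings.HasPrefix(strings.ToLower(d), "max-age="):
			n, err := strconv.ParseInt(d[len("max-age="):], 10, 64)
			if err != nil {
				return fmt.Errorf("unparseable directive %q", d)
			}
			maxAge = n
		case strings.EqualFold(d, "includeSubDomains"):
			includeSub = true
		}
	}
	if maxAge < 365*24*3600 {
		return errors.New("max-age below one year")
	}
	if !includeSub {
		return errors.New("includeSubDomains missing")
	}
	return nil
}

func main() {
	fmt.Println("min version is TLS 1.2:", HardenedServerConfig().MinVersion == tls.VersionTLS12)
	for name, ok := range AuditSuites() {
		fmt.Printf("%-52s allowed=%v\n", name, ok)
	}
	fmt.Println(ValidateHSTS("max-age=31536000; includeSubDomains; preload")) // <nil>
	fmt.Println(ValidateHSTS("max-age=300"))                                  // max-age below one year
}
```

In Go, `CipherSuites` governs only TLS 1.2; TLS 1.3 suites are fixed by the library and are all ECDHE with an AEAD, which is why `SuiteAllowed` passes them through. In the AWS architecture the page describes, the equivalent control sits on the load balancer or CDN security policy, and a check like `AuditSuites` belongs in CI so a later "temporary" addition of a CBC suite is caught before deployment.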
Encryption at Rest (AES-256)
Every piece of data stored on disk -- databases, file storage, backups -- is encrypted with AES-256, the NIST standard symmetric cipher at its largest key size. This storage-layer encryption is transparent to the application: it protects against lost or stolen media and against snapshots or volumes copied out of the account, but a process holding valid database credentials and IAM permission to use the KMS key reads plaintext as normal. That is why the most sensitive fields get an additional layer (see Field-Level Encryption below).
| Storage | Encryption Method | Key Source |
|---|---|---|
| PostgreSQL (RDS) | AES-256 via RDS encryption | AWS KMS |
| S3 Buckets | AES-256 via SSE-KMS | AWS KMS |
| DynamoDB | AES-256 via DynamoDB encryption | AWS KMS |
| ElastiCache (Redis) | AES-256 at rest; TLS in transit | AWS KMS |
| EBS Volumes | AES-256 via EBS encryption | AWS KMS |
| Backups | Inherits source encryption | AWS KMS |
Field-Level Encryption
Some data is so sensitive that storage-level encryption is not enough. With field-level encryption, individual fields within a record are encrypted by the application before they are written, each under its own data key that is in turn wrapped by a KMS key. Someone with read access to the database sees only ciphertext for these fields; decrypting them additionally requires permission to use the relevant KMS key, which can be restricted to the specific service that handles the data rather than granted to every process with database access.
Fields that receive field-level encryption:
- Coaching session transcripts
- AI-generated psychological insights
- Private coaching notes (coach_only visibility)
- Personal reflections and journal entries
- Sensitive goal content (flagged by user)
Key Management Hierarchy
Key Rotation
Keys are rotated regularly to limit the impact of a potential key compromise:
| Key Type | Rotation Frequency | Method |
|---|---|---|
| KMS keys | Annually (automatic) | AWS automatic rotation; previous key material is retained, so existing ciphertexts stay decryptable without re-encryption |
| Tenant Keys | Annually | Scheduled rotation with re-encryption |
| Data Encryption Keys (DEKs) | Per-use (envelope encryption) | New DEK per encryption operation |
| TLS Certificates | Before expiry (auto-renewal) | ACM automatic renewal |
| API Keys | Quarterly | Manual rotation with notification |
| Secrets (passwords, tokens) | Quarterly | AWS Secrets Manager auto-rotation |
BYOK (Bring Your Own Key)
For high-security clients who require key custody:
BYOK is targeted for GA release. In this model, the enterprise client generates its own key material and imports it into AWS KMS, or keeps it in an external key store that KMS calls out to. This means:
- ReGenesis cannot decrypt the organization's data while the organization's key is unavailable. With imported key material, AWS KMS holds a copy of the key inside its HSMs for as long as the key is enabled; with an external key store the key never leaves the organization's own HSM.
- The organization can revoke access at any time by disabling its key. Disabling stops new KMS Decrypt calls; data keys already unwrapped and cached in application memory remain usable until they are evicted, so cache lifetimes bound how quickly revocation takes effect.
- Full crypto-shredding is possible: delete the key material, and every data key wrapped under it, and therefore all data it protects, becomes permanently unreadable. Because deletion is irreversible, KMS enforces a 7 to 30 day waiting period before a KMS key is deleted, whereas imported key material can be deleted immediately.
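Field-level encryption with a fresh DEK per operation, annual rotation of tenant keys, and revocation or crypto-shredding by disabling or deleting the tenant key are all one pattern: envelope encryption. The Go program below is an added example, not ReGenesis code. It replaces AWS KMS with an in-memory `FakeKMS` that only wraps and unwraps data keys, the same role KMS `GenerateDataKey` and `Decrypt` play in a real deployment, so nothing here talks to AWS. The function names, the `tenant|record|field` AAD layout, and the `session-42`/`transcript` sample values are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrKeyUnavailable = errors.New("tenant root key unavailable") // deleted (crypto-shredded) or never created

// FakeKMS is a local stand-in for AWS KMS, written for this example only. It holds one 256-bit
// key-encryption key (KEK) per tenant and only wraps or unwraps data keys, so callers never see a KEK.
type FakeKMS struct{ keks map[string][]byte }

func NewFakeKMS() *FakeKMS                 { return &FakeKMS{keks: map[string][]byte{}} }
func (k *FakeKMS) CreateKey(tenant string) { k.keks[tenant] = randBytes(32) }
func (k *FakeKMS) DeleteKey(tenant string) { delete(k.keks, tenant) } // models disabling or deleting the key
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes (AES-256), so an error here is a bug
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// seal returns nonce||ciphertext||tag; open reverses it and authenticates the AAD.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK bind the tenant name as AAD, so a DEK wrapped for one tenant
// cannot be unwrapped under another tenant's key even if the stored bytes are moved.
func (k *FakeKMS) WrapDEK(tenant string, dek []byte) ([]byte, error) {
	kek, ok := k.keks[tenant]
	if !ok {
		return nil, ErrKeyUnavailable
	}
	return seal(kek, dek, []byte(tenant)), nil
}
func (k *FakeKMS) UnwrapDEK(tenant string, wrapped []byte) ([]byte, error) {
	kek, ok := k.keks[tenant]
	if !ok {
		return nil, ErrKeyUnavailable
	}
	return open(kek, wrapped, []byte(tenant))
}

// EncryptedField is what the database column stores: the ciphertext plus its own DEK, wrapped by the tenant key.
type EncryptedField struct{ WrappedDEK, Ciphertext []byte }

// fieldAAD ties a ciphertext to tenant, record and column, so a value copied into another row or column fails to open.
func fieldAAD(tenant, recordID, field string) []byte { return []byte(tenant + "|" + recordID + "|" + field) }
func EncryptField(kms *FakeKMS, tenant, recordID, field string, plaintext []byte) (EncryptedField, error) {
	dek := randBytes(32) // fresh DEK for every encryption operation
	wrapped, err := kms.WrapDEK(tenant, dek)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{wrapped, seal(dek, plaintext, fieldAAD(tenant, recordID, field))}, nil
}
func DecryptField(kms *FakeKMS, tenant, recordID, field string, ef EncryptedField) ([]byte, error) {
	dek, err := kms.UnwrapDEK(tenant, ef.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ef.Ciphertext, fieldAAD(tenant, recordID, field))
}

// RotateKey installs a new tenant KEK and re-wraps every DEK under it; field ciphertexts are untouched.
func (k *FakeKMS) RotateKey(tenant string, fields []*EncryptedField) error {
	newKEK := randBytes(32)
	rewrapped := make([][]byte, len(fields))
	for i, f := range fields {
		dek, err := k.UnwrapDEK(tenant, f.WrappedDEK)
		if err != nil {
			return err // nothing has been modified yet
		}
		rewrapped[i] = seal(newKEK, dek, []byte(tenant))
	}
	for i, f := range fields {
		f.WrappedDEK = rewrapped[i]
	}
	k.keks[tenant] = newKEK
	return nil
}
```

`RotateKey` shows why envelope encryption makes tenant-key rotation cheap: only the small wrapped DEKs change, so the bulk ciphertexts in the transcript table are never rewritten (KMS automatic rotation goes further and keeps old key material, so even the rewrap is unnecessary). `DeleteKey` is the crypto-shred: once the KEK is gone, `UnwrapDEK` fails and every field ciphertext stays ciphertext forever. In production the rewrap and the key switch must be committed in one transaction, and a key disable must be paired with flushing any DEKs cached in application memory, since a cached plaintext DEK keeps working until it is evicted.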
Mobile Device Encryption
| Platform | Key Storage | Encryption |
|---|---|---|
| iOS | Keychain Services, with item keys protected by the Secure Enclave's Data Protection key hierarchy | AES-256 |
| Android | Android KeyStore, hardware-backed (TEE or StrongBox) where the device supports it; the app should confirm this at runtime via `KeyInfo.isInsideSecureHardware()` (or `getSecurityLevel()` on API 31+) rather than assume it | AES-256 |
| Offline Cache | Encrypted local database (SQLCipher or equivalent) | AES-256 |