What this standard answers
- Where encryption is required in transit and at rest
- Which key-management controls are required
- How exceptions are reviewed and approved
Current state (as of March 5, 2026)
The encryption and key-management requirements on this page are active in hosted production systems.
Scope
Applies to production systems, data stores, backups, service-to-service paths, and secrets handling.
Encryption requirements
| Area | Requirement |
|---|---|
| Data in transit | TLS is required for external API traffic and for service-to-service paths |
| Data at rest | Cloud-provider encryption controls are required for databases, storage, and backups |
| Secrets | Managed secret systems are required; secrets are not stored in source code |
Key-management requirements
| Area | Requirement |
|---|---|
| Key services | Keys are held in cloud key-management services |
| Access control | Least-privilege IAM and RBAC for key and secret administration |
| Rotation | Keys are rotated and retired according to cloud-provider rotation and lifecycle controls |
| Credential lifecycle | Integration credentials are rotatable and revocable |
| Visibility | Key-usage and encryption events are emitted to the logging and monitoring paths |