Data Handling and Encryption

TruthVouch uses industry-standard encryption and key management to protect your data throughout its lifecycle.

Encryption at Rest

  • Algorithm: AES-256 (FIPS 140-2 approved)
  • Key Length: 256-bit keys
  • Storage: Encrypted database volumes (AWS EBS encryption)
  • Backups: AES-256 encrypted with separate keys

What’s Encrypted

  • User data: Truth nuggets, knowledge base
  • Audit logs: Complete request/response history
  • API keys: Scoped credentials
  • Backups: All backup copies encrypted
  • Everything except non-sensitive metadata

Key Rotation

  • Frequency: Automatic monthly rotation
  • Old Keys: Retained for 90 days (data re-encryption)
  • HSM: All keys stored in AWS CloudHSM (never on disk)

Encryption in Transit

  • Protocol: TLS 1.3 (HTTPS everywhere)
  • Certificate: Wildcard certificate, auto-renewed
  • Pinning: Optional certificate pinning for Enterprise

All communication is encrypted:

  • API calls (REST)
  • WebSocket (real-time updates)
  • Webhooks (outbound)

Key Management

Hardware Security Module (AWS CloudHSM):

  • Keys never leave the HSM
  • MFA required for key access
  • Geographic redundancy
  • Annual security audits

Access Control:

  • Role-based access to encryption keys
  • Least privilege principle
  • All key operations logged
  • Automatic lockdown on suspicious activity

Data Classification

Different data types are encrypted differently:

Data Type                 | Encryption           | Key Rotation | Retention
Sensitive (PII, API keys) | AES-256 + HSM        | Monthly      | 7 years
User Data (truth nuggets) | AES-256              | Monthly      | Indefinite
Audit Logs                | AES-256 + Hash Chain | Monthly      | 7 years
Metadata                  | AES-128              | Quarterly    | Indefinite

Data Residency

Choose where your data is stored:

  • US: AWS us-east-1 (Virginia)
  • EU: AWS eu-west-1 (Ireland) — GDPR compliant
  • Custom: Your own AWS account (Enterprise)
  • On-Premises: Self-hosted (Enterprise)

Data never leaves the chosen region.

Deletion

When you request deletion:

  1. Data marked for deletion in database
  2. Deleted from live systems within 24 hours
  3. Removed from backups within 30 days
  4. Removed from long-term archives within 90 days
  5. Cryptographic erasure (keys destroyed) after retention period

Deletion is permanent and irreversible.

Compliance

  • FIPS 140-2: Cryptographic standards
  • NIST: AES-256 approved by NIST
  • GDPR: Encryption required for data protection
  • SOC 2: Encryption as part of system controls
  • HIPAA: Encryption for healthcare data

Next Steps

  • Multi-Tenancy: Learn about data isolation
  • Key Management: Understand key rotation and backups
  • Deletion: Learn about data deletion procedures