Encryption
Everything is encrypted
All customer data in GoSmarter is encrypted, both at rest and in transit between services. Encryption is enforced at the platform level and cannot be switched off per tenant or per request.
Encryption in transit
All network communication uses TLS 1.2 or higher. This is enforced on every service:
| Service | TLS enforcement |
|---|---|
| Database | Minimum TLS 1.2 enforced at server level |
| Files | Minimum TLS 1.2; HTTPS-only (HTTP rejected) |
| Messaging | Minimum TLS 1.2 |
| API ingress | HTTPS only; insecure connections rejected |
| Frontend | HTTPS by default via Azure-managed certificates |
| AI services | HTTPS only via Azure platform |
Traffic between Azure services within the same region travels over Microsoft’s backbone network, encrypted in transit.
AI processing traffic: When mill certificates are sent to AI services in Sweden Central, the data travels over TLS-encrypted connections between Azure datacentres.
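The TLS 1.2 minimum above is a server-side setting, and the simplest way for a security team to confirm it is to try a handshake with each version and watch what the server does. The probe below is an added example written for this page, not GoSmarter's or Azure's own tooling; the hostname in `ENDPOINTS` is a placeholder and must be replaced with the real API, storage and frontend hostnames of your tenant. It offers exactly one protocol version per connection and classifies the result, so that "TLS 1.0 rejected" is only reported when the client was actually able to offer TLS 1.0.

```python
"""Probe an endpoint to confirm it rejects TLS 1.0/1.1 and accepts TLS 1.2+."""
import socket
import ssl

# Placeholder hostname (assumption): replace with the GoSmarter hostnames
# your tenant actually talks to (API ingress, file storage, frontend).
ENDPOINTS = [("api.example.invalid", 443)]

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")
MODERN = ("TLSv1.2", "TLSv1.3")


def probe(host, port, version, timeout=5.0):
    """Offer exactly one protocol version; return accepted / rejected / not_offered / error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are irrelevant to a version probe: a rejected legacy
    # version fails before any certificate is exchanged.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # OpenSSL security level 1+ refuses to offer TLS 1.0/1.1 at all;
        # drop to level 0 so the client can actually try them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL / older builds have no security levels to lower
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "not_offered"  # local TLS library cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        # protocol_version / handshake_failure alert: the server refused it
        return "rejected"
    except OSError as exc:
        return f"error: {exc}"


def scan(host, port):
    """Probe every version and return {version_name: outcome}."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def verdict(results):
    """Reduce per-version outcomes to enforced / not_enforced / inconclusive."""
    legacy = [results.get(n) for n in LEGACY]
    modern_ok = any(results.get(n) == "accepted" for n in MODERN)
    if "accepted" in legacy:
        return "not_enforced"  # a pre-1.2 handshake completed
    if not modern_ok or any(r != "rejected" for r in legacy):
        return "inconclusive"  # client could not offer it, or no connectivity
    return "enforced"


if __name__ == "__main__":
    for host, port in ENDPOINTS:
        results = scan(host, port)
        print(host, port, verdict(results), results)
```

A result of `inconclusive` usually means the local OpenSSL build would not offer TLS 1.0/1.1 at all, or the endpoint was unreachable; only `enforced` confirms the claim in the table. The "HTTP rejected" claim for storage and API ingress is a separate property and needs a plain-HTTP request on port 80, which this probe does not send.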
Encryption at rest
All data at rest is encrypted with AES-256:
| Service | Encryption method |
|---|---|
| Database | Transparent Data Encryption (TDE) — enabled by default |
| Files | Storage Service Encryption (SSE) — AES-256 |
| Key Vault | Hardware-backed encryption |
| Messaging | Platform encryption at rest |
Key management
Encryption keys are managed by Microsoft (platform-managed keys). This means:
- Keys are automatically rotated by the Azure platform
- Keys are stored in Microsoft-managed hardware security modules
- No manual key management is required
We do not currently offer customer-managed keys (BYOK/CMK). All encryption uses platform-managed keys, so the key lifecycle (rotation, revocation) is controlled by Azure rather than by the customer; a customer cannot cut off access to stored data by withdrawing a key of their own.
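The at-rest and key-management claims above (TDE on the database, SSE with platform-managed keys on storage, TLS 1.2 minimum, HTTPS only) all map to properties that the Azure CLI exports as JSON. The checker below is an added example for this page, not GoSmarter's or Azure's code: it takes records shaped like `az storage account show`, `az sql server show` and `az sql db tde show` output and reports every property that deviates from what this page documents. The sample records are constructed, the resource names are hypothetical, and the property names are as the az CLI returns them to the best of my knowledge (assumption: confirm against your own CLI output before relying on the script).

```python
"""Check exported Azure resource settings against the encryption claims on this page."""
import json
import sys

# Constructed sample records, shaped like the JSON from
#   az storage account show -n <account> -g <rg> -o json
#   az sql server show -n <server> -g <rg> -o json
#   az sql db tde show -g <rg> -s <server> -d <db> -o json
# Names are hypothetical; property names are assumed to match current az CLI output.
STORAGE_COMPLIANT = {
    "name": "gosmarterfiles",
    "minimumTlsVersion": "TLS1_2",
    "enableHttpsTrafficOnly": True,
    "encryption": {
        "keySource": "Microsoft.Storage",  # platform-managed keys
        "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
    },
}
STORAGE_DRIFTED = {
    "name": "legacyfiles",
    "minimumTlsVersion": "TLS1_0",
    "enableHttpsTrafficOnly": False,
    "encryption": {
        "keySource": "Microsoft.Keyvault",  # customer-managed key: contradicts the page
        "services": {"blob": {"enabled": True}, "file": {"enabled": False}},
    },
}
SQL_SERVER_COMPLIANT = {"name": "gosmarter-sql", "minimalTlsVersion": "1.2"}
SQL_SERVER_DRIFTED = {"name": "legacy-sql", "minimalTlsVersion": "None"}
TDE_ENABLED = {"state": "Enabled"}
TDE_DISABLED = {"state": "Disabled"}


def check_storage(acct):
    """Return a list of findings; an empty list means the account matches the page."""
    name = acct.get("name", "<unnamed>")
    findings = []
    tls = acct.get("minimumTlsVersion")
    if tls not in ("TLS1_2", "TLS1_3"):
        findings.append(f"{name}: minimumTlsVersion is {tls}, expected TLS1_2 or higher")
    if acct.get("enableHttpsTrafficOnly") is not True:
        findings.append(f"{name}: plain HTTP is not rejected (enableHttpsTrafficOnly is false)")
    enc = acct.get("encryption", {})
    if enc.get("keySource") != "Microsoft.Storage":
        findings.append(f"{name}: keySource is {enc.get('keySource')}, not platform-managed as documented")
    for svc in ("blob", "file"):
        if not enc.get("services", {}).get(svc, {}).get("enabled"):
            findings.append(f"{name}: storage service encryption not enabled for {svc}")
    return findings


def check_sql(server, tde):
    """Return findings for the SQL server TLS floor and the database's TDE state."""
    name = server.get("name", "<unnamed>")
    findings = []
    tls = server.get("minimalTlsVersion")
    if tls not in ("1.2", "1.3"):
        findings.append(f"{name}: minimalTlsVersion is {tls}, expected 1.2 or higher")
    state = tde.get("state") or tde.get("status")  # older CLI versions used 'status'
    if state != "Enabled":
        findings.append(f"{name}: Transparent Data Encryption state is {state}, expected Enabled")
    return findings


if __name__ == "__main__":
    # Usage: python check_encryption.py storage.json sqlserver.json tde.json
    # With no arguments the constructed samples are checked instead.
    if len(sys.argv) == 4:
        storage, server, tde = (json.load(open(p)) for p in sys.argv[1:4])
        findings = check_storage(storage) + check_sql(server, tde)
    else:
        findings = (check_storage(STORAGE_DRIFTED)
                    + check_sql(SQL_SERVER_DRIFTED, TDE_DISABLED))
    for f in findings:
        print("FINDING:", f)
    print("compliant" if not findings else f"{len(findings)} finding(s)")
```

Run it against the real exports rather than the samples; a `keySource` of `Microsoft.Keyvault` is not a weakness in itself, but it would mean the platform-managed-keys statement above no longer describes the account.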
Key points for your security team
- TLS 1.2 minimum: enforced on all services (database, storage, messaging, API, AI)
- AES-256 at rest: All persistent storage encrypted with AES-256
- HTTPS only: HTTP connections rejected on storage and API ingress
- Platform-managed keys: Automatically rotated by Azure
- No BYOK/CMK: Customer-managed keys are not currently available