# Encryption

> GoSmarter encrypts all data at rest with AES-256 and in transit with TLS 1.2+ - across database, storage, messaging, and AI services.

**URL:** https://www.gosmarter.ai/docs/content/encryption/

**Date:** 0001-01-01

---


## Everything is encrypted

All customer data in GoSmarter is encrypted, both when stored and when moving between services. Encryption is enforced at the platform level and cannot be bypassed.

### Encryption in transit

All network communication uses **TLS 1.2 or higher**. This is enforced on every service:

| Service | TLS enforcement |
|---------|----------------|
| Database | Minimum TLS 1.2 enforced at server level |
| Files | Minimum TLS 1.2; HTTPS-only (HTTP rejected) |
| Messaging | Minimum TLS 1.2 |
| API ingress | HTTPS only; insecure connections rejected |
| Frontend | HTTPS by default via Azure-managed certificates |
| AI services | HTTPS only via Azure platform |

Traffic between Azure services within the same region travels over Microsoft's backbone network, encrypted in transit.

**AI processing traffic**: When mill certificates are sent to AI services in Sweden Central, the data travels over TLS-encrypted connections between Azure datacentres.
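One way for a security team to check the TLS 1.2 minimum from the client side, as an added example that is not GoSmarter's own code: it attempts one verified TLS 1.2+ handshake and one handshake capped at TLS 1.1, then compares the results with the policy above. The function names are illustrative and the hostname is supplied on the command line.

```python
import socket
import ssl
import sys


def make_context(legacy: bool) -> ssl.SSLContext:
    """Client context: verified TLS 1.2+, or a probe capped at TLS 1.1."""
    ctx = ssl.create_default_context()
    if not legacy:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return ctx
    # The legacy probe only asks whether the server will negotiate at all, so
    # certificate checks are off and the OpenSSL security level is lowered to
    # let this client offer TLS 1.0/1.1 in the first place.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # TLS library without security levels
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def probe(host: str, port: int, legacy: bool, timeout: float = 5.0):
    """Return the negotiated protocol name, or None if the handshake is refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with make_context(legacy).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLCertVerificationError:
        raise  # a bad certificate is its own finding, not a version refusal
    except (ssl.SSLError, ConnectionResetError):
        return None


def verdict(modern, legacy) -> str:
    """Compare two probe results with the stated policy: TLS 1.2 or higher only."""
    if modern not in ("TLSv1.2", "TLSv1.3"):
        return "FAIL: no TLS 1.2+ handshake completed"
    if legacy is not None:
        return f"FAIL: endpoint negotiated {legacy}"
    return f"PASS: {modern} negotiated, TLS 1.1 and below refused"


if __name__ == "__main__":
    host = sys.argv[1]  # assumption: an endpoint of your own tenant, passed as argument
    print(host, verdict(probe(host, 443, False), probe(host, 443, True)))
```

Run the legacy probe only from a client where `ssl.HAS_TLSv1_1` is true; otherwise a refusal may come from the local TLS library rather than from the server.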

### Encryption at rest

All data at rest is encrypted with **AES-256**:

| Service | Encryption method |
|---------|------------------|
| Database | Transparent Data Encryption (TDE) — enabled by default |
| Files | Storage Service Encryption (SSE) — AES-256 |
| Key Vault | Hardware-backed encryption |
| Messaging | Platform encryption at rest |

### Key management

Encryption keys are **managed by Microsoft** (platform-managed keys). This means:

- Keys are automatically rotated by the Azure platform
- Keys are stored in Microsoft-managed hardware security modules
- No manual key management is required

We do not currently offer customer-managed keys (BYOK/CMK). All encryption uses platform-managed keys.

### Key points for your security team

- **TLS 1.2 minimum**: Enforced on all services: database, storage, messaging, API, AI
- **AES-256 at rest**: All persistent storage encrypted with AES-256
- **HTTPS only**: HTTP connections rejected on storage and API ingress
- **Platform-managed keys**: Automatically rotated by Azure
- **No BYOK/CMK**: Customer-managed keys are not currently available

### Request evidence

[Email us](mailto:talktous@gosmarter.ai), [contact us online](https://gosmarter.ai/contact), or [book a compliance call](https://calendly.com/gosmarter-demo).

