Using EdgeBit, your customers can bring their own encryption key (BYOK) to your SaaS without having to give up full control. The encryption key can only be accessed within the EdgeBit Security Engine running in your cloud account. This means that none of your employees can read the plaintext of the key.

EdgeBit never has control over the key or can read the plaintext — the key is 100% confined to the secure enclave inside the Security Engine

Privacy-centric customers in the Fortune 500 are interested in how you secure their data, which goes beyond your compliance reports. Using EdgeBit for your SaaS provides verifiable security for their powerful API tokens, file uploads, controlled PII/GDPR data, and any other sensitive item.

Security-centric customers like FinTech and identity providers desire protection for their data being compromised by insider threats and data breaches. EdgeBit gives your company assurances that can be verified and proved to your customers and their auditors.

EdgeBit emits a trusted and tamper-proof audit log of customer data being accessed. This is exposed in the EdgeBit dashboard and can be embedded in your SaaS software as well.

As a third party, EdgeBit is a trusted source of data activity for your customer's auditors and provides an important forensic tool during security incidents.

EdgeBit enforces protection for sensitive data, so that it can never leave unless specifically allowed. Data inserted, processed or decrypted can never be read by an attacker.

This protection starts in the hardware with isolated RAM, dedicated CPU cores, reduced default networking and Trusted Platform Modules (TPM), all powered by AWS Nitro Enclaves.

EdgeBit adds additional network policy that is embedded into the Security Engine, so it can't be relaxed or removed.

An enclave fulfills the exact definition of privacy: being free from observation or disruption by others. Even a hostile parent machine can't introspect the enclave or modify its operating parameters.

Enclaves are the perfect environment to decrypt and process sensitive data of any sort. This can be long-lived like a complete microservice or short per-request workflows.

EdgeBit manages per-tenant encryption keys automatically. All you need to do is call encrypt() — the correct encryption key is selected or created as needed.

When your customers opt to bring their own key, we will start using it immediately without interruption. Existing data will be "re-keyed" with the customer's key without having to re-process the data, due to our primary key → secondary key → data key structure.

Encryption key access policies are tied to the secure enclave's attestation which guarantees that only trusted code can fetch the key.