Bryt Data Encryption Overview
Databases at Rest
To encrypt Bryt customer databases at rest (each customer has their own database), we use Azure’s TDE, or ‘Transparent Database Encryption.’ Azure’s description of the process is quoted below. Note that our Database Encryption Keys (DEK) for at-rest encryption are managed by Azure.
“TDE performs real-time I/O encryption and decryption of the data at the page level. Each page is decrypted when it's read into memory and then encrypted before being written to disk. TDE encrypts the storage of an entire database by using a symmetric key called the Database Encryption Key (DEK)”
Data In Transit to/from the Webserver (Both Are in Azure)
Azure SQL enforces SSL/TLS encryption for all communication between the database and the webserver within the datacenter(s). In addition, Bryt uses ‘Column Level Encryption’ for columns with sensitive information, like tax ID numbers. Encrypted columns are decrypted only when the data is needed, and decryption is done on the webserver prior to the data being sent to the client. Note that Bryt does not store any banking information for use with ACH transactions. We only store an access token, the last four digits of the account, and the bank name. The token represents an account that is used with our third-party provider to make ACH transfers.
Data in Transit to/from the Browser
Bryt redirects all insecure requests (http://) to secure endpoints (https://) for both web requests and API requests. There is no non-SSL access to any point in Bryt or to any subdomains or custom domains used by customers. Therefore, all data sent to and received from the browser is encrypted using SSL.
Database Password and Column Encryption Key Rotation
On a semi-annual basis (6 months), the keys and passwords required to access the databases from the webserver and to decrypt columns are rotated/changed.
Bryt Data Backup Overview
All databases have the 35-day ‘point in time’ recovery option. This means that a database can be returned to its state at any given time within the last 35 days. Additionally, the databases are locally redundant, meaning there are secondary copies within the local region (a different datacenter in the same Azure Region).
Additional options are available, such as increasing the point-in-time recovery window, long-term backups (i.e., each month a backup is stored for a year), and geo-redundancy (multi-Azure Region copies). Please contact us if you have additional backup requirements beyond the standard provided.
All uploaded files are stored in Azure Blob storage. This does not include generated documents (these are in the database). Uploaded files are stored geo-redundantly by default in both Azure West and Azure East datacenters.