> ## Documentation Index
> Fetch the complete documentation index at: https://adapt.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Encryption

> How Adapt encrypts your data at rest and in transit

All data in Adapt is encrypted using industry-standard encryption methods to protect your information.

## Encryption Overview

| Data State | Encryption Method         |
| ---------- | ------------------------- |
| In Transit | TLS 1.3                   |
| At Rest    | AES-256                   |
| Secrets    | AES-256 with per-org keys |

## Encryption in Transit

All data transmitted to and from Adapt is encrypted:

### TLS 1.3

* **Protocol**: TLS 1.3 (latest standard)
* **Cipher suites**: Modern, secure algorithms only
* **Certificate**: Issued by trusted certificate authority
* **HSTS**: Strict transport security enforced

### API Connections

```
Your Browser ←→ TLS 1.3 ←→ Adapt
Your Integrations ←→ TLS 1.3 ←→ Adapt
Adapt ←→ TLS 1.3 ←→ Third-party APIs
```

All external connections use encrypted channels.

## Encryption at Rest

All stored data is encrypted:

### Database Encryption

* **Algorithm**: AES-256
* **Key management**: Google Cloud KMS
* **Scope**: All database fields, including backups

### File Storage

* **Algorithm**: AES-256
* **Service**: Google Cloud Storage with default encryption
* **Additional**: Server-side encryption enabled

### Backup Encryption

* **Database backups**: Encrypted with same keys
* **Retention**: Encrypted throughout lifecycle
* **Deletion**: Secure, cryptographic erasure

## Secret Encryption

Integration credentials receive additional protection:

### Organization Secrets

API keys, tokens, and credentials for integrations are encrypted with organization-specific keys:

```
Your API Key → AES-256 (org key) → Encrypted Storage
```

### Key Hierarchy

1. **Master key**: Stored in hardware security module (HSM)
2. **Organization key**: Derived from master key, unique per org
3. **Data encryption key**: Used to encrypt actual secrets

### Key Rotation

* Master keys rotated per security policy
* Organization keys can be rotated on request
* Automatic re-encryption during rotation

## Your Control

### Data Visibility

You can see what data Adapt has access to:

* Integration connections in Settings
* Data sources used in each query
* Stored secrets (names only, not values)

### Data Deletion

When you delete data:

* Immediately removed from active systems
* Purged from backups within 30 days
* Cryptographically unrecoverable

### Revoke Access

You can revoke integration access anytime:

1. Go to **Settings > Integrations**
2. Click the integration
3. Click **Disconnect**

Credentials are immediately deleted.

## Technical Details

### Algorithms

| Purpose              | Algorithm                   |
| -------------------- | --------------------------- |
| Symmetric encryption | AES-256-GCM                 |
| Key derivation       | HKDF-SHA256                 |
| Transport            | TLS 1.3                     |
| Hashing              | SHA-256, bcrypt (passwords) |

### Infrastructure

* **Cloud provider**: Google Cloud Platform
* **Key management**: Google Cloud KMS
* **HSM**: FIPS 140-2 Level 3 certified
* **Region**: United States (configurable for enterprise)

## Questions?

For questions about our encryption practices:

* **Email**: [security@adapt.com](mailto:security@adapt.com)
* **Documentation**: Request our security whitepaper

<CardGroup cols={2}>
  <Card title="Security Overview" icon="shield" href="/security/overview">
    Complete security documentation
  </Card>

  <Card title="SOC 2 Compliance" icon="certificate" href="/security/soc2-compliance">
    Our compliance program
  </Card>
</CardGroup>
