# Encryption & Secrets Management
Witboost protects data at every layer through industry-standard encryption and secure secrets management.
## Encryption in Transit
All communications are encrypted using TLS 1.2 or higher:
- Between Witboost microservices (internal cluster traffic)
- Between the platform and end users (UI, API)
- Between Tech Adapters and target technologies (Snowflake, Databricks, etc.)
- HTTPS enforced for all web and API traffic
## Encryption at Rest
| Component | Encryption Method |
|---|---|
| Credentials & Secrets | Stored in a dedicated secrets management system (HashiCorp Vault or Kubernetes Secrets with encryption at rest) |
| Platform Databases | Leverage the underlying infrastructure's encryption-at-rest capabilities |
| Persistent Storage | Configured according to customer requirements and cloud provider best practices |
| Backups | Encrypted using the same at-rest encryption mechanisms |
## Key Management
- Customer-controlled — In on-premises deployments, the customer retains full control over encryption keys
- Industry best practices — Key management follows established standards (AES-256, RSA-2048+)
- Key rotation — Supports periodic key rotation as required by customer policy
- No key escrow — Agile Lab does not have access to customer encryption keys
## Secrets Management
Witboost integrates with enterprise secrets management solutions:
- HashiCorp Vault — Recommended for production deployments
- Kubernetes Secrets — With encryption at rest enabled
- Cloud-native vaults — Azure Key Vault, AWS Secrets Manager, GCP Secret Manager
Secrets include:
- Database connection strings
- API keys for Tech Adapter integrations
- Service principal credentials
- OAuth client secrets
> **Tip:** All secrets are injected at runtime and never stored in source code, configuration files, or container images.
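The "Kubernetes Secrets with encryption at rest enabled" option above depends on how the API server is configured. The following is an added example, not Witboost's own configuration: a Kubernetes `EncryptionConfiguration` (passed to `kube-apiserver` with `--encryption-provider-config`) showing the weak default beside a hardened ordering. The resource and provider names are the real upstream ones; the KMS plugin name, socket path and key material are placeholders.

```yaml
# Added example, not Witboost's configuration. The first listed provider
# encrypts new writes; the remaining providers are tried in order on read,
# which is what makes a migration from plaintext possible.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # WEAK (equivalent to supplying no config at all): identity is a
      # no-op provider, so Secret objects are written to etcd in plaintext.
      # Kept here, commented out, only to show what not to ship first.
      # - identity: {}

      # HARDENED: envelope encryption through an external KMS (KMS v2 API),
      # so the key-encryption key never sits on the control-plane node.
      - kms:
          apiVersion: v2
          name: example-kms-plugin                         # placeholder name
          endpoint: unix:///var/run/kmsplugin/socket.sock  # placeholder path
          timeout: 3s
      # Local fallback: AES-256-GCM with a 32-byte key (base64-encoded).
      # Generate with: head -c 32 /dev/urandom | base64
      # Caveat: rotate this key well before ~200k writes (GCM nonce budget).
      - aesgcm:
          keys:
            - name: key1
              secret: <BASE64-ENCODED-32-BYTE-KEY-PLACEHOLDER>
      # identity LAST: lets the server still read Secrets written before
      # encryption was enabled; remove it once everything is re-encrypted.
      - identity: {}
```

After enabling the config, re-encrypt existing objects with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`, then confirm by reading one Secret's key directly from etcd: the stored value should begin with `k8s:enc:kms:v2:` rather than readable plaintext.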
## Data Protection by Architecture
Because Witboost is a control-plane platform, it provides an additional layer of data protection by design:
- No customer data content — The platform handles only metadata (schemas, policies, lineage, contracts)
- No data at rest in Witboost — Customers' actual data remains in their own data infrastructure
- No data in transit through Witboost — Data flows directly between source and target systems; Witboost orchestrates but never intermediates the data
This architectural boundary means that even in the unlikely event of a platform compromise, no customer data content would be exposed — only metadata and governance artifacts.