
Compliance

Compliance frameworks, data residency, and audit capabilities in CipherStash

CipherStash helps organizations meet compliance requirements through field-level encryption, identity-bound access controls, and audit logging. This page summarizes how CipherStash maps to common compliance frameworks and what capabilities are available.

Compliance frameworks

CipherStash's encryption and access control capabilities support the following compliance frameworks:

| Framework | How CipherStash helps |
| --- | --- |
| SOC 2 Type II | Field-level encryption, access key scoping, audit logging of every decrypt operation, key rotation via keysets |
| HIPAA | Encryption of PHI at the field level, identity-aware access controls (lock contexts), audit trails for data access |
| GDPR | Encryption of personal data, data residency controls via regional deployment, crypto-shredding by deleting keysets |
| PCI-DSS | Encryption of cardholder data fields, key management via ZeroKMS, separation of key material from encrypted data |
| ISO 27001 | Cryptographic controls (A.10), access control (A.9), logging and monitoring (A.12) |
| CCPA | Encryption of consumer personal information, access controls, audit trails |

Good to know: Contact support@cipherstash.com to request SOC 2 reports, sign a HIPAA Business Associate Agreement (BAA), or obtain a GDPR Data Processing Agreement (DPA).

Data residency

CipherStash workspaces are deployed to specific AWS regions. Key material and encryption operations stay within the configured region.

Available regions are listed on the Regions page. When you create a workspace, you select a region and all ZeroKMS key material is stored and processed in that region.

Audit logging

CipherStash logs every key derivation event — which means every encrypt and decrypt operation is recorded with context about who performed it, when, and for which keyset.

Audit logs are available through the CipherStash dashboard. For programmatic access or SIEM integration, contact support@cipherstash.com.

What is logged

| Field | Description |
| --- | --- |
| Timestamp | When the operation occurred |
| Operation type | Encrypt or decrypt |
| Client ID | Which client performed the operation |
| Keyset | Which keyset was used |
| Identity context | The identity claim (if using lock contexts) |

Audit with the SDK

The SDK supports attaching audit metadata to any operation:

audit-example.ts

```ts
// `client` is an initialised CipherStash client and `users` is the encrypted-table
// schema that defines the `email` column; both are set up earlier and not shown here.
const result = await client
  .encrypt(plaintext, { column: users.email, table: users })
  .audit({ metadata: { action: "create", resource: "user" } });
```

This metadata is included in the audit log alongside the standard fields.

Crypto-shredding

CipherStash supports crypto-shredding — permanently destroying data by deleting the encryption keys rather than the ciphertext.

Because each keyset provides cryptographic isolation, you can:

  1. Delete a keyset to make all data encrypted under it permanently irrecoverable.
  2. Use per-tenant keysets to support GDPR right-to-erasure (Article 17) by deleting a tenant's keyset.

The encrypted data remains in your database but can never be decrypted.
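To make the two properties above concrete (every encrypt/decrypt is recorded with the fields from the "What is logged" table, and deleting a keyset makes its ciphertext irrecoverable while other tenants' data stays readable), here is an added, self-contained TypeScript model. It is not CipherStash or ZeroKMS code: the in-memory `KeysetStore`, its AES-256-GCM keys and the sample tenant rows are all constructed stand-ins for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed stand-in for ZeroKMS keysets: one in-memory AES-256-GCM key per tenant.
type AuditEvent = { timestamp: string; operation: "encrypt" | "decrypt"; clientId: string; keyset: string; identity?: string };
type Ciphertext = { keyset: string; iv: string; tag: string; data: string };
export class KeysetStore {
  private keys = new Map<string, Buffer>();
  readonly audit: AuditEvent[] = [];   // one record per encrypt/decrypt, with the fields listed above
  createKeyset(name: string): void { this.keys.set(name, randomBytes(32)); }
  // Crypto-shredding: only the key material is removed; ciphertext rows stay in the database.
  deleteKeyset(name: string): boolean { return this.keys.delete(name); }

  encrypt(keyset: string, plaintext: string, clientId: string, identity?: string): Ciphertext {
    const key = this.requireKey(keyset);
    const iv = randomBytes(12);
    const cipher = createCipheriv("aes-256-gcm", key, iv);
    const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
    this.log("encrypt", clientId, keyset, identity);
    return { keyset, iv: iv.toString("hex"), tag: cipher.getAuthTag().toString("hex"), data: data.toString("hex") };
  }

  decrypt(ct: Ciphertext, clientId: string, identity?: string): string {
    const key = this.requireKey(ct.keyset);   // throws once the keyset has been deleted
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(ct.iv, "hex"));
    decipher.setAuthTag(Buffer.from(ct.tag, "hex"));
    const plain = Buffer.concat([decipher.update(Buffer.from(ct.data, "hex")), decipher.final()]);
    this.log("decrypt", clientId, ct.keyset, identity);
    return plain.toString("utf8");
  }

  private requireKey(keyset: string): Buffer {
    const key = this.keys.get(keyset);
    if (!key) throw new Error(`keyset "${keyset}" is not available (deleted or never created)`);
    return key;
  }
  private log(operation: AuditEvent["operation"], clientId: string, keyset: string, identity?: string): void {
    this.audit.push({ timestamp: new Date().toISOString(), operation, clientId, keyset, identity });
  }
}
// Walk-through: two tenants share one table; erasing tenant A means deleting its keyset only.
export function demoErasure() {
  const store = new KeysetStore();
  store.createKeyset("tenant-a"); store.createKeyset("tenant-b");
  const rows = [store.encrypt("tenant-a", "alice@example.com", "app-1", "user:alice"),   // constructed sample data
                store.encrypt("tenant-b", "bob@example.com", "app-1", "user:bob")];
  store.deleteKeyset("tenant-a");   // Article 17 request for tenant A: shred the keys, keep the rows
  const tenantAReadable = ((): boolean => { try { store.decrypt(rows[0], "app-1"); return true; } catch { return false; } })();
  return { tenantAReadable, tenantB: store.decrypt(rows[1], "app-1"), rowsRetained: rows.length, auditEvents: store.audit.length };
}
```

After the keyset deletion both ciphertext rows are still present, only tenant B's row decrypts, and the audit trail holds three events (two encrypts and the one successful decrypt); the failed decrypt of tenant A's row never reaches key material, so nothing is derived and nothing is logged for it.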

Key rotation

CipherStash supports key rotation at the keyset level. Key rotation generates new key material without interrupting running applications.

For rotation procedures, see Keysets.

Security architecture

For a complete description of the cryptographic design, key hierarchy, and trust model, see Security architecture.
