Regulatory compliance

Meet GDPR, HIPAA, and PCI-DSS requirements with encrypted uniqueness constraints, data minimization, and audit trails

CipherStash's searchable encryption provides the technical controls needed to satisfy regulatory requirements while maintaining full query capabilities. This page covers common compliance patterns using the Encryption SDK and EQL.

Encrypted uniqueness constraints

Many compliance frameworks require that sensitive identifiers (email, SSN, tax ID) are unique across your dataset. With CipherStash, you can enforce uniqueness on encrypted data using HMAC-based indexes.

Create a unique index on encrypted data

When you define an equality() index on a column, CipherStash generates a deterministic HMAC that can be used for unique constraints:

schema.ts
import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"

export const patients = encryptedTable("patients", {
  ssn: encryptedColumn("ssn")
    .equality(),
  email: encryptedColumn("email")
    .equality(),
})

In PostgreSQL with EQL, create a unique index on the HMAC component:

-- Create the table with encrypted columns
CREATE TABLE patients (
  id SERIAL PRIMARY KEY,
  ssn eql_v2_encrypted NOT NULL,
  email eql_v2_encrypted NOT NULL
);

-- Add unique index on the HMAC (equality) index term
CREATE UNIQUE INDEX patients_ssn_unique
  ON patients (eql_v2.hmac_256(ssn));

CREATE UNIQUE INDEX patients_email_unique
  ON patients (eql_v2.hmac_256(email));

This ensures no two patients can have the same SSN or email — enforced at the database level — while the actual values remain encrypted.
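
An added sketch in plain Node.js (node:crypto), not CipherStash's SDK or EQL code, of why a deterministic HMAC term can carry a unique constraint while the ciphertext itself stays randomized. The keys, cell layout and helper names are assumptions made for the example; it also shows that the term is computed over exact bytes, so case variants of an email count as distinct values unless they are normalized first.

```javascript
// Added illustration in plain Node.js; this is NOT the CipherStash SDK or EQL.
// Keys, cell layout and helper names are constructed for the example.
const crypto = require("node:crypto");

const dataKey = crypto.randomBytes(32);  // AES-256-GCM key (constructed)
const indexKey = crypto.randomBytes(32); // separate HMAC key for the equality term

// Randomized ciphertext plus a deterministic HMAC-SHA-256 equality term.
function encryptCell(plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const hm = crypto.createHmac("sha256", indexKey).update(plaintext, "utf8").digest("hex");
  return { iv, ct, tag: cipher.getAuthTag(), hm };
}

// Throws if iv, ciphertext or tag were altered (GCM authentication failure).
function decryptCell(cell) {
  const d = crypto.createDecipheriv("aes-256-gcm", dataKey, cell.iv);
  d.setAuthTag(cell.tag);
  return Buffer.concat([d.update(cell.ct), d.final()]).toString("utf8");
}

// Stand-in for a unique index over the HMAC term: the "database" compares
// only hm values and never handles plaintext or the keys.
function makeUniqueIndex() {
  const seen = new Set();
  return (cell) => {
    if (seen.has(cell.hm)) return false; // would be a unique violation
    seen.add(cell.hm);
    return true;
  };
}

function demo() {
  const insert = makeUniqueIndex();
  const a = encryptCell("pat@example.com"); // constructed sample value
  const b = encryptCell("pat@example.com"); // same value encrypted again
  const c = encryptCell("Pat@Example.com"); // same mailbox, different bytes
  return {
    ciphertextsDiffer: !a.ct.equals(b.ct), // fresh IV per encryption
    firstAccepted: insert(a),
    duplicateRejected: !insert(b),         // equal plaintext, equal HMAC
    caseVariantAccepted: insert(c),        // HMAC is over exact bytes
    normalizedRejected: !insert(encryptCell("Pat@Example.com".toLowerCase())),
    roundTrip: decryptCell(a),
  };
}
```

Because the term is deterministic, anyone who can read the index can tell which rows hold equal values, even without the keys.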

GDPR compliance patterns

Right to erasure (Article 17)

Encrypted data with CipherStash supports crypto-shredding: revoke the keyset or client key, and all data encrypted under that key becomes permanently unreadable.

Data minimization (Article 5)

Encrypt all personal data fields and use Lock Contexts to restrict which application components can decrypt specific records:

minimize-access.ts
// Only the billing service can decrypt payment data
const result = await client
  .withLockContext({ identityToken: billingServiceJWT })
  .decrypt(encryptedPaymentData)

Data portability (Article 20)

Encrypted values are stored as standard JSON objects (CipherCells). They can be exported, transferred between systems, and decrypted at the destination — provided the recipient has the appropriate key material.

HIPAA compliance patterns

Access controls (§ 164.312(a))

Use identity-aware encryption to bind decryption to authenticated healthcare providers:

hipaa-access.ts
// Encrypt patient records with identity binding
const encrypted = await client
  .withLockContext({ identityToken: providerJWT })
  .encrypt(patientRecord.diagnosis, {
    column: patients.diagnosis,
    table: patients,
  })

Audit controls (§ 164.312(b))

Every encryption and decryption operation through ZeroKMS produces an audit event. Combine these events with CipherStash Proxy's audit features for comprehensive data access logging, including statement fingerprints and record reconciliation.

Integrity controls (§ 164.312(c))

CipherStash's authenticated encryption (AES-256-GCM) ensures that any tampering with encrypted data is detected during decryption — the operation will fail if the ciphertext has been modified.

PCI-DSS compliance patterns

Requirement 3: Protect stored cardholder data

Encrypt cardholder data at the application layer before it reaches the database:

pci-store.ts
import { encryptedTable, encryptedColumn } from "@cipherstash/stack/schema"

export const cards = encryptedTable("cards", {
  cardNumber: encryptedColumn("card_number")
    .equality(),
  cardholderName: encryptedColumn("cardholder_name"),
})

Requirement 10: Track and monitor access

CipherStash's audit logging provides cryptographic proof of data access. Every decryption request is logged with:

  • Who — the authenticated identity (via Lock Context)
  • What — which encrypted column was accessed
  • When — timestamp of the operation

Supported regulations

Regulation | Key requirements | CipherStash features
GDPR | Encryption, data minimization, right to erasure | Searchable encryption, Lock Contexts, crypto-shredding
HIPAA | Access controls, audit trails, integrity | Identity-aware encryption, ZeroKMS audit logs, AES-256-GCM
PCI-DSS | Protect cardholder data, access monitoring | Application-layer encryption, audit logging
SOC2 | Encryption at rest and in use, access controls | Encryption-in-use, role-based key access
ISO 27001 | Information security management | End-to-end encryption, key management, audit trails
CCPA | Consumer data protection | Encrypted storage, access controls
