Network & Data Security

EnvKey takes a layered approach to security. In addition to client-side encryption, all database and application servers associated with our Cloud and Business Self-Hosted products run in a VPC on a private subnet with no access to the public internet.


  • All requests use TLS.
  • All databases and backups are encrypted at rest with AES-256.
  • Our Business Self-Hosted product offers Behind-Your-Firewall mode, which allows you connect to EnvKey from a VPC in another AWS account using AWS PrivateLink and avoid exposing EnvKey to the public internet entirely.