Encryption: at rest, in transit, and key management
We encrypt data in transit and at rest using industry-standard cryptography. All encryption keys are controlled by AWS Key Management Service (KMS), with automatic rotation and audit logging of every key use.
At rest
Data stored in databases, S3 buckets, and backups is encrypted with AES-256-GCM under keys managed in AWS Key Management Service (KMS).
AES-256-GCM for all stored data (documents, database records, backups)
Customer-managed AWS KMS keys with automatic rotation every 90 days (rotation generates new key material; KMS retains the previous material, so existing ciphertext stays readable without re-encryption)
S3 buckets with default encryption set to SSE-KMS and bucket policies that deny unencrypted uploads
RDS and MongoDB Atlas encryption at rest enabled by default
Secrets (API keys, passwords) stored in AWS Secrets Manager with access logging
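The bucket policy control listed above is only as good as its Deny statements. The following is an added example, not Cleared's code: a constructed policy in the shape a practitioner would deploy, a constructed anti-pattern beside it, and an offline check that reads a policy document (for instance the output of `aws s3api get-bucket-policy`) and reports whether it actually rejects non-KMS uploads, pins the expected KMS key, and refuses plaintext transport. The bucket name, account ID, role name and key ARN are placeholders.

```python
"""Offline check that an S3 bucket policy really blocks unencrypted uploads.

Added example, not Cleared's code. Bucket name, account id, role and key ARN
are placeholders; both policy documents are constructed for this check.
"""
import json

BUCKET = "example-documents-bucket"                      # assumed bucket name
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")        # assumed KMS key ARN

# Constructed policy: explicit Deny statements, because an Allow-with-condition
# never overrides grants made elsewhere (IAM identity policies, other buckets).
STRONG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # reject PutObject unless the request asks for SSE-KMS
            "Sid": "DenyNonKmsEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # reject PutObject that names any KMS key other than ours
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": KEY_ARN}},
        },
        {   # reject every request that did not arrive over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Constructed anti-pattern: an Allow that merely *requires* the header. Any
# other Allow (e.g. a role with s3:PutObject) still permits plaintext uploads.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEncryptedUploads",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"}},
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _deny_statements(policy, action):
    """Yield Deny statements whose Action covers `action` (or all of s3:*)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        if action in actions or "s3:*" in actions:
            yield stmt


def denies_non_kms_uploads(policy):
    """True if a Deny on s3:PutObject fires unless the SSE header is aws:kms."""
    return any(
        stmt.get("Condition", {}).get("StringNotEquals", {})
            .get("s3:x-amz-server-side-encryption") == "aws:kms"
        for stmt in _deny_statements(policy, "s3:PutObject"))


def pins_kms_key(policy, key_arn):
    """True if a Deny on s3:PutObject rejects any KMS key other than key_arn."""
    return any(
        stmt.get("Condition", {}).get("StringNotEquals", {})
            .get("s3:x-amz-server-side-encryption-aws-kms-key-id") == key_arn
        for stmt in _deny_statements(policy, "s3:PutObject"))


def denies_plaintext_transport(policy):
    """True if a Deny on s3:* rejects requests with aws:SecureTransport false."""
    return any(
        str(stmt.get("Condition", {}).get("Bool", {})
            .get("aws:SecureTransport")).lower() == "false"
        for stmt in _deny_statements(policy, "s3:*"))


def audit(policy, key_arn=KEY_ARN):
    """One finding per control; any False value is a gap to close."""
    return {
        "denies_non_kms_uploads": denies_non_kms_uploads(policy),
        "pins_kms_key": pins_kms_key(policy, key_arn),
        "denies_plaintext_transport": denies_plaintext_transport(policy),
    }


if __name__ == "__main__":
    for name, policy in ("strong", STRONG_POLICY), ("weak", WEAK_POLICY):
        print(name, json.dumps(audit(policy)))
```

The check is deliberately strict about Effect: only an explicit Deny can stop an upload that some other policy allows. Pair the policy with the bucket's default encryption set to SSE-KMS under the same key, so a client that sends no encryption header still lands encrypted under the intended key rather than under the S3-managed default.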
Roadmap: client-managed keys and field-level encryption
We are exploring client-managed encryption keys (CMEK) so regulated clients can hold their own KMS keys and revoke Cleared's access instantly. We are also expanding field-level encryption for PII fields (ID numbers, income amounts) so that even database administrators cannot read sensitive data without application-layer decryption.
