These are some questions we are frequently asked by our customers.


Below you'll find questions related to encrypting data.

What encryption scheme does Evervault use?

You can learn more about the Evervault Encryption Scheme (EES) here.

Do I need to manage encryption keys?

No. Simply include our SDKs and Relay your data or deploy your functions to an Evervault Cage. We handle everything else.

Where do I encrypt data?

You can encrypt data where it enters your infrastructure — either using Evervault Relay or our SDKs.

Why is there no decrypt() function in the Evervault SDKs?

Traditionally, encryption has only been useful if it was a reversible transformation, i.e. if the encrypted data could be reversed back to its original, unencrypted form. If encryption was not reversible, the encrypted data was considered unreadable and unusable. This is why most encryption libraries have a decrypt() function available.

Evervault Cages and Relay make a decrypt() function redundant.

Cages are secure, serverless functions for processing encrypted data. That is, encrypted data remains readable and usable without a decrypt() function being available.

You can deploy a Cage to return data in its unencrypted form. Cage runs are logged so that you can see who accessed plaintext data.

Relay is a proxy for encrypting data before it touches your API, and for decrypting it as you send it to a third-party API or return it to your users. Decryption takes place in E3, so no decrypt() function is necessary in our SDKs.

Why is Evervault better than encryption at rest and in transit?

Encryption in transit (using TLS) protects against man-in-the-middle attacks between the client and your server.

Encryption at rest (at the disk-level, file-system-level, and database-level) protects against someone taking the physical drive from your machine and overriding your file-system, and prevents a non-authenticated admin from accessing your database.

However, neither encryption in transit nor encryption at rest protects against a malicious agent on your server, because data still gets decrypted to be processed.

With Evervault, data never exists on your infrastructure in plaintext, so it can never be lost or leaked.

Why is Evervault better than open-source encryption libraries?

There are two core reasons why Evervault is better than encryption libraries:

1. No plaintext data on your infrastructure

With encryption libraries like Web Crypto and Tink, you still need to decrypt sensitive data to process and get value from it. With Evervault, sensitive data is never decrypted (i.e. never exists in plaintext) on your infrastructure—so you cannot lose or leak it.

2. No need to manage encryption keys

With encryption libraries, you still need to manage encryption keys. Using Evervault means that you do not need to manage encryption keys. We take full responsibility for key management. The way we configure key management means that Evervault cannot decrypt your data—because your team’s API key is necessary for decryption.

Learn more about the Evervault Encryption Scheme.


Below you'll find questions related to storing encrypted data.

Where do I store data I encrypted with Evervault?

You store the data in your database as normal. There’s no need to change your data structure or format.


Below you'll find questions related to processing encrypted data.

What is an Evervault Cage?

Cages are secure serverless functions for processing encrypted data. They're isolated from your stack, and hosted on Evervault. You can write and deploy any serverless function to a Cage.

What languages do Cages support?

At present, Cages can only be written in Node.js. Expanding language support is on our product roadmap, and we're actively rolling out other languages/frameworks. If there's a specific language you'd like us to support, let us know.

What are the resource limits of Cages?

Cages currently have a maximum memory consumption of 1024MB. This can be increased to 3008MB on request. They currently have 1 available CPU core and this can also be increased to 2 cores on request.

What is the maximum execution time of a Cage?

Cages currently have a maximum of 30 seconds execution time as a result of their request-response serverless architecture. Deploying Docker Containers as Cages (for long-running, stateful processes) is on our roadmap.

How scalable are Cages?

Cages will scale automatically to many thousands of requests per second without a noticeable drop in throughput or latency. We are actively improving Cage latency and scalability for more intense workloads and see this as a core priority for our product roadmap.

Is there a way to verify that Evervault does not have access to the plaintext data?

Evervault does not store encrypted data, and data only exists ephemerally on our infrastructure during a Cage run. Our product roadmap includes a remote attestation feature which will verify that code running inside a Cage matches the expected code, removing the risk of malicious code within Cages or on Evervault’s infrastructure.

Can I send requests to external APIs from a Cage?

Evervault has an API Whitelist feature which lets you create a list of external APIs that your Cage can send requests to. By default, Cages can send requests to any third-party API. Once you add a domain name to the API whitelist in the Dashboard, your Cage will only have network access to the APIs you specify.


Below you'll find questions related to sharing encrypted data.

What is Evervault Relay?

Relay is a proxy for encrypting data before it touches your API, and for decrypting it as you send it to a third-party API or return it to your users.

Inbound Relay is a forward-proxy pointed at your API which will intercept all inbound requests and encrypt fields you specify.

Outbound Relay is an HTTP CONNECT proxy that will automatically decrypt all Evervault-encrypted data that is passed through it.

Combining Inbound Relay and Outbound Relay means you can collect sensitive data (like credit card numbers, SSNs, credentials and health data) from your users and share it with third-parties without ever handling it in plaintext.

Can I use a custom domain name with Relay?

Yes, but you need to contact us to enable this functionality. The only change necessary on your end is the creation of a CNAME DNS record to point your custom domain to Relay.

By default, all Relay URLs are a subdomain of

Does Relay encrypt all my data?

Inbound Relay only encrypts fields that you specify in the Dashboard. Currently, Relay will only encrypt fields in JSON payloads.
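
The caveat in this answer, shown as an added example (not Evervault code): a field-encrypting proxy leaves unlisted fields and non-JSON bodies in plaintext. AES-256-GCM stands in for EES, and the `enc:` marker, matching by key name at any depth, and the function names are assumptions made for the illustration.

```javascript
// Added illustration; not Evervault code. AES-256-GCM stands in for the
// Evervault Encryption Scheme, and the "enc:" prefix is a made-up marker.
const crypto = require('crypto');

const KEY = crypto.randomBytes(32); // demo key held by the stand-in proxy

function encryptValue(value) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return 'enc:' + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Walk a parsed JSON body and encrypt only values whose key is in `fields`
// (assumption: fields are matched by key name at any depth).
function encryptFields(node, fields) {
  if (Array.isArray(node)) return node.map((item) => encryptFields(item, fields));
  if (node === null || typeof node !== 'object') return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = fields.has(key) ? encryptValue(value) : encryptFields(value, fields);
  }
  return out;
}

// Handle a request body the way a field-encrypting proxy would: JSON bodies
// are transformed, any other content type is forwarded unchanged.
function relayBody(contentType, body, fields) {
  if (!/^application\/json\b/i.test(contentType)) return body;
  return JSON.stringify(encryptFields(JSON.parse(body), new Set(fields)));
}

// Constructed sample request.
const sample = JSON.stringify({
  name: 'Ada Example',
  ssn: '000-00-0000',
  card: { number: '4242424242424242', cvc: '123' },
  notes: 'SSN on file is 000-00-0000',
});
const forwarded = relayBody('application/json', sample, ['ssn', 'number', 'cvc']);
console.log(forwarded);
```

The free-text `notes` field still carries the SSN after the transform, which is why the field list should be reviewed against real payloads and not only against the schema.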

Does Relay decrypt all my data before passing it to third-parties?

Yes. Outbound Relay will automatically decrypt any fields containing Evervault-encrypted data before passing it on to third-parties.

How does Relay intercept requests if they are TLS-encrypted?

Relay terminates TLS using certificates issued by its own Root CA and opens a new TLS connection to the request's destination. Relay will automatically generate a new certificate for each server you send a request to. Your application must trust the Evervault Relay Root CA so that Relay can modify the payload.


Where are my Evervault API keys?

Your API keys can be found in Settings.

What can I use Evervault for?


  • Serverless functions. Cages are serverless functions, so you can deploy any code you would deploy to other serverless function services, like AWS Lambda, Firebase Functions, Azure Functions and Cloudflare Workers. The core difference is that you never touch sensitive data in plaintext.
  • Machine learning. Deploy your machine learning model as a Cage, send it the data you encrypt with Relay, and get the result.
  • Document generation. Encrypt & store identity data (like addresses and social security numbers), generate a document in a Cage, and send it to a third-party direct mail API like Lob.
  • API authorization. Encrypt your users' credentials for third-party services using Relay, and authorize with those services by running a headless browser in, or calling an API from, a Cage.


Encrypt sensitive data.

You can use Relay to encrypt sensitive customer and user data. For example:

  • Identity & contact data. Any data that relates to the identity of your users, including addresses, phone numbers, social security numbers, tax numbers, government issued IDs, and biometric information.
  • Financial & transaction data. Bank account information, cardholder data (card number, CVC code, and expiration date), and payment records.
  • Health & medical data. Medical history, biological & genetic data, and healthcare & insurance provider information.
  • Intellectual property (IP) & proprietary data. Sensitive documents, trade secrets, and ML models & datasets.

Interact with APIs.

Encrypt requests and responses when you communicate with third-party APIs. For example:

  • Encrypt & store biometric information and send it to an identity verification API, like Onfido.
  • Encrypt & store phone numbers and send them to a communications API, like Twilio.
  • Encrypt labelled ML training data returned from a data labelling API, like Scale.

Secure your secrets.

Encrypt your users' credentials for third-party services using Relay, and authorize with those services by running a headless browser in, or calling an API from, a Cage.

Is Evervault compliant?

We are fully SOC 2 Type II compliant. We can enter into BAAs under HIPAA. We are in the process of becoming PCI DSS Level 1 compliant.


What languages are Evervault's SDKs?

Our client-side SDKs are JavaScript and React.js. We have a React Native SDK coming soon.

Our server-side SDKs are Node.js, Python, Ruby and PHP. We have a Go SDK coming soon.

Does Evervault have a test/sandbox mode?

Evervault teams have an optional test mode setting. With test mode enabled, you will not be charged for any Cage runs or Relay decrypts.

In test mode, each Cage has a limit of 5 concurrent executions. If a Cage receives more than 5 concurrent runs, the API will return a 429 Too Many Requests error and the execution will be ignored.
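
One way to stay under the test-mode limit from the client side, as an added example that is not part of Evervault's SDKs: cap in-flight runs at 5 and retry any run that still returns 429, so that no input is silently dropped. `runCage` and `makeFakeCage` are hypothetical stand-ins for the real Cage call.

```javascript
// Added example; runCage is a caller-supplied stand-in for the real Cage call.
const TEST_MODE_LIMIT = 5; // concurrent executions per Cage in test mode (from the FAQ)

// Run `inputs` through `runCage` with at most `limit` calls in flight, and
// retry any call that still comes back 429 so that no input is silently dropped.
async function runAll(inputs, runCage, { limit = TEST_MODE_LIMIT, retries = 3, delayMs = 50 } = {}) {
  const results = new Array(inputs.length);
  let next = 0;
  async function worker() {
    while (next < inputs.length) {
      const i = next++;
      for (let attempt = 0; ; attempt++) {
        const res = await runCage(inputs[i]);
        // Stop on success, or surface the 429 once retries are exhausted.
        if (res.status !== 429 || attempt === retries) { results[i] = res; break; }
        await new Promise((r) => setTimeout(r, delayMs * 2 ** attempt)); // backoff
      }
    }
  }
  await Promise.all(Array.from({ length: Math.min(limit, inputs.length) }, worker));
  return results;
}

// Constructed stand-in for a Cage in test mode: a run that arrives while
// `limit` runs are already executing gets a 429 and is not executed.
function makeFakeCage(limit = TEST_MODE_LIMIT) {
  const stats = { inFlight: 0, peak: 0, rejected: 0 };
  async function run(input) {
    if (stats.inFlight >= limit) { stats.rejected++; return { status: 429 }; }
    stats.inFlight++;
    stats.peak = Math.max(stats.peak, stats.inFlight);
    await new Promise((r) => setTimeout(r, 5)); // simulated execution time
    stats.inFlight--;
    return { status: 200, result: input * 2 };
  }
  return { run, stats };
}
```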