FAQ
These are some questions we are frequently asked by our customers.
Encryption
Below you'll find questions related to encrypting data.
What encryption scheme does Evervault use?
You can learn more about the Evervault Encryption Scheme (EES) here.
Do I need to manage encryption keys?
No. Simply include our SDKs and Relay your data or deploy your functions to an Evervault Function. We handle everything else.
Why is Evervault better than encryption at rest and in transit?
Encryption in transit (using TLS) protects against man-in-the-middle attacks between the client and your server.
Encryption at rest (at the disk level, file-system level, and database level) protects against someone taking the physical drive from your machine and overriding your file system, and prevents a non-authenticated admin from accessing your database.
However, neither encryption in transit nor encryption at rest protects against a malicious agent on your server, because data still gets decrypted to be processed.
With Evervault, data never exists on your infrastructure in plaintext — so it can never be lost or leaked.
Why is Evervault better than open-source encryption libraries?
There are two core reasons why Evervault is better than encryption libraries:
1. No plaintext data on your infrastructure
With encryption libraries like Web Crypto and Tink, you still need to decrypt sensitive data to process and get value from it. With Evervault, sensitive data is never decrypted (i.e. never exists in plaintext) on your infrastructure—so you cannot lose or leak it.
2. No need to manage encryption keys
With encryption libraries, you still need to manage encryption keys. Using Evervault means that you do not need to manage encryption keys. We take full responsibility for key management. The way we configure key management means that Evervault cannot decrypt your data—because your app’s API key is necessary for decryption.
Storage
Below you'll find questions related to storing encrypted data.
Where do I store data I encrypted with Evervault?
You store the data in your database as normal. There’s no need to change your data structure or format.
Roles
Below you'll find questions related to roles in your account.
What are the available roles within my account?
In your Pro account you will see a dropdown of available roles within your team. The available roles are “Admin”, “Developer”, and “Read Only.”
Roles differ in the permissions they grant for reading, creating, deleting, and updating resources within an Evervault team account.
If you are an admin of a team, you can make any other member an admin or adjust their role. You can also control resource and service access by using Scoped API Keys.
Admin
Resource | Read | Create | Update | Delete |
---|---|---|---|---|
Teams | ✅ | ✅ | ✅ | ✅ |
Apps | ✅ | ✅ | ✅ | ✅ |
Relay | ✅ | ✅ | ✅ | ✅ |
Functions | ✅ | ✅ | ✅ | ✅ |
Enclaves | ✅ | ✅ | ✅ | ✅ |
API Keys | ✅ | ✅ | ✅ | ✅ |
Invites | ✅ | ✅ | ✅ | ✅ |
See team members | ✅ | ✅ | ✅ | ✅ |
Notifications | ✅ | ✅ | ✅ | ✅ |
Third-party integrations | ✅ | ✅ | ✅ | ✅ |
Logs | ✅ | ❌ | ❌ | ❌ |
Billing | ✅ | ❌ | ✅ | ❌ |
Developer
Resource | Read | Create | Update | Delete |
---|---|---|---|---|
Teams | ✅ | ❌ | ❌ | ❌ |
Apps | ✅ | ✅ | ✅ | ✅ |
Relay | ✅ | ✅ | ✅ | ✅ |
Functions | ✅ | ✅ | ✅ | ✅ |
Enclaves | ✅ | ✅ | ✅ | ✅ |
API Keys | ✅ | ✅ | ✅ | ✅ |
Invites | ✅ | ❌ | ❌ | ❌ |
See team members | ✅ | ❌ | ❌ | ❌ |
Notifications | ✅ | ✅ | ✅ | ✅ |
Third-party integrations | ✅ | ❌ | ❌ | ❌ |
Logs | ✅ | ❌ | ❌ | ❌ |
Billing | ✅ | ❌ | ❌ | ❌ |
Read-Only
Resource | Read | Create | Update | Delete |
---|---|---|---|---|
Teams | ✅ | ❌ | ❌ | ❌ |
Apps | ✅ | ❌ | ❌ | ❌ |
Relay | ✅ | ❌ | ❌ | ❌ |
Functions | ✅ | ❌ | ❌ | ❌ |
Enclaves | ✅ | ❌ | ❌ | ❌ |
API Keys | ❌ | ❌ | ❌ | ❌ |
Invites | ❌ | ❌ | ❌ | ❌ |
See team members | ✅ | ❌ | ❌ | ❌ |
Notifications | ✅ | ❌ | ❌ | ❌ |
Third-party integrations | ✅ | ❌ | ❌ | ❌ |
Logs | ✅ | ❌ | ❌ | ❌ |
Billing | ✅ | ❌ | ❌ | ❌ |
Other
Where are my Evervault API keys?
Your API keys can be found in Settings. You can learn more on our dedicated docs page.
Whitelisting Evervault IPs
Evervault provides a set of static IP addresses which can be used to ensure requests are originating from our infrastructure.
In the case of Relay, the request IP will always be one of the addresses in the list below. Requests from Functions do not use these IPs by default, but can be configured to do so. If you're interested, contact us at support@evervault.com to get access.
If you need to modify an allowlist to accommodate these IPs, the following static IP addresses should be whitelisted to allow requests from Evervault:
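Added example, not part of Evervault's documentation: one way a receiving service could enforce such an allowlist in Python when it sits behind its own load balancer. The allowlist entries are placeholders from the RFC 5737 documentation range, and `TRUSTED_PROXIES` and the function names are hypothetical. `X-Forwarded-For` is only consulted when the TCP peer is one of your own proxies, and it is read right to left, because entries further left are supplied by the client and can be forged.

```python
import ipaddress

# Placeholders from the RFC 5737 documentation range, NOT Evervault's real IPs.
EVERVAULT_ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]
# Assumption: your own load balancers, which append the peer to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse(text):
    addr = ipaddress.ip_address(text.strip())
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; compare as IPv4.
    return getattr(addr, "ipv4_mapped", None) or addr


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, x_forwarded_for=None):
    """Return the nearest hop that is not one of our own proxies, or None.

    The TCP peer is authoritative unless it is a trusted proxy. Only then is
    the header walked from the right until the first untrusted hop is found.
    """
    addr = _parse(peer_ip)
    if not _in_any(addr, TRUSTED_PROXIES) or not x_forwarded_for:
        return addr
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            addr = _parse(hop)
        except ValueError:
            return None  # malformed header: fail closed
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return addr  # every hop was one of our own proxies


def from_evervault(peer_ip, x_forwarded_for=None):
    """True only if the effective client address is on the allowlist."""
    addr = effective_client_ip(peer_ip, x_forwarded_for)
    return addr is not None and _in_any(addr, EVERVAULT_ALLOWLIST)
```

An IP allowlist only narrows where requests can come from; it complements, and does not replace, authenticating the request itself.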
Is Evervault compliant?
Evervault are a PCI DSS Level 1 Service Provider and SOC 2 Type II compliant. We can enter into BAAs under HIPAA. Request our reports
Evervault's Setup Guide
As with any cloud-based application, there are areas where both the consumer and the service provider have to manage information security responsibilities. Evervault follows the traditional SaaS model for security responsibilities. Evervault are responsible for the systems used to deliver the proposed services, and the customer is responsible for the data they choose to put through our systems and how they interact with our systems.
Securing your credentials to access our platform is a critical step in protecting your environment. We have made several options available to enhance the security of access to the platform. It is up to you to ensure these are configured. In addition to standard good security hygiene, Evervault suggest, at a minimum, the following good security practices for using Evervault securely:
Management Plane Access
- Implement an approval process for access and monitor account activity
- Allocate access on a least privilege basis
- Allocate credentials to individual users; do not share accounts
- Quickly Amend / Remove User Access when no longer required
- Frequently Review Access
- Store and Share Credentials and API keys Securely
- Rotate API Keys when an administrator leaves
- Select robust, hard-to-guess passwords
- Enable Multi-factor authentication
- Disable Accounts immediately if you suspect compromise and alert support@evervault.com for further support.
- Store your API key in a secure secrets manager application
- Configure logging and alerting to record any access to / unexpected activity involving the API key
Data Plane (app.evervault.com)
- Constantly review the fields that you have chosen to encrypt to ensure they are adequate
- Constantly review the chosen destination end points for your encrypted and decrypted data flows
- Implement a change and approval process to authorise changes to destinations and fields
- Adhere to Evervault patch advisories if SDKs are in use