End-to-End Encryption
At a glance
- At rest
- AES-256
- In transit
- TLS 1.2+ (1.3 preferred)
- Key management
- Managed KMS, rotation
- Scope
- Storage, databases, backups, messaging
In transit
Every connection between apps, services and integrations is encrypted with TLS 1.2 or higher (TLS 1.3 preferred), with modern cipher suites and certificate management. Internal service-to-service traffic is likewise encrypted.
At rest
- AES-256 encryption for databases, object storage and backups.
- Field-level protection for the most sensitive identifiers and health data.
- Encrypted, access-controlled backups with tested restoration.
Key management
Keys are generated and stored in a managed key-management service, separated from the data they protect, with least-privilege access, rotation and audit logging. Application secrets are held in a secrets manager, never in source code.
A note on “end-to-end”
We use “end-to-end encrypted” to mean data is encrypted across every hop and at rest throughout its lifecycle. Where a feature requires server-side processing (for example AI assistance or clinician review), that processing happens inside our encrypted, access-controlled environment under the consent and contracts described across this Trust Center.
Documentation available on request
- Encryption & key-management overview
- TLS configuration / external scan summary
Provided to qualified reviewers under a mutual NDA via contactus@desha.ai.
