securitybyokcompliance
BYOK Security Model: How Sylica Stores Provider Keys
A concise overview of BYOK encryption, key lifecycle, and operational safeguards in Sylica.
Bring-your-own-key data is encrypted at rest using AES-256-GCM with per-record IVs.
Plaintext provider keys are only materialized on the request path and are never stored in logs.
Org isolation is enforced at query boundaries, and key scope controls reduce blast radius when keys are shared across environments.
For customers with stricter requirements, Sylica supports DPA workflows and subprocessors transparency through dedicated compliance pages.