Rotating Encryption Keys
Escape encrypts all stored credentials, authentication material, captured request bodies, and generated reports at rest. On the standard SaaS, encryption keys are Escape-managed and rotated on a schedule. Enterprise deployments unlock two additional modes: customer-supplied rotation schedules and customer-managed keys.
What's Encrypted
- Credentials and tokens configured on Profiles (API keys, OAuth tokens, preset secrets).
- Captured scan payloads: request bodies, response bodies, and browser-context snapshots.
- Reports and evidence: generated PDF reports, CSV exports, Proof-of-Exploit bundles.
- Audit logs: both in-transit and at rest.
Application data not in the list above (for example public asset names and endpoint paths) is still encrypted at rest by the underlying cloud storage, but isn't subject to the application-layer key hierarchy.
Standard: Escape-Managed Rotation
On the default SaaS tenant, Escape manages the key hierarchy:
- Data encryption keys (DEKs) are unique per tenant and per data class.
- DEKs are wrapped by a key-encryption key (KEK) stored in Escape's KMS.
- The KEK rotates on a published schedule; previous DEKs remain available for decrypt-only until their retention window closes.
For the standard SaaS, the rotation schedule is non-negotiable and documented in the SOC 2 report.
Enterprise: Customer-Managed Keys and Custom Rotation
On a Private Tenant, two additional options are available:
- Custom rotation schedule: change the KEK rotation frequency to match your policy (for example rotate every 30 days instead of the default cadence). The rotation event is a tenant-scoped operation; scan operations continue uninterrupted.
- Customer-managed keys (BYOK): plug in your own KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault) as the root of trust. Escape uses envelope encryption: your KMS wraps the Escape-generated DEKs, and you retain the ability to revoke the key and make the tenant data unrecoverable.
Revoking the customer-managed KEK is destructive and irreversible. That's the point: it's the on-off switch for your data residency in Escape.
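As an added illustration (not Escape's code), the key hierarchy described above in Python: a hypothetical in-memory KMS class stands in for the customer-managed root of trust, an HMAC-SHA256 construction stands in for the AEAD a real deployment would implement with AES-GCM, and the seal/open_/encrypt/decrypt names are assumptions. It walks through a scheduled KEK rotation, the retirement of an old KEK version once its retention window closes, and customer revocation, showing that rotation leaves existing records readable while retirement or revocation leaves them unrecoverable even though the ciphertext still exists.

```python
import hashlib
import hmac
import os

def _h(key, msg):  # HMAC-SHA256 is the only primitive this example needs
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):  # HMAC-derived keystream, counter-mode style
    blocks = (_h(key, nonce + i.to_bytes(4, "big")) for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

# Stand-in AEAD (HMAC keystream + encrypt-then-MAC) so the example runs on the
# standard library; a real deployment would use AES-GCM here.
def seal(key, plaintext):
    ek, mk, nonce = _h(key, b"enc"), _h(key, b"mac"), os.urandom(16)
    ct = _xor_stream(ek, nonce, plaintext)
    return nonce + ct + _h(mk, nonce + ct)

def open_(key, blob):
    ek, mk = _h(key, b"enc"), _h(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _h(mk, nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(ek, nonce, ct)

class KMS:
    """Hypothetical in-memory stand-in for the customer's KMS (the root of trust)."""
    def __init__(self):
        self.keks = {}  # every KEK version still held; old ones are decrypt-only
        self.rotate()
    def rotate(self):  # new version becomes the only one that wraps new DEKs
        self.active = f"kek-v{len(self.keks) + 1}"
        self.keks[self.active] = os.urandom(32)
    def retire(self, kek_id):  # retention window for an old version has closed
        del self.keks[kek_id]
    def revoke(self):  # customer destroys the root key: nothing can be unwrapped
        self.keks.clear()

def encrypt(kms, plaintext):
    dek = os.urandom(32)  # fresh DEK per record here; the KEK never touches the data
    return {"kek_id": kms.active, "wrapped_dek": seal(kms.keks[kms.active], dek),
            "data": seal(dek, plaintext)}

def decrypt(kms, envelope):
    """Returns the plaintext, or None when the wrapping KEK is revoked or retired."""
    kek = kms.keks.get(envelope["kek_id"])
    if kek is None:
        return None
    return open_(open_(kek, envelope["wrapped_dek"]), envelope["data"])
```

Rotating only adds a KEK version, so nothing stored is re-encrypted; records wrapped under an earlier version stay readable until that version is retired or the customer revokes the root key.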
Compliance Mapping
- SOC 2 CC6: documented at-rest encryption and key rotation.
- ISO 27001 Annex A.8.24: use of cryptography with audited rotation.
- GDPR Article 32(1)(a): encryption as a technical safeguard.
- HIPAA 164.312(a)(2)(iv): encryption and decryption of ePHI.
The per-framework reporting under Comply attaches the key-management evidence automatically when these blocks are enabled.
How to Get Started
Customer-managed keys are configured during Private Tenant onboarding. Contact your account team or support@escape.tech. Plan for a 24-hour handshake between your KMS and the tenant setup.