**Tags**: #MemberData #Transparency #Encryption #ConfidentialCompute
> [!info]
> This information is shared as part of Decombine's commitment to [[Open Core]] practices.
# Encryption
Decombine uses encryption At Rest, In Transit, and In Use to provide industry-leading security for Member data. The underlying [[Cloud Service Providers (CSP)]] we work with do not have access to your data.
### Encryption: At Rest
Storage uses transparent 256-bit AES encryption that is FIPS 140-2 compliant. For details on the underlying vendor cryptographic API, see [Cryptography API: Next Generation](https://learn.microsoft.com/en-us/windows/desktop/seccng/cng-portal).
Member data is exclusively encrypted at rest through two mechanisms:
#### Host-based Encryption
Host-based encryption encrypts the operating system (OS) and cache disks of our confidential compute clusters and keeps the data encrypted as the underlying compute systems communicate with their virtual hosts.
#### Service-side Encryption
Service-side encryption covers non-confidential-compute storage, such as the contract file storage of PDFs in each geographic region, ensuring that Member data not located on Decombine confidential compute clusters is still safely encrypted.
### Encryption: In Transit
Member data is exclusively transmitted over the Internet using Transport Layer Security (TLS) 1.2 or above. You can read more about how we keep traffic secure at [[Network Security]].
Decombine has selected Let's Encrypt as its TLS certificate provider. Member data is transmitted to API ingress points using Let's Encrypt TLS certificates. The API ingress systems decrypt the traffic on Decombine's private networks before routing the traffic to confidential compute clusters.
Within the confidential compute clusters, traffic between discrete services is re-encrypted with mutual TLS (mTLS). Distributed Application Runtime (Dapr) sidecars intercept the service-to-service traffic and handle the mTLS on each side of the connection.
Decombine uses automated processes to request, install, and rotate TLS certificates throughout our infrastructure.
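The two transport controls described above, a TLS 1.2 floor and mutual TLS between services, in working form. This is an added example and not Decombine's or Dapr's code: a Go server that refuses anything below TLS 1.2 and only completes a handshake with clients presenting a certificate issued by its private CA. The CA, the service names `service-a` and `service-b`, and the unrelated `rogue-ca` are all constructed in memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert mints a certificate in memory (constructed for this example). With
// parent == nil it is self-signed and acts as a CA; otherwise parent signs it.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// exchange opens one TLS connection over loopback and returns the greeting the
// server sends after verifying the client. A rejected handshake surfaces as a
// client-side error: the server sends a TLS alert and closes the connection.
func exchange(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		tc := conn.(*tls.Conn)
		if tc.Handshake() == nil { // only reached when the client cert chains to our CA
			fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer client.Close()
	client.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 64)
	n, err := client.Read(buf)
	return string(buf[:n]), err
}

// RunMTLSDemo builds a private CA plus certificates for service-a (server) and
// service-b (client), then tries three connections against a server that
// requires client certificates: trusted cert, no cert, cert from an unrelated CA.
func RunMTLSDemo() (trustedReply string, noCertRejected, untrustedRejected bool) {
	_, ca, caKey := issueCert("example-ca", true, nil, nil)
	serverCert, _, _ := issueCert("service-a", false, ca, caKey)
	clientCert, _, _ := issueCert("service-b", false, ca, caKey)
	_, rogueCA, rogueKey := issueCert("rogue-ca", true, nil, nil)
	rogueCert, _, _ := issueCert("intruder", false, rogueCA, rogueKey)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	serverCfg := &tls.Config{
		MinVersion:   tls.VersionTLS12, // the floor stated on the page: nothing below TLS 1.2
		Certificates: []tls.Certificate{serverCert},
		ClientCAs:    trust,
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the TLS mutual
	}
	withCert := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: "service-a", Certificates: []tls.Certificate{clientCert}}
	noCert := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: "service-a"}
	withRogue := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: "service-a", Certificates: []tls.Certificate{rogueCert}}
	trustedReply, _ = exchange(serverCfg, withCert) // expected: "hello service-b"
	_, err := exchange(serverCfg, noCert)
	noCertRejected = err != nil
	_, err = exchange(serverCfg, withRogue)
	untrustedRejected = err != nil
	return
}
```

`RequireAndVerifyClientCert` is the setting that turns one-way TLS into mTLS: the server both demands a client certificate and checks that it chains to a CA in `ClientCAs`. The `rogue-ca` case shows why the verify half matters: a client can present a perfectly valid certificate, but if it was not issued by the cluster's own CA the handshake still fails.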
### Encryption: In Use / In Process
Member data is processed exclusively on confidential compute systems and never leaves the confidential enclaves until it must be transmitted to a partner vendor (based on your requirements) or to you.
Decombine has selected Microsoft Azure Confidential Compute as its Confidential Compute partner.
Encryption In Use is currently achieved by leveraging AMD SEV-SNP supported processors on dedicated Virtual Machines. Learn more about SEV-SNP through the whitepaper published by AMD: [AMD SEV-SNP: Strengthening VM Isolation with Integrity Protection and More](https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf).
## Confidential Attestation
Decombine is developing a Confidential Compute Attestation Service to provide cryptographic verification and evidence of services operating on Confidential Compute systems. Artifacts and proofs generated by this service will be made open source and publicly available for consumption and verification by third parties.
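What a third party verifying such artifacts would check, as an added example that is not Decombine's attestation service and does not parse AMD's report format: a Go model in which a relying party verifies that an attestation report was signed by the trusted attestation key, that it answers the nonce the relying party supplied (so a captured report cannot be replayed), and that the launch measurement is one it has approved. The `Report` struct (a 48-byte measurement and 64 bytes of report data, sized like the SEV-SNP fields), the ECDSA P-384 key standing in for the platform's attestation key, and the measurement value are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

// Report is a simplified stand-in for an attestation report: the launch
// measurement of the workload plus verifier-supplied data that the platform
// echoes back under its signature. Real SEV-SNP reports carry many more
// fields in a fixed binary layout; this struct models only the checks below.
type Report struct {
	Measurement [48]byte // launch digest of the guest image (48 bytes, as in SEV-SNP)
	ReportData  [64]byte // nonce chosen by the relying party for this request
	Signature   []byte   // ASN.1 ECDSA signature over Measurement || ReportData
}

func (r *Report) body() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.ReportData[:]...)
}

// sign stands in for the platform's attestation key signing the report.
// Assumption for the example: ECDSA P-384 over SHA-384.
func sign(key *ecdsa.PrivateKey, r *Report) error {
	digest := sha512.Sum384(r.body())
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	r.Signature = sig
	return err
}

// Verifier holds what a relying party trusts: the attestation public key and
// the launch measurements it is prepared to accept.
type Verifier struct {
	Pub      *ecdsa.PublicKey
	Accepted map[[48]byte]bool
}

// Verify checks, in order, that the report was signed by the trusted key, that
// it answers this verifier's nonce (not a replay), and that the measured
// workload is one the verifier has approved.
func (v *Verifier) Verify(r *Report, nonce [64]byte) error {
	digest := sha512.Sum384(r.body())
	if !ecdsa.VerifyASN1(v.Pub, digest[:], r.Signature) {
		return errors.New("signature invalid: not produced by the trusted attestation key")
	}
	if !bytes.Equal(r.ReportData[:], nonce[:]) {
		return errors.New("nonce mismatch: report is stale or replayed")
	}
	if !v.Accepted[r.Measurement] {
		return fmt.Errorf("measurement %s... is not an approved workload", hex.EncodeToString(r.Measurement[:8]))
	}
	return nil
}

// RunAttestationDemo exercises the verifier with a genuine report, a report
// whose measurement was altered, a genuine report replayed against a fresh
// nonce, and a report signed by a key the verifier does not trust.
func RunAttestationDemo() (genuineOK, tamperedRejected, replayRejected, wrongKeyRejected bool) {
	attKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	var approved [48]byte
	copy(approved[:], "constructed launch digest of the approved image") // sample value, not a real digest
	v := &Verifier{Pub: &attKey.PublicKey, Accepted: map[[48]byte]bool{approved: true}}

	var nonce [64]byte
	rand.Read(nonce[:])
	genuine := &Report{Measurement: approved, ReportData: nonce}
	sign(attKey, genuine)
	genuineOK = v.Verify(genuine, nonce) == nil

	tampered := *genuine // same signature, altered measurement: signature check fails
	tampered.Measurement[0] ^= 0xff
	tamperedRejected = v.Verify(&tampered, nonce) != nil

	var freshNonce [64]byte // a new session must get a new report, not an old one
	rand.Read(freshNonce[:])
	replayRejected = v.Verify(genuine, freshNonce) != nil

	otherKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	forged := &Report{Measurement: approved, ReportData: nonce}
	sign(otherKey, forged)
	wrongKeyRejected = v.Verify(forged, nonce) != nil
	return
}

func main() {
	fmt.Println(RunAttestationDemo()) // true true true true
}
```

The order of the checks matters: the signature is verified first, so the nonce and measurement are only consulted once they are known to be the values the platform actually attested to. In a real deployment the trusted public key would itself be established through the vendor's certificate chain rather than held directly in the verifier.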