Enterprise Security | VectorScaleDB

AES-256-GCM Envelope Encryption

Two-tier key hierarchy ensures that compromising a single key never exposes your entire dataset.

Data Encryption Keys

Per-Record DEKs

Each data record is encrypted with a unique Data Encryption Key (DEK) using AES-256-GCM authenticated encryption. Each record receives a unique encryption key that is never stored in plaintext. GCM mode provides both confidentiality and tamper detection through its authentication tag.

Key Encryption Keys

KEK Hierarchy

Each DEK is itself encrypted by a Key Encryption Key (KEK) before storage. KEKs are managed separately from data, enabling key rotation without re-encrypting the underlying data. Key rotation completes without re-encrypting stored data.

Authenticated Encryption

Tamper Detection Built In

AES-256-GCM produces an authentication tag alongside every ciphertext. Any modification to encrypted data — even a single flipped bit — is detected at decryption time. No silent corruption, no undetected tampering.

Per-Tenant Key Management

Cryptographic isolation between tenants. Each tenant's data is encrypted with tenant-specific keys that no other tenant can access.

Isolation

Tenant-Scoped KEKs

Every tenant receives a dedicated KEK. Even in a shared deployment, one tenant's data is cryptographically inaccessible to another. A compromised tenant key affects only that tenant — blast radius is contained by design.

Rotation

Automated Key Rotation

Schedule key rotation per tenant on configurable intervals. When a rotation fires, the system generates a new KEK, re-wraps all active DEKs under the new key, and retires the old KEK — all without downtime or data re-encryption.

Compliance

Rotation Audit Trail

Every key rotation event is recorded in the audit chain with the rotation timestamp, key version, and operator identity. Compliance teams can prove rotation adherence without accessing the keys themselves.

Role-Based Access Control

Fine-grained permissions enforced at the API layer. Every request is authenticated, authorized, and logged.

Roles

Predefined + Custom Roles

Ship with built-in roles — Admin, Operator, Analyst, ReadOnly — or define custom roles with granular permission sets. Roles map to specific API endpoints and operations, ensuring least-privilege access by default.

Scoping

Tenant + Entity Scoping

Permissions can be scoped to specific tenants, entity types, or even individual entities. An analyst in the finance domain sees only financial entities; a fleet operator sees only vehicle telemetry.

Enforcement

Middleware-Level Enforcement

Authorization checks happen in the middleware layer before any query reaches the engine. Unauthorized requests are rejected with zero data exposure — the engine never sees them.

SHA-256 Audit Chain

Every action produces a cryptographically chained audit event. Tamper with one record and the entire chain breaks.

Chaining

Hash-Linked Events

Each audit event includes a SHA-256 hash of the previous event, forming an append-only chain. Inserting, deleting, or modifying any event invalidates all subsequent hashes. The chain is verified on every read via /v1/admin/audit.

Coverage

Full Operation Logging

Data ingestion, queries, deletions, key rotations, role changes, configuration updates — every operation that touches data or security state produces an audit event with actor identity, timestamp, resource, and outcome.

Verification

Chain Integrity Checks

The chain_verified field in audit responses confirms the integrity of the entire chain up to that point. Automated background verification runs continuously, surfacing any inconsistency before it reaches compliance reports.

Privacy by Design

GDPR-compliant entity deletion and differential privacy on query results — built into the engine, not bolted on.

GDPR

Right-to-Erasure Compliance

A single DELETE /v1/admin/entity/{id} call purges all records, compressed segments, index entries, and cached data for that entity. The response confirms record counts, segment counts, and generates an audit event proving deletion.

Differential Privacy

Laplacian Noise on Centroids

Query results that return aggregate centroid vectors have mathematically calibrated noise applied to aggregate results. This prevents reconstruction of individual entity behavior from cluster-level queries — mathematical privacy guarantees, not policy alone.

Data Sovereignty

Tenant Data Boundaries

Per-tenant encryption keys, scoped RBAC, and entity-level deletion ensure that tenant data never leaks across boundaries. Federated deployments respect data locality — segments stay in their jurisdiction.

Trust Network

Decentralized trust verification ensures no single entity can control the network. Governance decisions require multi-party cooperation.

Governance

Threshold Signing

Critical operations require agreement from multiple independent keyholders. No single party — not even the network operator — can unilaterally modify trust parameters, revoke licenses, or alter safety constraints.

Integrity

Anti-Impersonation

Behavioral trust scoring tracks node history and detects impersonation attempts. The arbiter system resolves disputes through cryptographic evidence. Low-trust nodes are automatically quarantined from sensitive operations.

Consent

Universal Irrevocable Consent

Consent gates every entity type — not just neural data, but all behavioral, biological, and personal data. Revocation is a compile-time irrevocable latch: there is no admin-override method, no emergency bypass, no temporary suspension. A subject's revocation is final and propagates immediately. Enforced by the type system, not a policy document.

Safety as Physics, Not Policy

The strongest guarantees are the ones an attacker cannot defeat even with the documentation open. These constraints are compile-time invariants enforced by the Rust type system — not configuration, not policy, not toggles.

No Self-Propagation

It Cannot Install Itself Anywhere New

VectorScaleDB physically cannot install itself, leap to, or deploy onto a host where it is not already running. The propagation guard is a compile-time invariant — there is no code path to deploy to a new host. Federation connects only to nodes that already exist. This is not a setting that can be flipped.

Bounded Self-Improvement

It Cannot Rewrite Its Own Safety

The system can optimize routing, compression, and federation parameters. It cannot modify its own safety constraints, consensus rules, or trust model — no code path exists for autonomous constraint modification. Changing governance requires a multi-party quorum, by construction.

Biological Invariants

12 Compile-Time Biological Guarantees

For deployments that touch biological substrates, twelve additional compile-time invariants (B1–B12) hold: containment, no uncontrolled replication, continuous active consent, biodegradation guarantees, genetic-diversity preservation, and material biocompatibility — each verified at the type level, each effective even when an attacker has read the docs.

See It in Action

Query the audit trail, verify chain integrity, and perform GDPR-compliant deletion — all through the REST API.

# Query audit trail for a specific time range and action type
curl "https://api.vectorscaledb.com/v1/admin/audit?\
start=2026-03-08T00:00:00Z&\
end=2026-03-08T23:59:59Z&\
action=data_access&\
limit=100" \
  -H "Authorization: Bearer $ADMIN_TOKEN"

# GDPR right-to-erasure: delete all data for an entity
curl -X DELETE \
  "https://api.vectorscaledb.com/v1/admin/entity/user-eu-12847" \
  -H "Authorization: Bearer $ADMIN_TOKEN"

# Response confirms complete purge
# {
#   "entity_id": "user-eu-12847",
#   "records_deleted": 84291,
#   "segments_purged": 127,
#   "audit_event_id": "evt-del-3c4d5e",
#   "completed_at": "2026-03-08T16:00:01Z"
# }

{
  "events": [
    {
      "event_id": "evt-9f8a7b6c",
      "timestamp": "2026-03-08T14:22:01Z",
      "action": "data_access",
      "actor": "user:jdoe",
      "resource": "entity:vehicle-0042",
      "chain_hash": "sha256:a1b2c3d4e5f6..."
    },
    {
      "event_id": "evt-8e7d6c5b",
      "timestamp": "2026-03-08T14:21:58Z",
      "action": "data_access",
      "actor": "user:analyst-03",
      "resource": "entity:sensor-fleet-17",
      "chain_hash": "sha256:f6e5d4c3b2a1..."
    }
  ],
  "total": 247,
  "chain_verified": true
}