Encrypted Storage

Your keys never leave your machine

SessionWise encrypts stored data with envelope encryption by default. Our servers hold only ciphertext. AI analysis runs via Google Cloud Vertex AI (SOC 2 certified).

How encryption works

Envelope encryption — four steps from plaintext to ciphertext

1. Data Encryption Key (DEK)

Each piece of data gets its own unique encryption key, generated locally on your machine using cryptographically secure randomness.

2. Encrypt with DEK

Your session data, knowledge nuggets, and analysis results are encrypted with XChaCha20-Poly1305 using the unique DEK. This happens entirely on your device.

3. Wrap DEK with KEK

The DEK is then encrypted (wrapped) with your organization's Key Encryption Key (KEK). Only the encrypted DEK is stored alongside the ciphertext.

4. Upload encrypted blob

Only the encrypted blob + encrypted DEK are uploaded to storage. Without your KEK, the stored data cannot be decrypted.
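
The four steps above as a runnable sketch, added here as an example and not SessionWise's own code. Node's built-in crypto has no XChaCha20-Poly1305, so the IETF ChaCha20-Poly1305 AEAD (12-byte nonce) stands in for it; the function names, the record field `blob` and the nonce || tag || ciphertext layout are assumptions.

```javascript
// Added example, not SessionWise code. Stand-in cipher: IETF ChaCha20-Poly1305
// from Node's built-in crypto (the page's XChaCha20 variant needs libsodium).
const nodeCrypto = require('node:crypto');

const ALG = 'chacha20-poly1305';
const NONCE_LEN = 12; // XChaCha20 would use 24 bytes, safer for random nonces under a long-lived KEK
const TAG_LEN = 16;

// AEAD-encrypt `plaintext` under `key`; returns nonce || tag || ciphertext.
function aeadSeal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const c = nodeCrypto.createCipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverse of aeadSeal; throws if the key is wrong or any byte was modified.
function aeadOpen(key, blob) {
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const d = nodeCrypto.createDecipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  return Buffer.concat([d.update(blob.subarray(NONCE_LEN + TAG_LEN)), d.final()]);
}

// Steps 1-3: fresh DEK per item, encrypt with the DEK, wrap the DEK with the KEK.
// The returned record is what step 4 would upload; neither key appears in it.
function envelopeEncrypt(kek, plaintext) {
  const dek = nodeCrypto.randomBytes(32);                 // step 1: local CSPRNG
  const record = {
    blob: aeadSeal(dek, plaintext).toString('hex'),       // step 2
    encrypted_dek: aeadSeal(kek, dek).toString('hex'),    // step 3
  };
  dek.fill(0);                                            // best-effort wipe of the plaintext DEK
  return record;
}

// Client-side read path: unwrap the DEK with the KEK, then open the blob.
function envelopeDecrypt(kek, record) {
  const dek = aeadOpen(kek, Buffer.from(record.encrypted_dek, 'hex'));
  return aeadOpen(dek, Buffer.from(record.blob, 'hex'));
}

// Constructed sample input; a real KEK would come from the OS keyring.
const demoKek = nodeCrypto.randomBytes(32);
const demoRecord = envelopeEncrypt(demoKek, Buffer.from('constructed session data'));
console.log(demoRecord, envelopeDecrypt(demoKek, demoRecord).toString());
```

Because both layers are authenticated, a wrong KEK or a modified stored row makes `envelopeDecrypt` throw instead of returning altered plaintext.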

What you write

Your actual code and session data

// auth/middleware.ts
export function validateToken(token: string) {
  const decoded = jwt.verify(token, SECRET);
  return decoded.userId;
}
// AI Analysis: "Pattern detected — JWT validation
// without expiry check. Antipattern flagged."

What we store

Encrypted blobs — meaningless without your key

// Supabase row: encrypted_sessions
7f4a2b8c9d1e3f5a6b7c8d9e0f1a2b3c4d5e6f7a8b 9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e 0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b...1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e 2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b
encrypted_dek: a1b2c3d4e5f6...
nonce: 9f8e7d6c5b4a...

Technical specifications

For your security team

Encryption at rest: XChaCha20-Poly1305 (libsodium)
Key management: Envelope encryption with per-org KEK
Key storage: macOS Keychain / system keyring
Transport security: TLS 1.3 (Supabase managed)
Data residency: Supabase Cloud (AWS us-east-1)
Access control: Row-Level Security (RLS) policies
Authentication: Supabase Auth (OAuth, email/password)
AI processing: Vertex AI (Google Cloud, SOC 2 certified)
