Encryption
Altertable encrypts all customer data in transit and at rest. Encryption covers database credentials, object storage credentials, lakehouse storage, and internal backups. Each customer operates in an isolated environment with independent encryption keys and network boundaries.
Credential Encryption
Database credentials and connected bucket credentials are encrypted before being stored. Decryption occurs only within isolated compute environments at runtime. Credentials are never logged, transmitted in plaintext, or shared between tenants.
Data Encryption at Rest
All internal Altertable databases use AES-256 encryption at rest. Indexes, logs, and derived analytical state are stored on encrypted volumes. Backups are encrypted prior to upload to object storage, ensuring no unencrypted copies exist outside of memory.
Storage
Altertable-managed storage uses Cloudflare R2 by default. You can also connect your own Amazon S3, Google Cloud Storage, or S3-compatible buckets when you want lakehouse data to live in a specific object store.
         ┌───────────────R2───────────────┐
         │ ┌────────────bucket-a────────┐ │
write ───┼▶│ (AES-256, R2 managed key)  │ │
         │ └────────────────────────────┘ │
         │ ┌────────────bucket-b────────┐ │
write ───┼▶│ (AES-256, R2 managed key)  │ │
         │ └────────────────────────────┘ │
         │ ┌────────────bucket-c────────┐ │
write ───┼▶│ (AES-256, R2 managed key)  │ │
         │ └────────────────────────────┘ │
         └────────────────────────────────┘
Built-in object storage is encrypted at rest by the underlying provider. Data in transit between compute and object storage is protected with TLS 1.3.
Network Encryption
All Altertable communication—between API endpoints, agents, DuckDB compute nodes, and storage—is encrypted using TLS 1.3.
We disable legacy TLS versions and weak cipher suites.
Internal service traffic remains within isolated VPC networks, preventing cross-tenant access and minimizing public exposure.
Infrastructure Isolation
All compute, storage, and orchestration layers operate within private VPCs. Public ingress is limited to defined API endpoints, with internal RPC channels fully private.
Compliance
Altertable is SOC 2 Type II certified. Encryption, access control, and operational practices are continuously audited by independent assessors. SOC 2 compliance covers both cloud infrastructure and development workflows.
Summary
| Component | Encryption | Isolation |
|---|---|---|
| Database credentials | AES-256-GCM | Per-tenant |
| Internal database | AES-256 at rest | Private VPC |
| Backups | AES-256 | Encrypted before upload |
| Object storage | Provider-managed at rest + TLS 1.3 | Bucket-scoped credentials |
| Network | TLS 1.3 only | Private VPC |
| Compliance | SOC 2 Type II | Continuous audit |
All data handled by Altertable remains encrypted throughout its lifecycle. Keys are managed by the cloud provider, and data is never stored or transmitted unencrypted within the platform.