Encryption

Altertable encrypts all customer data in transit and at rest. Encryption covers database credentials, lakehouse storage, and internal backups. Each customer operates in an isolated environment with independent encryption keys and network boundaries.

Credential Encryption

All database credentials provided by customers are encrypted using SHA-256 before being stored. Decryption occurs only within isolated compute environments at runtime. Credentials are never logged, transmitted in plaintext, or shared between tenants.

Data Encryption at Rest

All internal Altertable databases use AES-256 encryption at rest. Indexes, logs, and derived analytical state are stored on encrypted volumes. Backups are encrypted prior to upload to object storage, ensuring no unencrypted copies exist outside of memory.

Storage

Altertable stores structured data as columnar Parquet files in Cloudflare R2. Each customer has a dedicated R2 bucket and a unique API key, providing full isolation at the storage layer.


         ┌───────────────R2───────────────┐
         │ ┌────────────bucket-a────────┐ │
write ───┼▶│  (AES-256, R2 managed key) │ │
         │ └────────────────────────────┘ │
         │ ┌────────────bucket-b────────┐ │
write ───┼▶│  (AES-256, R2 managed key) │ │
         │ └────────────────────────────┘ │
         │ ┌────────────bucket-c────────┐ │
write ───┼▶│  (AES-256, R2 managed key) │ │
         │ └────────────────────────────┘ │
         └────────────────────────────────┘

All R2 objects are encrypted at rest using AES-256 server-side encryption. Data in transit between compute and R2 is protected with TLS 1.3.

Network Encryption

All Altertable communication—between API endpoints, agents, DuckDB compute nodes, and storage—is encrypted using TLS 1.3.
We disable legacy TLS versions and weak cipher suites. Internal service traffic remains within isolated VPC networks, preventing cross-tenant access and minimizing public exposure.

Infrastructure Isolation

All compute, storage, and orchestration layers operate within private VPCs. Public ingress is limited to defined API endpoints, with internal RPC channels fully private.

Compliance

Altertable is SOC 2 Type II certified. Encryption, access control, and operational practices are continuously audited by independent assessors. SOC 2 compliance covers both cloud infrastructure and development workflows.

Summary

| Component | Encryption | Isolation |
|---|---|---|
| Database credentials | SHA-256 | Per-tenant |
| Internal database | AES-256 at rest | Private VPC |
| Backups | AES-256 | Encrypted before upload |
| Cloudflare R2 | AES-256 + TLS 1.3 | Dedicated bucket & API key |
| Network | TLS 1.3 only | Private VPC |
| Compliance | SOC 2 Type II | Continuous audit |

All data handled by Altertable remains encrypted throughout its lifecycle. Keys are managed by the cloud provider, and data is never stored or transmitted unencrypted within the platform.

© 2026 Altertable