Ctrl AI

Encryption

AES-256-GCM encryption for sensitive data at rest.

Ctrl AI encrypts sensitive data at rest using AES-256-GCM, an authenticated encryption algorithm.

What's Encrypted

  • Inference query logs — the actual user questions stored in inference_logs
  • Any field containing PII or PHI

How It Works

  • Algorithm: AES-256-GCM
  • IV: 12-byte random initialization vector per encryption
  • Auth tag: 16-byte authentication tag (ensures data integrity)
  • Key derivation: 32-byte key derived from ENCRYPTION_KEY environment variable
  • Format: base64(iv + authTag + ciphertext)

Configuration

Set the ENCRYPTION_KEY environment variable:

# Generate a key
openssl rand -hex 32

# Set in .env
ENCRYPTION_KEY=<your-64-character-hex-string>

Graceful Fallback

If ENCRYPTION_KEY is not set, inference queries are stored in plaintext. This allows development and testing without encryption overhead, but is not recommended for production with sensitive data.

In Transit

All connections use TLS (HTTPS). The application sets HSTS headers to enforce TLS in browsers.

Audit Logging

Immutable audit trails for every action and AI decision.

Compliance Mapping

How Ctrl AI maps to EU AI Act, DORA, SOC 2, and HIPAA requirements.

On this page

What's EncryptedHow It WorksConfigurationGraceful FallbackIn Transit