
DLAC·DATA LEVEL ACCESS CONTROL


CipherStash makes access control cryptographic. The rules aren't configured. They're enforced. A breach yields ciphertext, nothing useful.

Searchable field-level encryption. Identity-bound keys. Cryptographic audit trails. Built into your existing Postgres stack.

stack.ts [ENCRYPTED]
import { encryption, disclosure } from '@cipherstash/stack'

// Encrypt every field with a unique key
const patient = await db.patients.create({
  name:      encryption.encrypt(),
  dob:       encryption.encrypt(),
  diagnosis: encryption.encrypt(),
})

// Query encrypted fields. No decryption required.
const results = await db.patients.findMany({
  where: { diagnosis: encryption.match('hypertension') },
})

§ 01·0x01/THREAT / CONSTRAINT / UNLOCK

Every layer of traditional security assumes a human is watching. Nobody is watching anymore.

AI agents ship code at machine speed, running on application credentials where a single prompt injection becomes a one-step exfiltration. And for thirty years, the database has been an open book to anyone who reached it — because encrypting a column meant losing the query.

Step through the three states below. One table, one query, three realities.

patients.sql  READABLE / 3 ROWS MATCH
postgres > SELECT * FROM patients WHERE condition = 'hypertension'

id    name           dob         condition         notes
p_01  Alex Rivera    1982-04-12  hypertension      lisinopril 10mg
p_02  Morgan Chen    1995-11-03  type II diabetes  metformin 500mg
p_03  Priya Patel    1971-07-22  hypertension      atenolol 25mg
p_04  Samir Okafor   2001-02-17  hypertension      lisinopril 10mg
p_05  Leah Kowalski  1988-09-30  asthma            albuterol inhaler

The old world. Thirty years of security built around one unavoidable fact: the database was readable to anyone who reached it. The perimeter had to do all the work.

§ 02·0x02/DATA LEVEL ACCESS CONTROL

The rules aren't configured. They're enforced.

Every sensitive value encrypted with a unique key. Identity and policy baked into the key, enforced at the moment of decryption, wherever the data ends up. Attackers, over-permissioned agents, and curious insiders all see the same thing: ciphertext with no key.

Switch identities below. The same records. Four different realities.

decryption policy  AUTHORIZED (viewing as dr.smith)

id    owner     name                          dob                           condition
p_01  dr.smith  Alex Rivera                   1982-04-12                    hypertension
p_02  dr.jones  mBk|UTcQkcxABP+4UtNqkKsb5p==  mBk|bvklgqmMZOacU/PRlEIRvY==  mBk|xnR1nWZ1Q5WDWkgBmwtFzD==
p_03  dr.smith  Priya Patel                   1971-07-22                    hypertension
p_04  dr.jones  mBk|HxDQvhXkWvyqgOXzMGj0KJ==  mBk|qebLIPw3PE0xhoCIIpws+s==  mBk|n1lyQbKU5a4ufkh/1u+pqh==
p_05  dr.jones  mBk|Ddu9nPfKsxRqpn8KygaZ0u==  mBk|B4OU8aZENJvYsOQc0LOjUE==  mBk|CwvoLxj7Obe6+xZ2zzABNN==
Every value carries a decryption policy. Decryption happens after the query, after the API response, after the agent tool call. The rules are enforced in the data, not configured in the perimeter.

/ENCRYPTION

Searchable field-level encryption.

Range queries, exact match, and free-text fuzzy search over encrypted fields, with sub-millisecond overhead on existing Postgres indexes. Works with any managed Postgres provider. No new database, no migration, no superuser access.

This removes the constraint that made plaintext storage unavoidable. Everything else in CipherStash depends on this.

  • Range, fuzzy text, and JSON queries over ciphertext
  • Works with existing Postgres indexes
  • <1ms query overhead
  • 100,000x faster than fully homomorphic encryption
  • Quantum safe
ENCRYPTION →

/SELECTIVE-DISCLOSURE

Value-level access control.

Faster, simpler, and more reliable than row-level security. Every encrypted value carries a policy: who is authorised to read it, under what conditions. The decision happens at decryption, after the query, after the API response, after the agent tool call.

A user decrypts their own records. An agent decrypts only what the requesting user is authorised to see. An attacker with the agent's credentials decrypts nothing.

  • Per-value access policy
  • Enforced at decryption, wherever the data goes
  • Escalation workflows for sensitive access
  • Agent-safe by design

/KEY-MANAGEMENT

14x faster key management.

Latency so low that your users never notice. At scale, AWS KMS cannot deliver the call throughput and latency that per-value encryption needs, so encrypting every field with it is impractical and slow. ZeroKMS is 14x faster, with keys derived on demand (never stored) and identity and policy woven into every key.

This is what makes 'encrypt every field' deployable.

  • 14x the performance of AWS KMS
  • Keys derived on demand, never stored
  • Identity and policy baked into every key
  • 9 global regions
ZEROKMS →

/SECRETS (COMING SOON)

Secrets without the .env.

Every secret encrypted at the field level. Accessible only to the right identity, at the right time. Cryptographically isolated environments. Full audit trail.

Never accidentally leak a secret again.

  • Type-safe SDK
  • Cryptographically isolated environments
  • CLI management
  • Full audit trail
JOIN THE WAITLIST →

§ 03·0x03/CRYPTOGRAPHIC AUDIT TRAIL

Every access event. Cryptographically proven.

Every decryption recorded: who, what, when, from where, in what context. On by default. Immutable by construction.

Cryptographic audit trails give continuous assurance. When a breach occurs or a compliance audit arrives, you have proof.

  • 1B+ operations in production
  • Audit trail: HIPAA / SOC 2 / GDPR compliance
  • 24/7 continuous assurance

§ 04·0x04/HOW CipherStash IS STRUCTURED

Three primitives. Built to scale with usage, not headcount.

01  Data keys: the unit of encryption.

One data key is one encryption operation. Data keys are consumed when your application writes sensitive data, and only then.

Decryption is always free. CipherStash makes money when your infrastructure is encrypting data, not when you're reading it back. You are never charged to access your own data, run an audit, or leave. That is the pricing model.

02  Keysets: the unit of isolation.

A keyset is a cryptographically separated group of keys. A single-tenant app might use one. A multi-tenant SaaS provisions one per customer, with provable cryptographic separation, beyond policy enforcement. Separate environments, regulated workloads, distinct business units, each gets its own keyset.

Keysets scale with the complexity of your security architecture.

03  Clients: the unit of identity.

A client is any entity that interacts with CipherStash: a developer, an application instance, a CI/CD pipeline, a production service. Clients are how your team grants and revokes access to keysets, and how CipherStash knows who, or what, is behind every encryption and decryption call.

Every developer is a client. Every application is a client. Every agent is a client.

§ 05·0x05/WORKS IN YOUR STACK

Up and running in 15 minutes.

Works with any managed Postgres provider. Plugins for Drizzle and Prisma. Connectors for Auth0 and Clerk. Open-source SDKs starting with TypeScript, expanding to every major language.

F∗@! your vault. Keep it in your stack.

SUPABASE · NEON · PLANETSCALE · CRUNCHY · VERCEL · NILE · TIGER · PRISMA · DRIZZLE · AUTH0 · CLERK

§ 06·0x06/BUILT FOR POST-PERIMETER THREATS

One infrastructure layer. Every sensitive data problem.

01  AI & Agentic Security

When an agent is compromised, its blast radius is whatever its application credentials can read from the database. DLAC cuts that radius down to what the requesting user's identity can decrypt: the agent's own credentials unlock nothing by themselves. Prompt injection still executes. Exfiltration doesn't.

02  Data Security & Privacy

Protect sensitive fields with value-level encryption. Zero-knowledge architecture means CipherStash never sees your keys or plaintext. A breach yields ciphertext. Nothing useful.

03  Cryptographic Multitenancy

Provision a keyset per customer. Each tenant's records encrypted under a key derived from their identity, decryptable only by a caller presenting the same identity. Provable isolation at the encryption layer.

04  Access Intelligence

Every access event logged: who, what, when, and how. Cryptographic audit trails give continuous assurance, not point-in-time snapshots that age out the moment an agent rewrites a query.

05  Data Sovereignty

Keys in your region. Data in your database. Dual-party key splits for government and high-security requirements. Control that survives a cloud provider incident.

§ 07·0x07/IN PRODUCTION

Built on by teams that can't get this wrong.

CipherStash enabled us to achieve the same stringent level of encryption without needing to implement custom envelope encryption using AWS KMS or similar technologies.

JOURNALIA · HEALTH TECH

READ CASE STUDY →

With CipherStash, we were able to implement end-to-end encryption while maintaining full search functionality across our entire platform.

BNDRY · FINANCIAL SERVICES

READ CASE STUDY →

  • 1B+ encryption ops in production
  • 14x faster than AWS KMS
  • <1ms query overhead
  • SOC 2 Type II certified

Code is rewritable. Ciphertext isn't.

Integrate CipherStash into your stack and encrypt your first fields in 15 minutes. Or talk to our team about production architecture.