Your data, your keys. Not ours.
Financial data demands the highest standard of protection. Airtight goes beyond industry requirements with per-tenant encryption, cryptographic shredding, and zero-trust architecture.
AES-256 encryption
Data residency: AU, US, EU, GCC
Zero-trust architecture
Per-tenant encryption
Every organisation on Airtight gets its own encryption keys. This is not shared-key encryption, where one compromised key exposes every customer: your data is sealed in its own cryptographic envelope, and a key belonging to another tenant cannot open it.
Data Encryption Keys (DEKs)
Each organisation gets a unique AES-256 Data Encryption Key (DEK), and your financial data is encrypted at rest with it. The DEK is never stored in the clear: it is wrapped (encrypted) under a master Key Encryption Key (KEK), and the wrapped DEK is stored separately from the data it protects, so a copy of the database alone is useless without the key and a copy of the wrapped key alone is useless without the KEK.
Key rotation
Keys rotate automatically without re-encrypting existing data: new writes use the newest key version, and older data is decrypted with the version it was written under, which the key version chain retains. Rotation therefore causes no downtime and loses no data. Note what this does and does not give you: rotation bounds how much data any single key version protects, but an old version is only retired once every record written under it has been re-encrypted under a newer version or deleted.
Cryptographic shredding
When you delete your account, we destroy your encryption keys. Without them the ciphertext is permanently unreadable, even to us and even under a court order: this is cryptographic deletion, not file deletion, and it applies to every copy of the ciphertext wherever it is stored. The guarantee rests on every copy of the key being destroyed, which is why keys are held separately from the data rather than alongside it.
Bring Your Own Key (BYOK)
Enterprise customers can supply their own keys, managed in their cloud KMS (AWS KMS, Azure Key Vault, or Google Cloud KMS). In that configuration the KEK that wraps your DEKs stays under your control in your KMS, Airtight can use it only while you grant access, and revoking that access makes your data unreadable to us. You hold the keys. Literally.
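The key hierarchy described in this section (per-tenant DEKs, a wrapping KEK, rotation by appending key versions, shredding by destroying the wrapped DEKs, and a KEK that can live in a customer's KMS under BYOK) can be shown end to end in one short program. The Go program below is an added illustration written for this page, not Airtight's code: the Wrapper interface, localKEK, the 4-byte version header, the "dek" AAD label and the sample invoice string are assumptions made here, and the in-memory localKEK stands in for the master KEK or a cloud KMS so that the example runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wrapper holds the KEK: Airtight's master key or, under BYOK, a key in the
// customer's AWS KMS / Azure Key Vault / Google Cloud KMS. localKEK is a
// constructed in-memory stand-in so that the example runs offline.
type Wrapper interface {
	Wrap(dek []byte) ([]byte, error)
	Unwrap(wrapped []byte) ([]byte, error)
}

type localKEK struct{ key []byte }

func (k localKEK) Wrap(dek []byte) ([]byte, error) { return seal(k.key, dek, []byte("dek")), nil }
func (k localKEK) Unwrap(w []byte) ([]byte, error) { return open(k.key, w, []byte("dek")) }

// random returns n bytes from crypto/rand; 32 bytes selects AES-256 in aes.NewCipher.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source; never fall back to anything weaker
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return aead
}

// seal and open are AES-256-GCM helpers; blob layout is nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := random(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Tenant is one organisation's key version chain. Only wrapped DEKs are kept;
// a plaintext DEK exists only transiently after the KEK unwraps it.
type Tenant struct {
	ID      string
	kek     Wrapper
	wrapped [][]byte // index is the key version
}

// Rotate appends a fresh DEK version without touching existing records.
func (t *Tenant) Rotate() error {
	w, err := t.kek.Wrap(random(32))
	if err == nil {
		t.wrapped = append(t.wrapped, w)
	}
	return err
}

func (t *Tenant) CurrentVersion() int { return len(t.wrapped) - 1 }

func (t *Tenant) dek(v int) ([]byte, error) {
	if v < 0 || v >= len(t.wrapped) {
		return nil, fmt.Errorf("tenant %s: key version %d unavailable", t.ID, v)
	}
	return t.kek.Unwrap(t.wrapped[v])
}

// Encrypt uses the newest DEK and prefixes the record with its 4-byte version.
// Tenant ID and version are bound as AAD, so a record cannot be replayed into
// another tenant or opened under the wrong version.
func (t *Tenant) Encrypt(plaintext []byte) ([]byte, error) {
	dek, err := t.dek(t.CurrentVersion())
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(t.CurrentVersion()))
	return append(hdr, seal(dek, plaintext, append([]byte(t.ID), hdr...))...), nil
}

// Decrypt reads the version header and unwraps that DEK, however old it is.
func (t *Tenant) Decrypt(record []byte) ([]byte, error) {
	if len(record) < 4 {
		return nil, errors.New("record too short")
	}
	dek, err := t.dek(int(binary.BigEndian.Uint32(record[:4])))
	if err != nil {
		return nil, err
	}
	return open(dek, record[4:], append([]byte(t.ID), record[:4]...))
}

// Shred scrubs and drops every wrapped DEK. Ciphertext left in storage or in
// backups is now unrecoverable: cryptographic deletion, not file deletion.
func (t *Tenant) Shred() {
	for _, w := range t.wrapped {
		for i := range w {
			w[i] = 0
		}
	}
	t.wrapped = nil
}

func main() {
	acme := &Tenant{ID: "acme", kek: localKEK{key: random(32)}}
	_ = acme.Rotate()                                        // version 0
	r1, _ := acme.Encrypt([]byte("invoice 1: AUD 1200.00")) // constructed sample record
	_ = acme.Rotate()                                        // version 1; r1 still opens via v0
	p1, err := acme.Decrypt(r1)
	fmt.Printf("after rotation: %q %v\n", p1, err)
	acme.Shred()
	_, err = acme.Decrypt(r1)
	fmt.Println("after shred:", err)
}
```

Two details are worth carrying into a real implementation. The tenant ID and key version are bound as associated data, so a record cannot be replayed into another tenant's account or opened under a different version even by someone who can rewrite the header. And Shred only drops the wrapped DEKs, which is all that is needed: the ciphertext is useless without them, while the shared KEK stays in service for other tenants. Under BYOK, Unwrap becomes a KMS call that fails the moment the customer revokes access, which is exactly what makes the data unreadable to the provider.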
Infrastructure & architecture
Zero-trust network
Every request is authenticated and authorised on its own merits, regardless of where it originates; no trust is granted on the basis of network location. Services talk to each other over mutual TLS (mTLS), so each side proves its identity with a certificate before any request is read, and external traffic enters through an API gateway that applies rate limiting and threat detection.
Data residency
Choose where your data lives: Australia, the United States, the European Union, or the GCC. Data never leaves your chosen region. Residency in each region is designed to meet the GDPR, the Australian Privacy Act, and the DIFC data protection regulations respectively (see the compliance roadmap below for current certification status).
Encryption in transit
TLS 1.3 is enforced on all connections, with no fallback to older protocol versions. HSTS headers carry a max-age of at least one year (31536000 seconds). Mobile applications pin our certificates, so a certificate for our hostname issued by any other authority, mis-issued or malicious, is still rejected.
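As an added example for the mTLS and TLS 1.3 points above (not code from Airtight), here is how an internal Go service would express that policy in code: a tls.Config that refuses anything below TLS 1.3 and requires every peer to present a certificate issued by the internal CA, plus an HTTP middleware that sets the one-year HSTS header. The names serviceTLSConfig, withHSTS and newTestCA, the listen address and the certificate file names are assumptions; newTestCA mints a throwaway CA in memory so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// hstsValue is the header the page specifies: a max-age of at least one year.
const hstsValue = "max-age=31536000; includeSubDomains"

// withHSTS adds Strict-Transport-Security to every response so browsers refuse
// to talk to this host over plain HTTP for the next year.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// serviceTLSConfig is the tls.Config an internal service uses both to serve and
// to dial. MinVersion pins TLS 1.3 (no fallback), and RequireAndVerifyClientCert
// turns on mTLS: a peer with no certificate, or one not issued by the internal
// CA, fails the handshake before any request is read.
func serviceTLSConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate in PEM input")
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool, // who may call us
		RootCAs:    pool, // whom we trust when we call out
	}, nil
}

// newTestCA mints a throwaway self-signed CA in memory. This is constructed for
// the example; a real deployment gets its CA from its PKI or service mesh.
func newTestCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := newTestCA()
	if err != nil {
		panic(err)
	}
	cfg, err := serviceTLSConfig(caPEM)
	if err != nil {
		panic(err)
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: cfg, Handler: withHSTS(http.NotFoundHandler())}
	fmt.Printf("%s: TLS 1.3 minimum, client certificates required, HSTS %q\n", srv.Addr, hstsValue)
	// srv.ListenAndServeTLS("service.pem", "service-key.pem") // assumed file names
}
```

With RequireAndVerifyClientCert the handshake fails before any HTTP request is read, which is what removes implicit trust from the network: a caller on the right subnet with no certificate gets nothing. Setting MinVersion on the config used for both serving and dialing is what turns "no fallback to older protocols" into a property the code enforces rather than a deployment hope.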
Penetration testing
Annual third-party penetration testing, with a summary of findings available on request. Continuous automated vulnerability scanning. Bug bounty program (launching Q3 2026).
Backup & disaster recovery
Automated hourly backups with point-in-time recovery, replicated across regions for disaster recovery. Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour, which follows from the hourly backup cadence: at most one hour of writes can be lost.
Uptime commitment
99.9% uptime SLA for Business and Professional plans. 99.99% uptime SLA for Enterprise. Transparent status page with real-time incident reporting.
Compliance roadmap
We are building toward the highest industry standards. Here is where we stand.
GDPR: Compliant (target: current)
Australian Privacy Act: Compliant (target: current)
PCI DSS: Handled via payment processor (target: current)
SOC 2 Type II: Audit preparation underway (target: Q4 2026)
ISO 27001: On certification roadmap (target: Q1 2027)
DIFC Data Protection: On certification roadmap (target: Q2 2027)
Security questions? We have answers.
Our security team is available to discuss your requirements, provide documentation, and walk through our architecture.