Does amaise support customer-owned encryption keys (BYOK/CMK)?
Yes. Each tenant in amaise receives a dedicated AES-256 KMS key for encrypting their customer data in S3, with automatic annual rotation.
A compliance service monitors the entire lifecycle of the keys — it ensures that active tenants have an active CMK and that when a tenant is deleted, the associated key is decommissioned within the window defined by AWS KMS guidance.
For customers with special data sovereignty requirements, amaise offers Bring-Your-Own-Key (BYOK) on request in two variants: a customer-owned KMS key from the customer's own AWS account, or an external HSM via AWS External Key Store (XKS) with Securosys in Switzerland for CLOUD-Act-resistant Swiss sovereignty. Contact us at [email protected] for details.