Secrets use envelope encryption with AES-256-GCM, providing strong confidentiality and integrity.
Each project has a dedicated Data Encryption Key (DEK) wrapped by a root Key Encryption Key (KEK) managed by AWS KMS, creating strict
isolation boundaries. Secrets remain encrypted at rest and are only decrypted in memory on dataplane machines running workflows
that require those secrets, with all communication secured through mutual TLS (mTLS).
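
The DEK/KEK layering described above, as an added Go example that is not the product's own code. Assumptions: a locally generated 32-byte key stands in for the KMS-held KEK, the project ID is bound as GCM associated data, and the helper names `newGCM`, `seal` and `open` are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, pt, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, aad), nil
}

// open fails on a wrong key, a wrong aad, or any modified byte.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() { // constructed sample values; seal/open errors are not checked here
	kek, dek, proj := make([]byte, 32), make([]byte, 32), []byte("project-a")
	rand.Read(kek) // local stand-in for the KMS-held root KEK (assumption)
	rand.Read(dek) // this project's DEK
	wrapped, _ := seal(kek, dek, proj)                // the DEK is stored only in this form
	blob, _ := seal(dek, []byte("db-password"), proj) // the secret at rest
	unwrapped, _ := open(kek, wrapped, proj)          // dataplane: unwrap the DEK in memory
	secret, err := open(unwrapped, blob, proj)
	_, cross := open(kek, wrapped, []byte("project-b")) // wrong project context is rejected
	fmt.Println(string(secret), err, cross)
}
```

With a real KMS the unwrap step is a remote call and the KEK never leaves the service; only the wrapped DEK and the sealed secret are persisted.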