Skip to main content

Encryption & Tokenization

Table of сontents

InCountry Data Residency-as-a-Service uses the industry-standard encryption algorithm - AES in the GCM mode with 256-bit long keys. All the symmetric encryption keys are stored in InCountry’s key vault. The key vault meets all high industry standards and provides secure storage of encryption keys.

Custom encryption algorithms are not supported when using REST API and Web Services Border directly.

Data encryption is performed inside the dedicated component you use (this can be REST API, Border, or PoP API operating in the SSE mode).

This applies to data encryption only and does not cover data communication (e.g. HTTPS connection). All InCountry components (such as REST API and Border) encrypt data provided to them by customer’s applications.

Data decryption is performed in a similar manner to data encryption but in the reverse direction.

InCountry Data Residency-as-a-Service supports the following encryption levels:

  1. Data-level encryption: symmetric. Encryption keys are passed to the component directly and fetched by REST API, Border, or PoP API from the key vault.

  2. HTTP-request level encryption: JWT-token encryption/signature used by the InCountry Data Residency for Salesforce package and REST API (adding PoP API in the nearest future).

Encryption of data in transit

The InCountry platform secures data in transit in the following way:

  1. HTTP-level encryption: mutual TLS, when it is required to establish a secure communication tunnel between a client application and the InCountry platform (REST API). This is implemented through certificates that are stored in the key vault and configured at the web-server level of the application, rather than in the application itself (REST API).

  2. HTTPS data communication: all data communications between components of the InCountry platform (including data in transit) use the HTTPS protocol and TLS 1.3 by default.

How is data hashing performed when using the InCountry Data Residency for Salesforce package?

The InCountry platform uses the industry-standard SHA-256 hashing algorithm for all supported fields. The Salesforce administrator can choose the appropriate content-aware hash function to preserve the data pattern when saving the hashed value to the Salesforce database. If needed, the Salesforce administrator can use the fixed hash function that produces a hashed value according to the pre-defined pattern.

The InCountry Data Residency for Salesforce package does not perform the encryption or hashing of records. The package passes a regulated data record to REST API that encrypts and hashes the record’s values using the SDK. Hashed values are stored in the Salesforce database, the InCountry platform stores both hashed and encrypted clear-text values to support the exact-match search.


In the replication data regulation model, clear-text values are saved to the Salesforce database after saving a primary copy of the record on the InCountry platform.

How do encryption and decryption occur for custom resident functions working on regulated data?

When a resident function is executed the following process is performed:

A resident function instantiates the Storage class (from the Node.js SDK) with OAuth credentials created on InCountry Portal and issued after the service creation. This Storage instance is passed inside the resident function and the user performs the required operation with it.

Encryption and decryption of records are performed at the REST API side within an additional container. Records are stored in the InCountry Vault. The client application gets results of the resident function execution as a response body of the HTTP request. The output provided by the resident function depends on what is implemented within its code.

BYOK support

InCountry platform supports AWS KMS. For the details on BYOK support, please check our documentation.

Encryption key management

Management of encryption keys is performed on the InCountry Portal. It generates a separate encryption key for each activated country within an environment. For the details on management of encryption keys, please check our documentation.

The InCountry Portal supports the automatic rotation of encryption keys according to the configured rotation period.

Tokenization and Hashing

InCountry DRaaS provides the Border service which supports a variety of redaction algorithms that you can use to anonymize data and adjust the patterns for outputted values so they will not break your application backend validations.

For the details, please see documentation for unredaction rules.

InCountry REST API also provides the endpoints that returns the tokenized values for the record stored in the InCountry Vault. Please check the REST API documentation for details.