cipher AES-256-GCM · kms per-tenant · plaintext views 0

Encrypted at rest.
Encrypted in your head.

Per-tenant keys, declarative access, full audit. We never see the plaintext — and neither should the wrong user.

VAULT · ROW-LEVEL ENCRYPTED · tenant acme · objects 284 · last access 17:41

tenant_acme · w9-vendor.pdf · 184 kb · aes256
7C13 9A2E 4F8B D061 5E29 8B7A C4F1 0D93 …

tenant_contoso · soc2-evidence.zip · 2.4 mb · aes256
3D90 E5F1 B274 8A6C 0E1F 9B23 C7D4 5A82 …

tenant_pinpoint · phi · 2026q1.csv · HIPAA · aes256
A8F2 4B91 E6CD 7012 9F4A 33B7 D5E8 1C0F …

tenant_lumen · api-secrets.env · 1.1 kb · aes256
7C13 9A2E 4F8B D061 5E29 8B7A C4F1 0D93 …

KEYRING · KMS / HSM

key_acme_v3 · AES-256 · wrapped · aws-kms · 14d
key_contoso_v2 · AES-256 · wrapped · aws-kms · 31d
key_pinpoint_v5 · AES-256 · cmk · BYOK · 8d
key_lumen_v1 · AES-256 · wrapped · aws-kms · 62d

RECENT ACCESS

17:41 · val@acme read obj_01HZX9
17:38 · key rotation · key_acme v2→v3
16:24 · rod@acme upload · 1 obj
15:02 · policy denied · support → tenant_pinpoint
The shape

Storage built on top of the same session, tenant, role, policy primitives you're already using.

Every B2B product accumulates files that belong to one customer and only that customer — contracts, exports, certificates, payroll. Locker stores them with the same scope rules you wrote for everything else.

— 01

Per-tenant envelope keys

Each org has its own KEK in your KMS or ours. Data keys are wrapped by it. Forking a tenant is a key-derivation, not a data migration.

— 02

Policy, not access lists

Declarative who-can-open rules — by role, MFA freshness, geo, time. Audit-friendly, diff-reviewable.

— 03

Zero-trust by default

Authaz never holds the plaintext. The data path is client → DEK → KMS-wrapped → object store. We see ciphertext.

The mechanics

Encrypted on the way in. Audited on the way out.

— 01

Envelope encryption, end to end.

Every object gets its own data encryption key. The DEK is wrapped by the tenant's KEK in your KMS (or ours). We store ciphertext + a wrapped key — nothing else.

  • AES-256-GCM payload · per-chunk auth tag
  • wrap with AWS KMS, GCP KMS, Azure Key Vault, or BYOK
  • rotate KEKs without re-uploading data

CLIENT · file picked · streamed in chunks · 4 mb chunks
↓
DEK · data key generated · aes-256-gcm
↓
WRAP · DEK wrapped by org KEK · kms · hsm
↓
STORE · ciphertext · object store · per-tenant prefix · s3 · gcs · azure

authaz never sees the plaintext · ever
— 02

Access policies your auditor can read.

Same engine as Authaz RBAC. Grant by role, require MFA, deny by geo, expire after inactivity. Policies live next to the data; tenants can add their own without touching your code.

  • role + ABAC + MFA-freshness conditions
  • TTL grants · time-boxed shares
  • tenant-scoped — admins see only their org

// who can open what — declarative
access "contracts/*" {
  grant role "legal"
  grant role "admin"
  requires mfa "webauthn"
  expires "30d" after last_open
}

access "payroll/*" {
  grant role "hr-admin"
  requires step_up
  deny if request.geo not_in ["US"]
  audit open · download · share
}

— 03

Every open. Every share. Every deny.

Each access decision streams to your audit log. Buyers can subscribe to their own tenant's feed. Compliance teams get the export they ask for, automatically.

  • streamed to S3 · Datadog · Splunk
  • tenant-scoped views for buyers
  • tamper-evident · per-event signature

09:14 · val@acme.com · opened msa-northwind-2026.pdf · allow
09:12 · jess@acme.com · shared soc2.pdf · 7d ttl · allow
09:08 · rod@acme.com · attempted q4-payroll.csv · deny
09:02 · val@acme.com · uploaded wire-instructions.txt · allow
08:51 · admin@acme.com · rotated org KEK · v3 → v4 · allow

API

Same surface as the rest of Authaz.

Your scope handle, the path, the data. Policy by reference. We do the rest.

app/contracts/upload.ts · e2e encrypted

await authaz.locker.put({
  org_id: session.org,
  path: "contracts/msa-northwind-2026.pdf",
  data: file.stream(),
  policy: "contracts/*",
  labels: ["legal", "signed"],
});

Spec

The fine print, up front.

Encryption: AES-256-GCM · per-chunk auth · per-object DEK · KMS-wrapped
KMS support: AWS KMS · GCP KMS · Azure Key Vault · BYOK · HSM-backed enterprise
Key rotation: KEK rotation in place · DEK lazily re-wrapped · zero downtime
Storage backends: S3 · GCS · Azure Blob · per-tenant residency pinning
Access policy: roles · ABAC · MFA-freshness · geo · time · TTL grants
Audit: every put · get · share · deny · streamed · tamper-evident
Compliance: SOC 2 · ISO 27001 · HIPAA-eligible · GDPR-ready
Pricing model: per-GB-month · no charge for ciphertext duplication

Pairs with

One platform. Every primitive.

Every Authaz product shares the same primitives — sessions, policies, audit, tenants. Pick what you need today; add the rest when you do.

Get started

Tenant-scoped data. Tenant-scoped keys.

Encrypted document storage that fits your auth model — not the other way around.