Security & Data Protection

End-to-End Encryption

All credentials are encrypted the moment you submit them. This encryption is applied on the client side (in your browser), meaning credentials are never transmitted in plaintext over the network. Once received by Cakewalk, encrypted credentials are stored in encrypted, company-specific databases—each customer has a dedicated and isolated database that remains encrypted both at rest and in transit.

Just-in-Time Decryption

Credentials are only decrypted at the moment they are used to execute a provisioning task—never before, never after.

• Decryption occurs only in memory, within a secure, isolated runtime.

• All decryption is managed through Amazon KMS, which ensures audit logs are created for every decryption event.

• No credentials are ever written or logged in plaintext.

• As soon as a job completes, decrypted values are discarded from memory.

Controlled Execution Environment

Cakewalk uses separate internal components to:

• Handle encryption and credential storage

• Execute provisioning jobs using decrypted credentials

This separation of responsibilities ensures that no single system has full access to both encrypted credentials and the keys needed to decrypt them.

Time-Bound Access

When an access token or key is needed to complete a provisioning task, Cakewalk enforces strict time limits for its usage. This further limits the attack surface and prevents long-lived credentials from being misused.