# Security & Data Protection #### End-to-End Encryption All credentials are encrypted the moment you submit them. This encryption is applied on the client side (in your browser), meaning credentials are never transmitted in plaintext over the network. Once received by Cakewalk, encrypted credentials are stored in **encrypted, company-specific databases**—each customer has a **dedicated and isolated database** that remains encrypted both at rest and in transit. #### Just-in-Time Decryption Credentials are only decrypted **at the moment they are used** to execute a provisioning task—never before, never after. * Decryption occurs **only in memory**, within a secure, isolated runtime. * All decryption is managed through Amazon KMS, which ensures audit logs are created for every decryption event. * No credentials are ever written or logged in plaintext. * As soon as a job completes, decrypted values are discarded from memory. #### Controlled Execution Environment Cakewalk uses separate internal components to: * Handle encryption and credential storage * Execute provisioning jobs using decrypted credentials This **separation of responsibilities** ensures that no single system has full access to both encrypted credentials and the keys needed to decrypt them. #### Time-Bound Access When an access token or key is needed to complete a provisioning task, Cakewalk enforces strict time limits for its usage. This further limits the attack surface and prevents long-lived credentials from being misused. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.getcakewalk.io/how-to-guides/auto-provisioning/how-it-works/security-and-data-protection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.