SaaS Shield

Add application-layer encryption, data controls, and data transparency to your cloud app.

Application security encryption platform that protects your data

Reduce risk by protecting data at the application layer

Application-layer encryption (ALE) provides strong protection against breaches, creates robust access controls, and doesn’t limit data usability when combined with Cloaked Search.

Scale up customer-managed keys for enterprise customers

If you’re moving upmarket to sell to enterprise customers or currently have enterprise customers who want advanced security features, CMK is a must-have. Smoothly launch your new CMK product with SaaS Shield.

Use technical solutions to comply with murky regulations

There’s a lot of confusion surrounding U.S. companies and their ability to hold EU personal data and PII. SaaS Shield helps you comply with ever-changing regulations so you can confidently operate within the EU.

Safeguard your data with developer-proof cryptography

Developers aren’t cryptographers, and they don’t need to be. Get things right from the start with an encryption solution built by experts in cryptography and secure product design.

The Business Case

Good for your customers and great for your business

Offering advanced encryption and security options will help you sell into new markets, to larger companies, and will help you diffentiate from your toughest competitors. In most cases, you'll be able to charge more for the premium levels of privacy and security, which means your investment comes back with interest.

Developer friendly

Built for easy integration and quick adoption

  • Sample code and examples
  • Versioned API changes
  • Zero crypto decisions
  • Powerful tooling
  • Fast performance
  • Low resource usage
  • Massive scalability
  • Configuration-driven
Explore the docs
const document = { ssn: Buffer.from("000-12-2345", "utf-8"), address: Buffer.from("2825-519 Stone Creek Rd, Bozeman, MT 59715", "utf-8"), name: Buffer.from("Jim Bridger", "utf-8"), }; client.encrypt(document, metadata).then((encrypted) => { const edek = encrypted.edek; const encryptedFields = encrypted.encryptedDocument; // Store both edek and fields in your persistence layer });
Map<String, byte[]> document = new HashMap<>(); document.put("ssn", "000-12-2345".getBytes("UTF-8")); document.put("address", "2825-519 Stone Creek Rd, Bozeman, MT 59715".getBytes("UTF-8")); document.put("name", "Jim Bridger".getBytes("UTF-8")); client.encrypt(document, metadata).thenCompose(encrypted -> { String edek = encrypted.getEdek(); Map<String, byte[]> fields = encrypted.getEncryptedFields(); //Store both edek and fields in your persistence layer })
$document = [ "ssn" => new Bytes("000-12-2345"), "address" => new Bytes("2825-519 Stone Creek Rd, Bozeman, MT 59715"), "name" => new Bytes("Jim Bridger") ]; $encrypted = $client->encrypt($document, $metadata); $edek = $encrypted->getEdek(); $encryptedFields = $encrypted->getEncryptedFields(); // Store both edek and fields in your persistence layer
document := tsc.PlaintextDocument{ "ssn": []byte("000-12-2345"), "address": []byte("2825-519 Stone Creek Rd, Bozeman, MT 59715"), "name": []byte("Jim Bridger"), } encrypted, err := tenantSecurityClient.Encrypt(ctx, document, &metadata) edek := encrypted.Edek encryptedFields := encrypted.EncryptedFields // Store both edek and fields in your persistence layer


Be crypto-agile and ready for post-quantum crypto

Allows per-data segment choices on encrypted data that can change and evolve over time with efficient ways to re-key data when necessary. And you can be post-quantum ready today.

Read more

Works everywhere

Integrates with almost any cloud environment and data store

SaaS Shield separates the concern of where the KMS is located from where the data is hosted. Developer tooling allows simple code-level integration before store and after fetch, which means where you store the data is your concern. And IronCore Labs' Amazon S3 encryption proxy and Cloaked Search proxy allow for turnkey drop-in solutions with no code.

Private by design

Meet the strictest data privacy laws including post-Schrems II handling of EU personal data by U.S. companies

Most privacy laws require privacy and security by design and strong protections of data, but the EU has taken that even further by making sure that any law enforcement or government access to data has to go through channels designed to protect the targets. Customer-held encryption keys can be used to solve this problem.

Read more
ConfigurationBrokerClient LibraryApplicationTenantSecurity ProxyZero-trust configuration storeCustomer KMS / HSMCustomer SIEMAWSAzureGCPStackDriverSplunkLogRhythmWeb Browser (Admin)End-to-end Encryption

How it works

Architected so IronCore Labs never sees sensitive data or keys

Data is encrypted and decrypted either in the proxy (like the S3 proxy) or in the SDK inside your application. Key management is handled in the Tenant Security Proxy docker container, which lives in your infrastructure and scales horizontally. Its job is to interact with one or more KMSes and keep secrets and sensitive configuration data safe.

Finally, the Configuration Broker is a cloud service that guides you or your customers through setting up and integrating KMSes and audit trail targets. The configuration data it receives is end-to-end encrypted and can’t be read by anyone at IronCore Labs.

Getting started

Integration and deployment is straightforward

Some of our biggest customers were asking for advanced privacy features to better secure their data. We knew that to meet those needs, and meet them quickly, we would need to partner with someone who lives and breathes data privacy and security, and that's what we found in IronCore Labs.
─ Michele Kubicek
     Product Management Manager, Broadcom

Key features

All the advanced security features your customers want

Advanced encryption

Application-layer encryption keeps data safe from breaches

Data isolation

Per-tenant keys make wholesale database scraping difficult

Audit trails

Real-time streams of audit trails and security logs directly to customers


Customers gain control of their data by holding their own keys

KMS freedom

Flexibility to store the key and data separately even cross-cloud


Rotate algorithms, key sizes, KMSes, and more

BYO storage

Bring your own storage - anything works

Data-in-use encryption

Exact matches with deterministic encryption or integrate with Cloaked AI and Cloaked Search

Data residency

Restrict decryption to specific regions or cloud environments by data segment

Meaningful AppSec

Don’t just talk about how well the data is protected; really protect it

Ask yourself what would happen if a hacker got into your network or if there was a flaw in your application that let attackers query your database unconstrained. Now ask yourself what you can do about it. If you encrypt the data properly, then in most scenarios, the bad guys walk away with data they can’t decrypt.

This is your missing security layer.

Read more

Key orchestration

We handle the difficulties of key management for you

We support key leasing to keep down KMS costs and to make systems more resilient to network problems. We handle key rotation, efficient ways to re-key data, data segmentation, algorithm independence (crypto-agility), key-size agility, and we help you and your customers be cloud-independent. You can separate key storage from your provider (ie, keys in GCP, data in AWS), and there’s no lock-in.

Read more

KMS Integrations

Works with the most popular key management servers

Each segment of data can have a different master key. A segment of data can be a tenant in a B2B SaaS multi-tenant system. Or a segment can be the home country or region of a person whose PII is encrypted. A different key can be used for each segment, and each key can optionally live in a different KMS.

KMSes are each independent of each other and may be run by different companies, operated in different regions, backed by different HSMs, or even run on-prem.

This KMS flexibility allows software and services to offer customer-held encryption keys and to offer data sovereignty even if the encrypted data is globally replicated. These are the tools needed to meet data privacy and data sovereignty laws around the world.

Supported KMS integrations include:

SaaS Shield gives you ultimate flexibility in key management, streamlining compliance with global laws and regulations.

Thales Verified Partner Logo GCP Logo GCP Logo GCP Logo

Infographic eBook on BYOK

This informative PDF visually explains BYOK and key concepts around it including decision points and trade-offs. Suitable for technical and business-level understanding of the popular security feature.

Compare Approaches

Hold keys for your customers or let them hold their own

Customer managed keys (CMK) is in high demand by some customers of cloud applications and infrastructure. It gives the customer varying degrees of control over their data even as that data is stored with a third party.

Application-layer encryption

Unless the data is application-layer encrypted, the actual data protection added is dubious.

Best of breed

The best solutions combine customer-held encryption keys with application-layer encryption.

Customer-held keys

Some CMK patterns ask the customer to generate a key and then to upload it to the provider, but that degrades the amount of control that the customer receives. When they hold the keys, they can revoke access to their data and track how it’s used.

With SaaS Shield, you let your customer decide if they want to hold their own keys while giving them the most meaningful data protection you can, short of end-to-end encryption.

Low-level EncryptionApp-level EncryptionCustomer-held KeyVendor-held KeyMoreProtectionMoreControlHigh control butlow protectionHigh protection butlow controlLow customer controland data protectionHigh customer control​and data protection

Configuration Broker

KMS connection information is end-to-end encrypted

The configuration broker provides wizards to help customers navigate their way through setting up a KMS and any other advanced security elements they want to configure. The information they enter is end-to-end encrypted so that IronCore Labs can never read the details of how to connect to their KMS.

Read a blog on how to verify that yourself and/or watch a short demo of Configuration Broker in action:

Play: Play: Config Broker Demo

Learn more

We're here to help with questions

Though we aren’t a services company, we frequently assist customers with design, architecture, and advice on how to approach adding advanced encryption into already complex enterprise applications. We have deep experience with enterprise cloud systems, cryptography, and privacy. We’d love to hear from you either online through one of our community platforms or more directly.