Data Protection

This page covers how Sovereign protects credentials, secures inter-service communication, and enforces license boundaries.

Credential Protection

Credentials for external service integrations (API keys, OAuth tokens) are encrypted at rest using industry-standard encryption:

Encryption at rest — all stored credentials and tokens are encrypted before being written to the database
Key rotation — encryption keys can be rotated without disrupting operations or re-encrypting existing credentials
Automated token refresh — OAuth tokens are refreshed automatically when they expire, with distributed locking to prevent race conditions in multi-instance deployments
Encrypted caching — tokens are cached in encrypted form to reduce database load while maintaining security

Key Management

For production deployments, use a dedicated key management service for your encryption master key. The Auth Service supports Azure Key Vault and HashiCorp Vault as key providers, in addition to environment variable configuration.

Message Queue Security

The message queue handles step dispatch between the Engine and Executor Workers:

Publisher confirms ensure message durability
Dead letter queues capture failed messages for inspection
Queue access is authenticated

Production TLS

The default Docker Compose configuration does not enable TLS for inter-service communication. For production deployments, configure TLS on the message queue and between all services.

License Enforcement

The licensing system provides an additional layer of control:

License validation occurs at dispatch time — unlicensed deployments cannot dispatch new steps
Feature gates control access to premium capabilities
In-flight steps complete normally when a license expires
Connected deployments maintain a heartbeat; air-gapped deployments validate offline

Next Steps

Security Overview — platform security posture and production checklist
Authorization & Compliance — RBAC, audit logging, and defense-grade authorization
Authentication Setup — configure your authentication mode

Credential Protection

Credentials for external service integrations (API keys, OAuth tokens) are encrypted at rest using industry-standard encryption:

Encryption at rest — all stored credentials and tokens are encrypted before being written to the database

Key rotation — encryption keys can be rotated without disrupting operations or re-encrypting existing credentials

Automated token refresh — OAuth tokens are refreshed automatically when they expire, with distributed locking to prevent race conditions in multi-instance deployments

Encrypted caching — tokens are cached in encrypted form to reduce database load while maintaining security

Key Management

Message Queue Security

The message queue handles step dispatch between the Engine and Executor Workers:

Publisher confirms ensure message durability

Dead letter queues capture failed messages for inspection

Queue access is authenticated

Production TLS

The default Docker Compose configuration does not enable TLS for inter-service communication. For production deployments, configure TLS on the message queue and between all services.

License Enforcement

The licensing system provides an additional layer of control:

License validation occurs at dispatch time — unlicensed deployments cannot dispatch new steps

Feature gates control access to premium capabilities

In-flight steps complete normally when a license expires

Connected deployments maintain a heartbeat; air-gapped deployments validate offline