Field Guide

Application-Level Encryption for SaaS Products

How teams can add encryption, workspace isolation, and key lifecycle management to a SaaS product without building the key-management infrastructure from scratch.

The problem

Most SaaS products use shared infrastructure. Tenant data lives in the same database. Access controls happen at the application layer — your code enforces who sees what. Application-layer encryption adds a cryptographic guarantee: even within the same database, one tenant's data cannot be read without the right key.

Key management is where most teams stop. Where do keys live? How do you rotate them? What happens when a customer offboards? What if someone asks you to prove that tenant A cannot access tenant B's data? Building this correctly takes months and requires cryptographic knowledge most product teams do not have — and should not need.

Post-quantum is a secondary concern today, but a real one: when security questionnaires start asking about your post-quantum roadmap, having a concrete implementation matters more than a roadmap slide. Starting now means the question is already answered when it arrives.

Example workflow

A B2B SaaS product assigns each customer a workspace. Documents uploaded to a workspace are encrypted before storage with workspace-specific key material. An admin API key for workspace A cannot decrypt documents from workspace B. When a customer churns, their workspace key is rotated and old keys are retired. When a security questionnaire asks about encryption, the team points to a real implementation — not a backlog item.

Where VellumGuard fits

  • Workspace-per-tenant isolation: separate key material per customer
  • TypeScript SDK that integrates with a Node/TypeScript backend without custom crypto code
  • Hybrid post-quantum encryption by default (X25519 + ML-KEM-768) so you are not behind when post-quantum becomes a procurement requirement
  • Audit events for every encrypt, decrypt, promote, rewrap, and retire operation
  • Key rotation lifecycle that does not require re-engineering your storage layer
  • Identity-scoped authorization so individual users have individual encryption identities

What teams can test in beta

  • Workspace-per-tenant key isolation with test data
  • Encryption and decryption latency at your typical payload sizes
  • The full key rotation lifecycle for a tenant workspace
  • Using audit event output to answer a simulated security questionnaire
  • SDK integration effort against your existing application framework

What VellumGuard does not replace

VellumGuard handles application-layer encryption and key management. It does not replace:

  • Identity and access management (who can log in, session management, role assignments)
  • Network security and infrastructure controls
  • Infrastructure-layer encryption at rest and in transit
  • SOC 2, ISO 27001, or other compliance certifications
  • Vendor security reviews your enterprise customers require

Not currently SOC 2 certified. Not currently HIPAA compliant. No BAA is currently available. No formal SLA during beta. Manual onboarding only — no self-serve portal or dashboard.

Request design partner access

If you are building a SaaS product and want to add post-quantum application-layer encryption in a controlled beta environment, apply for design partner access. Beta is free unless otherwise agreed in writing.

Apply for access →

Questions? Email beta@vellumguard.com or browse other field guides.