Every claim below has a verifiable artifact behind it. No marketing fluff in this section — that's the point.
Encryption and decryption execute inside the SDK, on your infrastructure. VellumGuard's servers see public keys and ciphertext metadata for the audit trail — never the data itself. This is a structural property, not a promise.
Each ciphertext is sealed with a classical scheme and a post-quantum scheme. A break in either leaves the other standing. You are never worse off than today's best-practice cryptography.
ML-KEM-768 (FIPS 203) and ML-DSA-65 (FIPS 204) at NIST Level 3. No experimental or pre-standardization schemes in the default suite.
VellumGuard composes well-reviewed, open cryptographic implementations. There is no home-grown cryptography in the stack — deliberately the boring choice.
DEKs (data-encryption keys) are wrapped by Google Cloud KMS. The raw DEK is held in process memory only — never written to disk or logs. Identity private key blobs are stored in wrapped, AES-256-GCM-encrypted form only.
The wire format is published with reference test vectors. If VellumGuard ever disappeared, your data would remain decryptable with any conforming tool.
Each workspace uses a separate, revocable API key. Keys are stored as one-way hashes. Identity-scoped authorization allows per-key allow-lists for fine-grained access control.
Every authorization decision, key lifecycle operation (promote, rewrap, retire), and SDK call is recorded in a queryable security-events table. Rate limiting is enforced and recorded. Startup key-unwrap is confirmed per instance.
Honest scoping is part of a trustworthy security product. VellumGuard is explicit about its boundaries.
For the complete model, including the key hierarchy and rotation policy, see the ciphertext format documentation.
VellumGuard is beta / design-partner ready. The table below reflects the current state — not the roadmap.
Do not use VellumGuard for regulated production PHI, PCI card data, or similarly regulated data without a separate written data-handling agreement. Contact beta@vellumguard.com to discuss your specific use case.
We welcome coordinated disclosure from security researchers. Reports go straight to the team.