Empuls centralizes all encryption key management through AWS Key Management Service (KMS), enforcing per-tenant key isolation and full lifecycle governance aligned with ISO/IEC 27001:2022, ISO/IEC 11770, and NIST SP 800-57.
How Empuls Manages Encryption Keys
Encryption is only as strong as the key management behind it. Empuls uses AWS Key Management Service (KMS) as its centralized backbone for generating, storing, and rotating every encryption key used across the platform. This applies to both data at rest and data in transit, ensuring a single, auditable governance layer across all workloads. Every key in Empuls passes through a clearly defined lifecycle: creation, scheduled rotation, activation, deactivation, revocation, and secure destruction. Rotation is automated, so no key remains active beyond its intended period without explicit action. This eliminates a common gap in enterprise security posture — stale or forgotten cryptographic material that accumulates over time.Tenant Isolation and Access Restrictions
Multi-tenancy demands strict separation of key material, and Empuls enforces this by logically isolating encryption keys per tenant and per application. Customer keys are never accessible by Xoxoday Empuls staff without the customer’s explicit prior approval. Internally, only the Group CTO holds authorized access to customer key material, creating a narrow, auditable path that prevents unauthorized provider interaction. For organizations integrating Empuls with enterprise HR systems such as Workday, SAP SuccessFactors, or Darwinbox, this isolation is critical. Employee recognition data and reward transaction records exchanged across those integrations remain encrypted under keys that are scoped to the customer’s environment — not shared across the service provider’s infrastructure. The same boundary holds whether reward notifications surface inside Slack or Microsoft Teams.Secrets Management and Application-Level Credentials
Beyond encryption keys, Empuls uses AWS Secrets Manager to protect application-level configuration credentials, including API tokens, database connection strings, and integration secrets. This complements the KMS layer by ensuring that sensitive runtime configuration is never stored in plaintext within application settings or environment variables. Together, AWS KMS and AWS Secrets Manager form a unified secrets and cryptographic governance stack, reducing the attack surface at both the infrastructure and application tiers.Compliance Alignment
Empuls’s key management practices conform to ISO/IEC 11770 (key management standards), NIST SP 800-57 (key management recommendations), and ISO/IEC 27001:2022. These frameworks govern how keys are generated, handled, and retired throughout their useful life. For enterprise customers undergoing their own SOC 2 Type II or ISO 27001 audits, Empuls’s documented KMS controls provide verifiable evidence that their vendor’s cryptographic practices meet recognized global standards. Learn more: Empuls Help Centre — SOC / Security OperationsData Encryption at Rest in Empuls
How Empuls encrypts stored employee data, reward records, and PII using AES-256 and AWS-managed keys.
Data Encryption in Transit
How Empuls secures data moving between services, APIs, and integrations using TLS 1.2 and above.