Rooms
A Room is the primary unit of collaboration in Enclave. Think of it as a secure, encrypted folder with its own membership list, access controls, and audit trail. Every file inside a room is encrypted with the room’s data encryption key (DEK). Members are granted access by having the DEK wrapped with their public key — they can decrypt files only if they hold the corresponding private key. Learn more about Rooms →Encryption model
Enclave uses a hybrid encryption scheme:- File encryption — each file is encrypted with a unique DEK using AES-256-GCM on the client before upload.
- Key wrapping — the DEK is wrapped (encrypted) with the room’s key encryption key (KEK).
- KEK management — the KEK is protected by your KMS or HSM. Quelden never has access to unwrapped KEKs.
Key management
| Mode | Who holds the master key | Quelden can decrypt? |
|---|---|---|
| Quelden-managed | Quelden HSM | No — HSM enforces policy |
| BYOK (AWS/Azure/GCP KMS) | Your cloud account | No |
| HYOK (on-prem HSM) | Your data centre | No |
Organisations and Org Units
Your Organisation is the top-level tenant in Enclave. Within it you create Org Units — logical groupings that mirror your structure (teams, departments, subsidiaries). Room access is granted at the Org Unit level. A user must be a member of the Org Unit that owns a room to access it. Learn more about Org Units →Clearance levels
Enclave supports classification-based access control orthogonal to room membership:| Level | Label | Default for |
|---|---|---|
| C1 | Public sensitivity | — |
| C2 | Internal | Members |
| C3 | Confidential | Department Admins |
| C4 | Restricted | Owners, Domain Admins, Security Officers |