What Enclave does
Enclave gives your team a secure space to share files, collaborate on documents, and manage sensitive data — without trusting the platform to protect it. The encryption guarantee is architectural, not contractual.
How it works
User uploads a file
The Enclave client generates a unique DEK (data encryption key) for the file using a cryptographically secure random number generator.
Client-side encryption
The file is encrypted with AES-256-GCM using the DEK before any data leaves the user’s device.
Key wrapping
The DEK is wrapped (encrypted) using the room’s KEK (key encryption key), which is derived from your KMS or HSM.
Ciphertext upload
Only ciphertext reaches the Enclave server. The server stores encrypted blobs — it cannot read them.
Key capabilities
| Capability | Detail |
|---|---|
| Encryption | AES-256-GCM, client-side |
| Key management | BYOK, HYOK, HSM (Thales, AWS, Azure, GCP) |
| Access control | Org Unit membership + clearance levels |
| Audit logs | Append-only, cryptographically signed |
| Deployment | SaaS, VPC, on-premise, air-gapped |
| Compliance | SOC 2 Type II, ISO 27001, GDPR, HIPAA |
What Quelden cannot do
- Read your files — we never hold unwrapped KEKs
- Modify your audit logs — entries are cryptographically signed
- Grant access to your rooms — access is enforced by key material, not policy alone
- Comply with decryption orders — we have nothing to hand over
This is the architectural guarantee, not a terms-of-service promise. The cryptographic design enforces it.

