BYOK includes a number of security features:
| Security Feature | Description |
| Encryption assurance | Our encryption infrastructure includes a key manager appliance certified to FIPS 140-2 Level 3. An embedded Hardware Security Module (HSM) provides the Roots of Trust (RoT). All data is encrypted using the AES (256-bit) algorithm. |
| Encryption Infrastructure | You can use our encryption infrastructure to manage an encryption key lifecycle for your assets. It provides data confidentiality and protection of keying material that satisfies the NIST SP 800-175B specification. If you prefer, you can upload compatible keys generated from an external crypto management application. |
| Data encryption and access control | Data encryption and access control is achieved through a kernel file protection driver installed on the application server. |
| Separation of duties | BYOK supports a strong separation of duties policy. Key management is the sole responsibility of the Encryption Administrator and separated from other administrative roles at the tenant and workspace levels. With BYOK, no single administrator has complete control over data protection activities. |
| Customer controlled encryption and key management | You control your keys and the associated key lifecycle directly in Administration. No Anaplan employees, or non-Encryption Administrators within your organization, have access to your keys and encrypted model data. |
| Transparent encryption | While protecting all of the data in an encrypted model, the data encryption isn't visible by end users. This reduces complexity and cost. |
| Geo-legal sensitivity | BYOK enables you to store your keys and encrypted data in line with your specific geo-legal requirements. This is subject to approval. |
| Compliance reporting | Compliance reporting provides detail on encryption, key management, and access policy actions, by user and time. The log records every user and process that attempts to access the encryption protection data, whether successful or not. |
