BYOK includes a number of security features:

Security FeatureDescription
Encryption assuranceOur encryption infrastructure includes a key manager appliance certified to FIPS 140-2 Level 3. An embedded Hardware Security Module (HSM) provides the Roots of Trust (RoT). All data is encrypted using the AES (256-bit) algorithm.
Encryption InfrastructureYou can use our encryption infrastructure to manage an encryption key lifecycle for your assets. It provides data confidentiality and protection of keying material that satisfies the NIST SP 800-175B specification. If you prefer, you can upload compatible keys generated from an external crypto management application.
Data encryption and access controlData encryption and access control is achieved through a kernel file protection driver installed on the application server.
Separation of dutiesBYOK supports a strong separation of duties policy. Key management is the sole responsibility of the Encryption Administrator and separated from other administrative roles at the tenant and workspace levels. With BYOK, no single administrator has complete control over data protection activities.
Customer controlled encryption and key managementYou control your keys and the associated key lifecycle directly in Administration. No Anaplan employees, or non-Encryption Administrators within your organization, have access to your keys and encrypted model data.
Transparent encryptionWhile protecting all of the data in an encrypted model, the data encryption isn't visible by end users. This reduces complexity and cost.
Geo-legal sensitivityBYOK enables you to store your keys and encrypted data in line with your specific geo-legal requirements. This is subject to approval.
Compliance reportingCompliance reporting provides detail on encryption, key management, and access policy actions, by user and time. The log records every user and process that attempts to access the encryption protection data, whether successful or not.