Data encryption

<< Click to Display Table of Contents >>

Navigation:  Automation Service Overview > Security and compliance >

Data encryption


To provide a higher data security level, as well as other security controls mentioned in Automation Service Security, Automation Service features data encryption for data both at rest and in transit.


For data at rest, Transparent Data Encryption (TDE) technology is in place, while for data in transit, communication channels rely on the Transport Layer Security (TLS) protocol entailing the use of certificates to encrypt content.


Encryption at rest

Encryption for data at rest is performed at the page level by using TDE.

The pages are kept in an encrypted database using this technology and are encrypted before they are written to disk and decrypted when read into memory.

This measure prevents reading data from the physical media by potential attackers (i.e, stealing files), while supporting the use of highly secure algorithms such as AES and the use of a 256-bit symmetric key.

Data at rest in Azure Blob storage and Table storage is encrypted using Azure Storage Service Encryption (SEE). SSE can automatically encrypt data before it is stored, and it automatically decrypts the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-bit.


Key management

Bizagi does not provide, manage, or access the TDE root key and the SEE encryption key.  

TDE root key is protected by a Microsoft internal secret store.

Data in the Azure Storage is encrypted with Microsoft-managed keys.


Bizagi Automation Service relies on the Microsoft-managed key option. The following table shows the management key parameters:



Management key parameters

Key management parameter

Microsoft-managed keys

Encryption/decryption operations


Azure Storage services supported


Key storage

Microsoft key store

Key rotation responsibility


Key control




Currently, Bizagi Automation Services does not support customer-managed or customer-provided keys options.



Encryption in transit

Encryption of data in transit is assured by using TLS certificates that protect the channel.

This applies both to communications between the service components and the database, and to the communication of end users when accessing Automation Service (in which case, HTTPS is used).

This measure prevents tampering of packages, spoofing, and man-in-the-middle attacks at the transport layer.


Additional notes

As well as the above security measures, note that unauthorized access to the database is not allowed, and identity management for access to Bizagi Work Portal is under the administration of the customer.

For identity management, Automation Service supports integrated authentication mechanisms with which Bizagi does not store the password used by users to authenticate in the Work Portal. When Bizagi local authentication is used (with no integrated identity provider system), Bizagi encrypts passwords by employing an AES algorithm that uses a 256-bit key.