Cloud Enterprise BYOK is live on the Novantra Managed Cloud service. Customers on the Enterprise tier can now bind their organisation's encryption key material to a key provider they control, instead of relying on Novantra-operated platform keys.

What you can do today

  • View the current key posture for your organisation.
  • Configure a customer key provider against either AWS KMS or Azure Key Vault.
  • Launch an explicit dry-run validation against the provider before any live change.
  • Activate the customer-controlled key in a single, audited operation.
  • Review per-operation evidence of every key use through the standard audit surface.

The entitlement key is cloud.byok. It is included in Enterprise contracts and can be enabled for any organisation under that entitlement.

What changes for you in practice

After activation, every encrypted column, every encrypted artifact, and every blind index in your organisation's database is sealed under a key version that your provider wrapped. Novantra cannot read your data without your provider responding. If your provider becomes unavailable for any reason, the organisation fails closed; we do not fall back to a platform-owned key for active customer-wrapped data.

You retain the ability to rotate, retire, or rewrap key versions on your own schedule. The operation ledger captures every action with full evidence for your auditors.

Why this matters

Customer-controlled keys are not a compliance checkbox. They are an architectural commitment. They mean that, no matter what happens to Novantra, no matter what jurisdiction asserts a claim, no matter what a malicious insider attempts, your data remains under your control because the key material remains under your control.

For regulated organisations in healthcare, finance, and the public sector, this is increasingly not optional. It is the difference between "we trust the vendor" and "we do not need to".

Where to find it

If you are on the Enterprise tier, the Key Management section is now available under your organisation admin surface. Configuration, dry-run, and activation each have their own audited workflow.

If you are interested in moving to Enterprise to access Cloud BYOK, contact sales or use the Free tier to evaluate the platform first.