Encryption Policy
Last updated: 2026-03-04
This Encryption Policy describes how Cause Connect Pte. Ltd. ("Coraa", "we", "us", or "our") uses encryption to protect data across our services. We are registered in Singapore at 68 Circular Road, #02-01, 049422, Singapore.
Objective
The objective of this policy is to define the encryption standards and practices used by Coraa to protect the confidentiality and integrity of data. Encryption is a critical component of our security posture and is applied to data at rest, data in transit, and sensitive credentials such as passwords.
Scope
This policy applies to all data processed, stored, or transmitted by Coraa systems, including Customer Data, operational data, credentials, and internal communications. It covers all production environments, backup systems, and development or staging environments that handle real data.
Policy statement
- All sensitive data must be encrypted both at rest and in transit using industry-standard algorithms and protocols.
- Only approved encryption algorithms, key lengths, and protocols are used. Deprecated or weak algorithms are prohibited.
- Cryptographic keys are managed securely throughout their lifecycle, including generation, distribution, storage, rotation, and destruction.
- Encryption configurations are reviewed regularly and updated as standards evolve.
Encryption at rest
All data stored on Coraa systems is encrypted at rest to protect against unauthorized access to the underlying storage media.
- Algorithm - AES-256 (Advanced Encryption Standard with 256-bit keys) or equivalent.
- Scope - all databases, file storage, object storage, and backup media.
- Implementation - encryption is applied at the storage layer using managed encryption services provided by our cloud infrastructure provider. Where additional protection is required, application-level encryption is applied.
- Key management - encryption keys are managed through a dedicated key management service (KMS) with hardware security module (HSM) backing where available.
Encryption in transit
All data transmitted between clients and Coraa services, and between Coraa internal services, is encrypted in transit.
- Protocol - TLS 1.2 or higher for all external-facing connections. TLS 1.0 and 1.1 are disabled.
- Cipher suites - only strong cipher suites are allowed. We prioritize forward-secrecy cipher suites (ECDHE) and disable weak ciphers (RC4, DES, 3DES, MD5-based).
- Certificates - TLS certificates are obtained from trusted certificate authorities and renewed before expiration. Certificate pinning or monitoring is used where appropriate.
- Internal communications - service-to-service communication within our infrastructure is encrypted using mutual TLS (mTLS) or equivalent mechanisms.
Password encryption
User passwords are never stored in plain text. We apply industry-standard hashing and salting techniques to protect stored credentials.
- Algorithm - passwords are hashed using bcrypt, scrypt, or Argon2 with a unique, randomly generated salt per password.
- Work factor - the computational cost parameter is set to meet current best practices and is increased over time as hardware capabilities improve.
- No reversibility - password hashes are one-way. Passwords cannot be recovered from the hash; they can only be reset.
Cryptographic key management
Proper key management is essential to the effectiveness of encryption. Coraa follows these practices for managing cryptographic keys:
- Generation - keys are generated using cryptographically secure random number generators.
- Storage - keys are stored in a dedicated key management service (KMS) and are never stored alongside the data they protect. Access to keys is restricted to authorized services and personnel.
- Rotation - encryption keys are rotated on a regular schedule (at least annually) and immediately upon suspected compromise. Key rotation is performed without service disruption.
- Access control - access to cryptographic keys is governed by the principle of least privilege and requires multi-factor authentication for administrative operations.
- Destruction - when keys are retired or replaced, they are securely destroyed to prevent future unauthorized decryption of data encrypted with those keys.
- Audit - all key management operations (creation, rotation, access, destruction) are logged and auditable.
Contact
- Email - privacy@coraa.ai
- Support - support@coraa.ai
- Address - Cause Connect Pte. Ltd., 68 Circular Road, #02-01, 049422, Singapore
See our Privacy Policy and Data Protection Policy for related information.