Gatana Documentation

Confidentiality & Privacy

How Gatana Cloud protects your sensitive data with SOC 2-grade encryption

On-Premise & Self-Hosting

For complete data ownership, you can self-host Gatana. See On-Premise & Self-Hosting for more information.

Overview

Gatana Cloud protects all sensitive customer data using Google Cloud Key Management Service (KMS) and envelope encryption [1]. Credentials, API keys, and other sensitive information remain protected even in the event of a database breach.

Each organization has its own encryption key, providing complete cryptographic separation between tenants. Keys are rotated according to security best practices.

For additional isolation, secret stores allow you to store credentials in your own vault and have Gatana retrieve them at runtime.

Envelope Encryption

Gatana uses envelope encryption to protect sensitive data. Each organization is assigned a unique AES-256-GCM data encryption key (DEK) that encrypts all sensitive information within that organization. The DEK itself is encrypted by Google Cloud KMS and stored in this protected form. At runtime, Gatana decrypts the DEK using KMS and retains it in memory only for the duration required to perform cryptographic operations.
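
The flow described above, as an added Node.js example (not Gatana's own code): a per-organization AES-256-GCM DEK is stored only in wrapped form and is unwrapped just for the duration of each operation. Assumptions of this example: `LocalKms` is a local stand-in for Google Cloud KMS, the blob layout and all function names are hypothetical, and binding the organization ID as additional authenticated data is a choice made here, not something the page states.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Blob layout: nonce (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // final() throws if the tag does not verify
}

// Assumption: local stand-in for the KMS. It alone holds the key-encryption key
// (KEK) and only wraps or unwraps DEKs; a real deployment calls the KMS API here.
class LocalKms {
  #kek = crypto.randomBytes(32);
  wrap(dek, orgId) { return seal(this.#kek, dek, Buffer.from(orgId)); }
  unwrap(wrapped, orgId) { return open(this.#kek, wrapped, Buffer.from(orgId)); }
}

// One DEK per organization; only its wrapped form goes into the stored row.
function createOrg(kms, orgId) {
  const dek = crypto.randomBytes(32);
  const row = { orgId, wrappedDek: kms.wrap(dek, orgId) };
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return row;
}

function encryptSecret(kms, org, secret) {
  const dek = kms.unwrap(org.wrappedDek, org.orgId);
  try { return seal(dek, Buffer.from(secret), Buffer.from(org.orgId)); }
  finally { dek.fill(0); } // plaintext DEK lives only for this operation
}

function decryptSecret(kms, org, blob) {
  const dek = kms.unwrap(org.wrappedDek, org.orgId);
  try { return open(dek, blob, Buffer.from(org.orgId)).toString(); }
  finally { dek.fill(0); }
}

// Constructed demo values: round trip for one tenant.
const demoKms = new LocalKms();
const demoOrg = createOrg(demoKms, 'org-a');
console.log(decryptSecret(demoKms, demoOrg, encryptSecret(demoKms, demoOrg, 'sk-constructed-123')));
```

A copied database row (wrapped DEK plus ciphertext) cannot be decrypted without access to the KEK, and a ciphertext presented under another organization's DEK fails authentication.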

Questions

If you have questions about our security practices, please contact support@gatana.ai.

Footnotes

  1. Gatana is not yet SOC 2 certified, but we are actively working towards certification.
