by DandyDev 1256 days ago
This looks really cool and clever. I do have a question about security though. The FAQ states:

> Today, we encrypt all sensitive data on your computer before it is sent to our servers, your data is encrypted in transit and at rest. Our employees do not have access to the private key to decrypt sensitive data.

I wonder how this works. I assume Plus works by storing the cookies present in the user's browser so that it can inject those cookies in a headless browser to take a Snapshot. In order to do that, it would need to decrypt the cookie (if it was encrypted in the first place, which the FAQ seems to suggest). For that, the headless process needs the encryption key. That would mean that employees can also access that encryption key.

What am I missing here?


I assume they mean by default, employees do not have access to the KMS key necessary to decrypt the sensitive data. (They mention using an individual KMS key per customer)

I suspect there must be a handful of SREs who could access it if they really wanted to - though that access would still be logged in CloudTrail.

You've got it right! The KMS keys used to encrypt sensitive data are generated per customer, and the majority of our engineering team cannot access any sensitive production data at all. In theory, it would only be the select team members with privileged access that could access it, but as you mentioned, it would be logged in CloudTrail. We also have GuardDuty enabled, and it would likely alert on anomalous activity.

Personally, I think we could do a better job explaining our security model in our FAQ. I'll bring it up with the team.
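The two replies above rest on the same control: a service role decrypts with a per-customer KMS key, and any human principal doing the same is visible in CloudTrail. As an added example (not code from this thread, from the product being discussed, or from AWS), here is the detection side of that argument: a small filter over CloudTrail-style KMS records that flags plaintext-yielding calls (`Decrypt`, `GenerateDataKey`) made by anything other than the expected worker role. The records, account id, key ARNs and the role name `snapshot-worker` are all constructed placeholders; the field names follow CloudTrail's JSON layout.

```python
"""Flag KMS calls that return plaintext key material but were not made by
the expected service role. Input records mimic CloudTrail's JSON layout."""

# Assumption (not from the thread): only this role should ever unwrap
# customer data. Any other principal is worth a look, even if it is a
# legitimate break-glass role, because that is exactly the access the
# FAQ wording glosses over.
EXPECTED_SERVICE_ROLE = "snapshot-worker"

# KMS APIs that hand plaintext key material back to the caller.
PLAINTEXT_APIS = {"Decrypt", "GenerateDataKey"}

# Constructed records. Account id, ARNs, names and IPs are placeholders.
SAMPLE_RECORDS = [
    {   # the worker doing its job: expected, not flagged
        "eventTime": "2024-01-01T10:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/snapshot-worker/i-0abc",
        },
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/cust-a"}],
        "sourceIPAddress": "10.0.1.5",
    },
    {   # a privileged human using a break-glass role: flagged
        "eventTime": "2024-01-01T10:05:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/sre-breakglass/alice",
        },
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/cust-b"}],
        "sourceIPAddress": "203.0.113.7",
    },
    {   # an IAM user minting a data key: flagged
        "eventTime": "2024-01-01T10:06:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111111111111:user/bob"},
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/cust-b"}],
        "sourceIPAddress": "203.0.113.9",
    },
    {   # metadata only, no plaintext involved: ignored
        "eventTime": "2024-01-01T10:07:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "DescribeKey",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111111111111:user/bob"},
        "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/cust-b"}],
        "sourceIPAddress": "203.0.113.9",
    },
]


def principal(record):
    """Return (identity type, name) for the caller.

    For assumed roles the name is the role, not the session, so the check
    is on which role was used rather than who named the session."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type", "Unknown")
    arn = ident.get("arn", "")
    if kind == "AssumedRole" and ":assumed-role/" in arn:
        # arn:aws:sts::<account>:assumed-role/<role>/<session>
        return kind, arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return kind, ident.get("userName") or arn


def find_unexpected_unwraps(records, expected_role=EXPECTED_SERVICE_ROLE):
    """Return plaintext-yielding KMS calls not made by the expected role."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in PLAINTEXT_APIS:
            continue
        kind, name = principal(rec)
        if kind == "AssumedRole" and name == expected_role:
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "api": rec["eventName"],
            "principal_type": kind,
            "principal": name,
            "key": (rec.get("resources") or [{}])[0].get("ARN", "?"),
            "source_ip": rec.get("sourceIPAddress"),
        })
    return findings


def keys_per_principal(findings):
    """Map each unexpected principal to the distinct customer keys it unwrapped."""
    out = {}
    for f in findings:
        out.setdefault(f["principal"], set()).add(f["key"])
    return {p: sorted(keys) for p, keys in out.items()}


if __name__ == "__main__":
    for f in find_unexpected_unwraps(SAMPLE_RECORDS):
        print(f"{f['time']} {f['api']:16} {f['principal_type']}/{f['principal']} "
              f"key={f['key'].rsplit('/', 1)[-1]} from {f['source_ip']}")
    print(keys_per_principal(find_unexpected_unwraps(SAMPLE_RECORDS)))
```

In a real deployment the same filter would run over CloudTrail records delivered to S3 or CloudWatch Logs, and the `expected_role` allow-list would be the only thing to maintain; the value of the check is that it turns "logged in CloudTrail" into an alert on the specific event class (a human unwrapping a customer key) rather than a log nobody reads.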

> Our employees do not have access to the private key to decrypt sensitive data.

So this is literally a lie?