by csomar 584 days ago
> When I tell customers that we cannot read and really delete their data - they straight up accuse me of lying!

I'd accuse you too. If you can't read their data, then the data doesn't exist? Also, if you can't read their data, how are the customers seeing it on their dashboard?


I try to explain it shortly: The encrypted data is in a different datacenter than the keys needed to decrypt the data. The services we implemented to bring both together run in a secured environment that has no services implemented to access the servers and where physical access is restricted. Errors and monitoring data get out, PII does not. Everything is documented and was inspected and certified by a 3rd party. If a customer requests to delete his data we instantly delete the key, a little later we delete the (already useless) data, and all backups will lose this information about a month later too.

And of course we did that not because we are nice people (though we believe we are). We did it because we had the hypothesis that a reputation to handle the user-data with provable utmost respect to security and privacy would be more valuable than having access to this data.

People not believing us or accusing us of lying obviously defy that hypothesis.
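The split the reply above describes (keys held apart from the ciphertext, the two brought together only inside one read path, deletion done by dropping the key first so records and backups become useless), as an added Go example that is not code from this thread or from the commenter's company. The store names, the one-key-per-customer layout, AES-256-GCM and binding the customer id as associated data are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type blobs = map[string][]byte
// KeyStore stands in for the key datacenter (one random data-encryption key per customer);
// DataStore stands in for the data datacenter (ciphertext only, plus a backup copy purged later).
type KeyStore struct{ keys blobs }
type DataStore struct{ Records, Backups blobs }
var ErrNoKey = errors.New("key deleted: ciphertext is unreadable")
func NewStores() (*KeyStore, *DataStore) { return &KeyStore{blobs{}}, &DataStore{blobs{}, blobs{}} }

// must panics on error: a failing CSPRNG or a bad key size has no safe fallback.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
// newAEAD builds AES-256-GCM from a 32-byte key.
func newAEAD(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Store encrypts PII under the customer's own key (nonce prepended, customer id bound as associated
// data) and writes only ciphertext, to the live records and to the backup copy.
func Store(ks *KeyStore, ds *DataStore, customer string, pii []byte) {
	if _, ok := ks.keys[customer]; !ok { ks.keys[customer] = randBytes(32) } // key never leaves the key store
	aead := newAEAD(ks.keys[customer])
	nonce := randBytes(aead.NonceSize())
	ct := aead.Seal(nonce, nonce, pii, []byte(customer))
	ds.Records[customer], ds.Backups[customer] = ct, ct
}

// Read is the only place key and ciphertext meet; once the key is gone, live records and backups
// alike are unreadable, which is what makes deleting the key an instant, effective deletion.
func Read(ks *KeyStore, customer string, ct []byte) ([]byte, error) {
	key, ok := ks.keys[customer]
	if !ok { return nil, ErrNoKey }
	aead := newAEAD(key)
	n := aead.NonceSize()
	if len(ct) < n { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, ct[:n], ct[n:], []byte(customer))
}
// DeleteCustomer is step one of the comment's procedure: drop the key immediately.
func DeleteCustomer(ks *KeyStore, customer string) { delete(ks.keys, customer) }
```

The backup copy is never touched by DeleteCustomer, which is the point: after the key is gone the backup is just random-looking bytes until its own purge schedule removes it.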

Row-level encryption: yes, it's possible to break the glass, but it's code changes, and that sort of thing is noticed by the org and would be reported on.

In the automotive space we are leaning heavily on confidential computing primitives to make it actually impossible, for example keys generated entirely inside enclaves and only attested software can run on those etc etc.

Client-side encryption?