Field-Level At Rest Encryption

Learn how CleverTap secures your data while it is stored in CleverTap using AES-256 encryption and key management.

Overview

Field-Level At Rest Encryption protects Personally Identifiable Information (PII) stored in CleverTap by ensuring that the data can only be decrypted using valid keys. PII includes sensitive information such as names, email addresses, phone numbers, and custom user and event properties. When field-level data is encrypted at rest, this information stays protected across all stages of storage, including databases, backups, and any persistent storage systems.

CleverTap’s encryption framework utilizes strong, industry-standard algorithms such as AES-256 to secure data without limiting teams from using the platform. Users who have the required Role-Based Access Control (RBAC) permissions can continue to work seamlessly with encrypted fields across Segments, Analytics, and Campaigns, while the underlying PII remains protected from unauthorized access.

📘

Add-on Feature

This feature is available as a paid add-on. To enable PII Encryption, contact your sales representative.

Field-Level At Rest Encryption helps you perform the following:

  • Prevent unauthorized access across databases and backups.
  • Ensure secure long-term data retention.
  • Comply with global and local data protection regulations.
PII Encryption

📘

Encryption is Irreversible

Encryption is irreversible only for event properties. You cannot revert an event property to an unencrypted state.

Encryption Framework

CleverTap utilizes multiple layers of encryption to safeguard stored data without compromising functionality. It applies AES-256 encryption to all stored data and manages encryption keys through secure key management infrastructure. This framework ensures confidentiality, integrity, and compliance while preserving analytics and campaign operations.

Default vs. Bring Your Own Key Encryption

By default, CleverTap encrypts field-level data at rest using the keys in its key management system.

If you require additional security, Bring Your Own Key (BYOK) encryption enables you to use your own keys to encrypt field-level data at rest in CleverTap.

For more information, refer to Bring Your Own Key (BYOK) Encryption.

Eligible Data

You can mark the following properties for encryption.

  • System user properties
    • Phone
    • Email
  • Custom user properties
  • Custom event properties

Custom events are also supported for encryption. Once encryption is enabled for a custom property, new incoming data is encrypted automatically, while historical data remains unencrypted.

Encrypt Field-Level Data At Rest

CleverTap automatically encrypts all stored data using secure, industry-standard methods:

  • AES-256 encryption for all databases, backups, and persistent storage
  • Secure key management through a centralized key infrastructure
  • Automated key rotation and audit logging

These controls ensure all PII stored in CleverTap remains protected and compliant with global regulations.

Encrypt User or Event Properties

You can encrypt user or event properties either individually or in bulk.

Encrypt Single Property

To encrypt an individual event property, follow these steps:

  1. Go to Settings > Schema > Events > Custom Events.
  2. Click Properties for the required event.
  3. Click the ellipsis menu and select Encrypt.
  4. In the confirmation dialog, click Encrypt.
Encrypt PII Values

The following image shows the encrypted PII properties:

Encrypted Properties

Using Encrypted Data Across Platforms

CleverTap enforces Role-Based Access Control (RBAC) for all encrypted properties, so access depends on the user's permissions. Only authorized users with RBAC permissions can view and use decrypted values in Segments, Engagements, and Analytics, and these values remain consistent across the platform.

Users who do not have decryption permissions see only the encrypted value instead of the underlying PII. When they attempt to query the property, the interface displays the encrypted property as shown in the image, and the user cannot view or filter by the actual decrypted value.

Segments

Users without decryption permissions cannot view or query the encrypted property in the Segment Builder.

Encrypted Values in Segment Builder

Engagements

Users without decryption permissions cannot access or use the encrypted properties in Campaigns and Journeys.

Filter using Encrypted Values in Campaigns

Analytics

Users without decryption permissions cannot view or query the encrypted properties in Analytics or reports.

Query using Encrypted Values in Analytics

📘

Viewing Encrypted Values

Only Admins can encrypt field-level data at rest, and only authorized users can view the encrypted values.

The visibility of encrypted values on the Segment and Analytics pages depends on your role. For roles without encryption access, these values remain hidden. Roles with encryption permissions can view and use the encrypted values for segmentation and analytics.

Frequently Asked Questions

What encryption algorithm does CleverTap use?

CleverTap uses AES-256 encryption keys for field-level data at rest.

Can I search or segment encrypted fields?

Yes. Authorized users can search and segment encrypted fields without a performance impact.

Can encryption be disabled later?

No. Encryption cannot be disabled or paused. Once enabled for an event property, all future incoming data is also encrypted. However, you can decrypt a user property.

How does masking interact with encryption?

If a property is configured for both masking and encryption, encryption takes precedence. The system encrypts the value first, and masking rules apply only to authorized users who have decryption access.
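
The following sketch is an added example, not CleverTap's code. It shows the general pattern described on this page: marked fields are encrypted with AES-256 on ingest, decryption is gated on a role permission, and masking applies only after an authorized decrypt. The GCM mode, the in-process key, the masking rule, and all names (`ingest`, `readField`, `canDecrypt`) are assumptions made for illustration.

```javascript
// Added illustration, not CleverTap code. Assumed: AES-256-GCM as the mode,
// an in-process key, and every identifier below (all hypothetical).
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const KEY = randomBytes(32);                   // 256-bit key; a real system fetches it from a KMS
const ENCRYPTED_FIELDS = new Set(['Email']);   // properties marked for encryption
const MASKED_FIELDS = new Set(['Email']);      // properties that also carry a masking rule

// Encrypt one value. The field name is bound as AAD, so a ciphertext copied
// into a different field fails authentication on decrypt.
function encryptField(name, value) {
  const iv = randomBytes(12);                  // fresh 96-bit nonce per value
  const c = createCipheriv('aes-256-gcm', KEY, iv);
  c.setAAD(Buffer.from(name));
  const ct = Buffer.concat([c.update(String(value), 'utf8'), c.final()]);
  return { enc: Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64') };
}

function decryptField(name, stored) {
  const raw = Buffer.from(stored.enc, 'base64');
  const d = createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
  d.setAAD(Buffer.from(name));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Ingest: only marked fields are encrypted; other fields are stored as received.
function ingest(profile) {
  return Object.fromEntries(Object.entries(profile).map(
    ([k, v]) => [k, ENCRYPTED_FIELDS.has(k) ? encryptField(k, v) : v]));
}

const mask = (v) => v.replace(/^(.).*(@.*)$/, '$1***$2');   // constructed masking rule

// Read: a caller without decrypt permission gets the stored ciphertext object.
// A caller with it gets the value decrypted first, then masked if a rule exists.
function readField(stored, name, role) {
  const v = stored[name];
  const isCiphertext = v !== null && typeof v === 'object' && 'enc' in v;
  if (!isCiphertext) return v;                 // in this sketch: unmarked field or pre-encryption record
  if (!role.canDecrypt) return v;
  const plain = decryptField(name, v);
  return MASKED_FIELDS.has(name) ? mask(plain) : plain;
}
```

Records written before a field was marked stay in plaintext in this sketch, which mirrors the note above that historical data remains unencrypted and is the part of the data set to review when enabling encryption on an existing property.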