Security
Encryption
How Queringo encrypts sensitive data with per-workspace keys.
Updated May 27, 2026
Queringo encrypts sensitive data using envelope encryption with a separate key per workspace, so workspaces are cryptographically isolated from one another.

How it works
- Per-workspace data key: each workspace has its own data encryption key. Sensitive fields, such as stored credentials and glossary content, are encrypted with it.
- Envelope encryption: each workspace's data key is itself wrapped by a master key held in a key-management service, so the data key is never stored in the clear.
- In transit: connections to your data sources use TLS, and you can require encrypted connections or private networking.
Enabling field encryption
A workspace admin can enable application-layer field encryption in Authentication settings. Once enabled, it cannot be turned off, to prevent accidental downgrade of protection.
Per-workspace keys mean a single key never spans workspaces, which limits the blast radius if a credential is ever compromised.
What's next
See how location and lifecycle are handled in Data residency.