Turen uses multiple layers of encryption to protect your organization’s data.

Encryption in Transit

All communication between Turen components uses TLS 1.2 or higher:
| Connection | Protocol |
| --- | --- |
| Agent to Turen Cloud | HTTPS (TLS 1.2+) |
| Dashboard to Turen API | HTTPS (TLS 1.2+) |
| Claude Code to local proxy | HTTP (localhost only, never leaves the machine) |
The local proxy listens on 127.0.0.1 only. LLM traffic between the proxy and Anthropic uses HTTPS.

Encryption at Rest

Session Data

Session recordings are the most sensitive data Turen handles. They are protected with envelope encryption:
  1. Organization key (DEK) — Each organization has a unique AES-256-GCM Data Encryption Key
  2. AWS KMS (KEK) — The organization key is itself encrypted by AWS Key Management Service
  3. Per-session encryption — Each session is encrypted individually with the organization’s DEK
Session JSONL → AES-256-GCM (org DEK) → Encrypted blob → S3

                  Org DEK → AWS KMS (KEK) → Encrypted DEK → Database
To read a session, Turen must:
  1. Retrieve the encrypted DEK from the database
  2. Decrypt it via AWS KMS
  3. Use the DEK to decrypt the session data
This means even if S3 storage were compromised, session data would be unreadable without access to both the database and AWS KMS.

Agent Credentials

Agent secrets (as_live_) are stored on the developer’s machine in a state file encrypted with a machine-bound key. The encryption key is derived from hardware identifiers, so the state file cannot be decrypted on a different machine.

Database

The PostgreSQL database uses encryption at rest provided by the hosting provider (Supabase). All sensitive fields (secrets, keys) are stored as hashed or encrypted values.

Key Management

| Key | Scope | Rotation |
| --- | --- | --- |
| Organization DEK | Per-organization | Managed by Turen |
| AWS KMS KEK | Platform-wide | Automatic (AWS managed) |
| Agent secrets | Per-machine | On-demand via API |
| API keys | Per-key | Manual (create new, revoke old) |

Data Residency

All Turen infrastructure runs in AWS us-east-1. Session data, telemetry, and metadata are stored in this region. Contact us if you have specific data residency requirements.