Organization encryption
Last updated 2026-03-23
Overview
Organization encryption protects your coding standards and API specification content at rest. When enabled, the sensitive content in your knowledge base is encrypted before it is stored — only your organization can access it.
You can choose between two modes depending on your security needs.
Platform-managed vs BYOK
Platform-managed — CodeContext generates and manages the encryption key for you. This is the simplest option: enable it and everything is handled automatically.
BYOK (bring your own key) — You supply your own encryption key. This gives your team full control over the key used to protect your data. If you ever revoke or delete the key, the data cannot be decrypted — even by CodeContext.
Getting started
Encryption is available on the Enterprise plan. Organization owners and admins can enable it from Settings > Encryption.
When you first enable encryption, existing content goes through a short migration. You will see progress in the settings page and receive an email when it is complete.
Setting up BYOK
- Generate a 256-bit key (32 bytes, hex-encoded). On macOS or Linux:
    openssl rand -hex 32
- Go to Settings > Encryption and choose BYOK.
- Paste your key when prompted.
- Store a backup of your key in a secure location — you will need it if you ever need to recover access.
Never commit keys to source control or share them over chat or email.
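The setup steps above can be scripted so the key never appears on screen and the backup is checked before you rely on it. This is an added example, not CodeContext tooling; the function names and file paths are illustrative assumptions, and only `openssl rand -hex 32` comes from the steps above.

```shell
#!/bin/sh
# Added example (not CodeContext tooling). Function and file names are
# illustrative assumptions; only `openssl rand -hex 32` comes from the page.

# Succeed only if $1 is exactly 64 hex characters, i.e. 32 bytes / 256 bits.
is_valid_key() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Create a new key in file $1, readable by the owner only.
# Refuses to overwrite, so a key that is still in use is never clobbered.
generate_key() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite $1" >&2
        return 1
    fi
    ( umask 077 && openssl rand -hex 32 > "$1" ) || return 1
    is_valid_key "$(cat "$1")"
}

# Print a short SHA-256 fingerprint of the key in file $1. The fingerprint
# can be logged or compared without revealing the key itself.
key_fingerprint() {
    tr -d ' \r\n' < "$1" | openssl dgst -sha256 |
        awk '{ print substr($NF, 1, 16) }'
}

# Succeed only if backup file $2 holds the same valid key as file $1.
verify_backup() {
    is_valid_key "$(tr -d ' \r\n' < "$2")" || return 1
    [ "$(key_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}

# Usage:
#   generate_key byok.key && cp -p byok.key /path/to/secure/backup.key
#   verify_backup byok.key /path/to/secure/backup.key && key_fingerprint byok.key
```

Record the fingerprint alongside the backup so you can later confirm which key a stored copy holds without opening it.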
Key rotation
You can rotate your encryption key at any time from Settings > Encryption.
For platform-managed encryption, rotation is one click — we generate a new key and re-encrypt your data automatically.
For BYOK, rotation asks you to supply a new key. This is the same process you followed when you first set up encryption: generate a key, paste it, and confirm. Your data is re-encrypted with the new key automatically.
Your organization stays fully accessible during re-encryption. You will receive an email when the process is complete.
Key revocation
Revoking a key is permanent and destructive. Once revocation completes, encrypted content can never be decrypted.
To prevent accidental data loss, revocation has a 72-hour cooling-off period. You can cancel it at any time during that window from Settings > Encryption. After the window closes, revocation is irreversible.
You will receive email notifications when revocation is scheduled and when it completes.
Disabling encryption
Disabling encryption decrypts all of your content and returns your organization to the standard, unencrypted state. Like revocation, disabling has a 48-hour cooling-off period so admins can cancel if needed.
After decryption completes, your organization works exactly as it did before encryption was enabled. You can re-enable encryption at any time.
FAQ
What exactly is encrypted?
The content of your coding standards and API specifications — descriptions, code examples, steps, endpoint details, and spec bodies. This is the sensitive intellectual property in your knowledge base.
What is not encrypted?
Organizational metadata like titles, tags, categories, and dates is not encrypted. This allows features like navigation and filtering to work normally.
Can CodeContext access my encrypted data?
With platform-managed keys, yes — CodeContext manages the key and uses it to serve your data when you access the product.
With BYOK, CodeContext can only decrypt while your key is active. If you revoke the key, we lose the ability to decrypt your content.
What if I lose my BYOK key?
If you have not revoked the key in CodeContext, your data is still accessible — the key is stored securely in our system. Contact support if you need help.
If the key has already been revoked, encrypted data protected by that key cannot be recovered.
Does encryption affect performance?
The impact is minimal. You may notice a brief delay on the first search after opening the app, but after that performance is comparable to normal usage.
Still need help?
Our support team is happy to help with any questions you may have.
support@codecontext.app