SaaS Providers

Baffle provides BYOK and record level encryption for multi-tenant SaaS

The SaaS Business vs. Security Trade-off

The shift to cloud-based software delivery has revolutionized how enterprises use software. Software-as-a-service (SaaS) has become the predominant mode of adopting software for companies resulting in huge amounts of data being entrusted to respective SaaS providers.

You may be in the business of delivering a SaaS service, and key customers are demanding enhanced security measures or auditors are breathing down your neck or your legal or risk team or board has concerns over pending privacy regulations.  All the while, your customers are asking for this feature and that feature and competition is heating up.

This leaves you with the business dilemma of building out features and functionality to delight your customers and compete in the market or building out security platform capabilities.  Alternatively, you could attempt to do both if you have a bottomless budget and can get developers, or you could opt to dedicate instances for big clients, which is operationally and cost inefficient.

Or, you could implement an off-the-shelf BYOK service that supports multiple keys in multi-tenant environments, while requiring no architectural or application code changes.  The transition can be isolated and you can remain focused on running your core business and service.

Simplified BYOK for SaaS

What if there was an easier way to deliver a solution to the above scenario?  What if you could satisfy enterprise customers with stringent security requirements without having to modify your applications, hundreds of microservices or dedicate instances to that customer?

Baffle provides a BYOK platform for SaaS providers that supports customer-owned keys and secures data at the record level in a multi-tenant environment, without requiring application and architectural changes or dedicated instances.  The solution is in production globally with SaaS providers in environments in excess of several billion records, with virtually no discernible performance overhead.

This satisfies the compliance requirements of your largest customers, gives them ownership of their key, gives them a right of data revocation, and frees you up to do what you do best — build a world-class application and service.

Baffle’s key virtualization layer integrates with HSMs, cloud key managers, and secrets managers to easily source customer-owned keys.  This key integration can be integrated into cloud native services with no redesigns or application code changes.

With Baffle Data Protection Services, you can avoid being forced into trade-offs around product development and features versus building out core platform security capabilities.  You can simplify your security implementation at a lower operational, and perhaps more importantly, opportunity cost.

And finally, in the words of one of our customers, "after we looked at the performance numbers, it was game over."  In other words, our solution has been highly optimized and has been measured with no discernible overhead in a global deployment with hundreds of microservices.

SaaS BYOK icon
A Technical Overview of Baffle Hold Your Own Key (HYOK) and Record Level Encryption (RLE)

This paper provides a technical overview of Baffle’s HYOK implementation and how it can be applied to provide RLE in multitenant or shared data stores.

Interested in a headless deployment — pull our Docker image to get up and running in minutes.  Contact [email protected] for more info.

Useful Links

workiva logo

“Customers are demanding support for Bring Your Own Key (BYOK) to enable ownership of their encryption key material and have control over their data with revocation rights. Workiva is building AWS KMS key management into the core of our platform, where customers can bring in encryption key material and manage it, and then use those keys in conjunction with Baffle. The joint solution requires no large-scale architectural overhauls or application changes, or dedicated databases per tenant. As a result, development time is instead being spent adding even higher value add enhancements instead of modifying the architecture and application, and Baffle allows us to execute on that vision.”

Security Architect, Workiva

Our Solution

Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.

Icon Cubes


No application code modification required

Icon Stopwatch


Deploy in hours
not weeks

Icon Bolt


No impact to user

Icon Command


Bring your own key

Icon Padlock


AES cryptographic

Schedule a live demo with one of our solutions experts to get answers to your questions