Security

Cyphera takes cryptographic correctness and data protection seriously.

Cryptographic Approach

Cyphera implements format-preserving encryption using well-established, peer-reviewed algorithms. Our core engines include NIST-standardized FF1 and FF3-1 modes of operation for format-preserving encryption. We do not invent custom cryptographic primitives — we build on proven standards.

All FPE implementations are tested against official NIST test vectors to ensure correctness. This means our encrypt/decrypt outputs match the expected results defined by the National Institute of Standards and Technology.

Auditable Components

Selected Cyphera components are released as open source under the Apache 2.0 license, including the FPE SDKs and reference implementations. You can inspect, audit, and verify those implementations yourself — security through transparency is stronger than security through obscurity.

Cyphera uses a mixed release model: other Cyphera work, including memory-safe systems research, packaged deployment artifacts, and hosted services, may be released under different licenses or as packaged binaries, depending on maturity and deployment goals.

Public source code is available at github.com/cyphera-labs.

No Data Collection in the SDK

The Cyphera SDK contains zero telemetry, zero analytics, and zero network calls. Encryption and decryption happen entirely on your infrastructure. Your encryption keys never leave your environment. There is no phone-home behavior of any kind.

Key Management

Cyphera supports flexible key management to meet your security requirements:

In production, we strongly recommend using an HSM-backed key store. Cyphera's configuration-based architecture makes it straightforward to swap key sources without changing application code.

Responsible Disclosure

If you discover a security vulnerability in Cyphera, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.

Email security reports to: security@horizondigital.dev

We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation plan within 7 days for critical issues. We appreciate the efforts of security researchers and will credit reporters (with permission) in our release notes.

Licensing

Selected Cyphera components — including the FPE SDKs, KMIP server, and PKI server reference implementations — are released under the Apache License 2.0, which provides an express grant of patent rights from contributors to users. Other Cyphera work may be released under different terms; see the cyphera-labs organization for per-repo license details.

Contact

General questions: hello@horizondigital.dev

Security issues: security@horizondigital.dev

Horizon Digital Engineering LLC