Data Encryption
Guara Cloud encrypts your data both in transit and at rest, ensuring that your information is protected at every layer of the platform.
Encryption in transit
All connections to Guara Cloud use HTTPS with TLS encryption. This applies to:
- Dashboard access — every page and API call from your browser is encrypted.
- API requests — all interactions with the Guara Cloud API use HTTPS.
- Service traffic — all traffic to your deployed services is served over HTTPS.
- Internal communication — data moving within the platform is encrypted.
There is no option to use unencrypted HTTP. All connections are secured by default.
TLS certificates
Guara Cloud handles TLS certificates automatically:
- Default subdomains — every service deployed to
*.guaracloud.comincludes a TLS certificate by default. No configuration needed. - Custom domains — when you add a custom domain, a TLS certificate is automatically provisioned and renewed. You don’t need to manage certificates manually.
Certificate renewal happens before expiration, so your services are never exposed with an expired certificate.
Secrets and environment variables
When you set an environment variable or secret in Guara Cloud, it is encrypted at rest before being stored.
Key protections include:
- Per-project encryption scope — each project has its own encryption scope. Secrets from one project can never be decrypted by another project, even on the same account.
- Masked values in the dashboard — secret values are masked in the UI. You can update a secret, but you cannot view its full value after it has been saved.
- No plaintext storage — secrets are never stored in plaintext anywhere on the platform.
Authentication tokens
Authentication tokens issued by Guara Cloud are:
- Signed — tokens are cryptographically signed to prevent tampering.
- Time-limited — tokens have expiration times and cannot be used indefinitely.
- Scoped — tokens are associated with your account and validated on every request.
Summary
| Layer | Protection |
|---|---|
| Network traffic | HTTPS/TLS on all connections |
| Secrets | Encrypted at rest, per-project scope |
| TLS certificates | Auto-provisioned and auto-renewed |
| Dashboard UI | Secret values masked after saving |
| Auth tokens | Signed, time-limited, scoped to your account |
| Custom domains | Automatic TLS certificate provisioning |