Encryption & Data Isolation
Encryption is the primary safeguard for sensitive legal data, converting information into an unreadable form that remains protected even if an unauthorized party gains access. PHX Terminal applies encryption comprehensively and pairs it with strict data isolation so that each client’s information is contained within its own boundary.
Encryption in Transit and at Rest
Section titled “Encryption in Transit and at Rest”Encryption must be applied at every stage of the data lifecycle:
- In transit — all communication is secured (e.g., via HTTPS/TLS) so data moving between the desktop, cloud, and integrated applications cannot be intercepted.
- At rest — data stored on servers, laptops, and mobile devices is encrypted so that physical or storage-level access does not expose readable content.
- Backups — backup data is encrypted to the same standard as the original data, eliminating a common weak point.
Algorithms
Section titled “Algorithms”Strong, industry-standard cryptography is used, including the Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA). AES-256 — the standard relied upon by financial and government institutions — is applied for end-to-end protection of sensitive content.
Key Management and Tokenization
Section titled “Key Management and Tokenization”Strong encryption is only as good as the management of its keys. PHX Terminal’s data protection relies on:
- Key management protocols for secure generation, rotation, storage, and revocation of keys
- Secure tokenization to replace sensitive values with non-sensitive tokens where appropriate
- Secure API gateways that terminate and broker encrypted traffic under policy control
Data Isolation
Section titled “Data Isolation”Encryption is reinforced by isolation so that tenants and clients never share a readable data plane.
- Per-client isolation — each client’s data is housed in its own isolated environment (e.g., a virtual private cloud), preventing cross-contamination between firms or matters.
- Compartmentalization — sensitive datasets are separated by purpose and access need, supporting attorney-client privilege.
- Sandbox isolation — third-party code runs in strictly contained environments, detailed in Sandbox Security.
flowchart TB
DATA["Legal data"]
subgraph ENC["Encryption — every lifecycle stage"]
E1["In transit<br/>HTTPS / TLS"]
E2["At rest<br/>AES-256 · RSA"]
E3["Backups<br/>same standard"]
end
subgraph KEY["Key management"]
K1["Generation"] --> K2["Rotation"] --> K3["Storage"] --> K4["Revocation"]
end
subgraph ISO["Data isolation"]
I1["Per-client VPC isolation"]
I2["Compartmentalization by purpose"]
I3["Sandbox isolation for third-party code"]
end
DATA --> ENC
ENC --> KEY
KEY --> ISO
ISO --> RESULT["Intercepted data is useless<br/>+ blast radius limited to one tenant"]
Encryption at every lifecycle stage, disciplined key management, and per-tenant isolation combine so that intercepted data is useless and any single compromise stays contained.
Summary
Section titled “Summary”| Control | Purpose |
|---|---|
| TLS/HTTPS in transit | Protect data moving between systems |
| AES-256 / RSA at rest | Protect stored data and backups |
| Key management | Secure lifecycle of cryptographic keys |
| Tokenization | Reduce exposure of raw sensitive values |
| Secure API gateways | Policy-controlled encrypted entry points |
| Per-client / VPC isolation | Prevent cross-tenant data access |