This ensures secure, forward-secret, authenticated communication. Any data exchanged between clients, servers, and internal services is protected against eavesdropping and tampering.


🔒 Encryption at Rest

Zykrr uses Microsoft Azure’s managed encryption capabilities, which apply AES 256-bit encryption by default for all data stored on disk.

  • Encryption at rest is always enabled and cannot be disabled
  • Both operating system (OS) and data disks attached to virtual machines are encrypted
  • Customer data stored in databases, files, and backups is encrypted persistently

Azure documentation confirms that encryption at rest with AES-256 is enforced across all services. No manual encryption management is needed by the Zykrr team.


🔒 Database & Connection Security

  • No public internet access is allowed to the database.
  • All database access is restricted to Zykrr’s cloud private virtual network (VNet).
  • Applications access the database only via Private Endpoint.

What is a Private Endpoint?

A Private Endpoint is a secure network interface that connects services privately using a private IP address from the VNet. This setup:

  • Prevents exposure to the public internet
  • Keeps all traffic inside the cloud provider’s backbone network
  • Eliminates the risk of external attacks on open database ports

Zykrr’s entire data flow remains internal to the cloud, isolated from any unauthorized or external reach.


🔒 Backup Encryption

All backups—including snapshot, incremental, and point-in-time recovery backups—are encrypted using AES 256-bit encryption.

This applies to:

  • SQL database backups
  • File and blob storage backups
  • VM and disk snapshots

No backup data is ever stored in plaintext.


🔒 Threat Protection & Anomaly Detection

Zykrr has Microsoft Defender for SQL enabled on all databases. This service provides real-time threat detection and alerts for suspicious or anomalous behavior, including:

  • Anomalous login or query patterns
    • e.g., repeated failed sign-in attempts, unusual access times
  • Suspicious user behavior
    • e.g., access from a breached device or IP linked to known malicious infrastructure
  • Brute-force attacks
    • e.g., credential stuffing or password-guessing attempts on valid user accounts

When such behavior is detected, automated alerts are triggered for immediate security review and investigation.


Summary of Encryption Practices

| Area | Standard Used |
|---|---|
| Data in Transit | TLS 1.2 with AES256 cipher |
| Data at Rest | AES 256-bit |
| Backups | AES 256-bit |
| Network Access to DB | Private Endpoint via VNet only |
| Threat Detection | Microsoft Defender for SQL |

For detailed encryption configurations, cloud infrastructure setup, or audit documentation, please contact support@zykrr.com.