Tell your customers “we cannot read your data” and mean it.
InvisiCloud puts your customers' data out of your own reach, without rearchitecting the product. Your customer, or a partner, holds the key. You point your existing S3 client at a new endpoint.
Security questionnaire
“Can your staff access our uploaded files? Where are the encryption keys?”
We are cryptographically unable to read your data. The key stays with you, and our infrastructure only handles encrypted payloads.
The stuck deal
A real deal is stalled in security review
When you sell into health, legal, HR, fintech, govtech, or supply-chain buyers, the security review decides the deal. The questions that stall it look like this:
“Can your staff access our data?”
“Where are the encryption keys held?”
“How do you handle Schrems II and international transfers?”
Rearchitecting for client-side encryption isn't an option, and today's alternatives don't answer the question:
Client-side encryption
Breaks sharing, presigned links, and other features, and forces you to rearchitect the application.
BYOK / SSE-KMS
Improves key control, but the cloud provider still encrypts the data and can reach the keys, so the provider and vendor stay inside the trust boundary.
Confidential computing
A hardware and attestation project, not a storage answer, and not something you can ship this quarter.
Why InvisiCloud
Built to win deals, not just prevent breaches
Companies buy InvisiCloud to win competitive RFPs and pass security reviews, not mainly for breach protection.
Win the deal
“We are cryptographically unable to read your data” becomes a truthful answer in RFPs and security questionnaires, and it unblocks stalled enterprise and public-sector deals.
No rearchitecting
Works with the standard S3 SDKs (AWS SDK, boto3) and your existing application code. Integration is a DNS change plus one stateless container. No client-side key management.
Sovereignty, built in
Supports GDPR data-protection-by-design and supplementary measures for international transfers. Keep your hyperscaler, but take it, and yourself, out of the plaintext trust boundary.
How it works
Zero-trust storage, split across two independent parties
No single infrastructure operator can decrypt customer objects on its own, whether that's the Gateway, the Key Server, or the storage backend.
Built on the patented TLSHare protocol and Secure Multi-Party Computation. The Key Server holds the keys but never sees payloads. The Gateway processes encrypted payloads but never holds keys. Neither one alone can reconstruct plaintext, so your data stays protected unless both are compromised at once.
Main use case
Confidential customer-document storage for B2B SaaS
Store the files your customers upload, with you and every infrastructure provider locked out of the plaintext. The product keeps behaving exactly as it does today.
User-uploaded documents
Contracts, patient records, HR files, case files. Stored through your existing S3 code path, with you and every infrastructure provider locked out of the plaintext.
Sharing keeps working
Identity-based sharing and presigned links keep working. No second-channel key distribution, no client-side key management.
Revocation keeps working
Revoke access the way you do today. No long-term keys live on client devices.
Multi-backend redundancy
Connect one or two storage backends of your choice. Provider independence and redundancy come built in.
Where this is going: the same two-party model extends toward confidential analytics (Apache Iceberg, PyIceberg) and confidential compute. These are on the roadmap, not available today.
The CISO questions
What a security team will ask
What we're honest about
InvisiCloud is early access, and it's technical infrastructure, not a replacement for legal assessment, IAM, or organizational controls. Straight answers on the edges:
- Metadata stays visible: object names, sizes, access timing, IPs.
- Authorized users or compromised credentials can still exfiltrate data they are allowed to access.
- The Key Server is security-critical for availability and access control, even though its compromise alone does not expose plaintext.
- No external cryptographic audit or academic review yet, and performance testing is ongoing.
Scope your first deployment against a stuck deal
Get early access and we'll scope your first deployment: one bucket, one document workload, against a real deal in security review. We're onboarding early-access deployments now.