Zekt Shield

Payloads are encrypted client-side before being sent to Zekt. The broker routes an opaque blob. Only the consumer — with the correct key — can decrypt.

• Encryption happens in the provider's workflow, not in Zekt
• Zekt stores only ciphertext, never plaintext
• Key material never transits through Zekt infrastructure

No key escrow. You generate, store, and rotate encryption keys. Zekt never holds them.

• Store keys in your own HSM, Azure Key Vault, AWS KMS, or GitHub Secrets
• Rotate keys on your schedule — no Zekt involvement required
• Revoke access by retiring keys: Zekt-held ciphertext becomes permanently unreadable

ZKE is applied at the provider before dispatch and decrypted only at the consumer on receipt. TLS is an additional layer on top.

• Transport TLS (HTTPS) for in-flight protection
• ZKE for at-rest protection in Zekt storage
• Two independent security layers — neither alone is sufficient

ZKE satisfies requirements where the event broker must not have access to message content — a common mandate in regulated sectors.

Great when having to solve collaboration but staying compliant with GDPR, HIPAA, SOC 2 & DORA regulatory demands

Delivery metadata remains fully auditable even with ZKE enabled. Only the payload body is opaque to Zekt.

• Correlation ID, timestamp, consumer, delivery status — all visible
• Payload hash stored for integrity verification without decryption
• Audit records can be exported for compliance reporting

Define which payload fields are sensitive at the provider. Redaction Guard ensures those fields are masked or omitted before the event ever reaches Zekt.

• Field-level redaction rules configured in the provider workflow
• Redacted fields are replaced with a placeholder — never stored by Zekt
• Consumers receive only the fields they are authorised to see