Data and Credential Encryption
Fivetran protects your data during the extract, processing, and load phases of the data sync. We use available encryption methods to ensure data, keys, and credentials are securely transmitted and stored.
Data encryption
The following diagram shows how Fivetran encrypts data during the extract phase of the sync:
The connector sync job generates a data key.
During the extract phase of the sync, Fivetran encrypts data fetched from the source using the data key.
The connector sync job sends the data key to the Fivetran Secure Credentials Service.
(Optional) The Fivetran Secure Credentials Service sends the data key to one of the following supported external KMSs:
- AWS Key Management Service
- Azure Key Vault
- GCP Key Management
In the KMS, the data key is encrypted with the customer-managed key (CMK) and sent back to the Fivetran Secure Credentials Service.
NOTE: You must have a Business Critical plan to use customer-managed keys.
The Fivetran Secure Credentials Service encrypts the data key (which is already encrypted, if the CMK is enabled) with Fivetran KMS on Google Cloud Platform (GCP).
Fivetran KMS sends the encrypted key to the connector sync job.
The connector sync job loads both the encrypted data and encrypted key (or double-encrypted key, if the CMK is enabled) to a storage bucket.
NOTE: The key and data decryption process during the load phase of the sync runs in reverse order compared to the encryption process during the extract phase.
Credential encryption
The following diagram shows how Fivetran encrypts credentials:
When you create a new connector, you provide the credentials in the setup form in your Fivetran dashboard or as payload parameters in the REST API request.
Fivetran sends the credentials to the Fivetran Secure Credentials Service.
(Optional) The credentials are encrypted by one of the following supported external KMSs:
- AWS Key Management Service
- Azure Key Vault
- GCP Key Management
NOTE: You must have a Business Critical plan to use customer-managed keys.
The Fivetran Secure Credentials Service encrypts the credentials (which are already encrypted, if the CMK is enabled) with Fivetran KMS on Google Cloud Platform (GCP).
The Fivetran Secure Credentials Service sends the credentials to the Fivetran production database for storage.
During every sync, the connector sync job requests the credentials from the Fivetran Secure Credentials Service.
The Fivetran Secure Credentials Service requests and receives the encrypted credentials from the Fivetran production database.
The Fivetran Secure Credentials Service decrypts the credentials and sends them to the connector sync job.
See the Exception section of our Security documentation to learn how Fivetran retains and stores customer credentials.
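
The layering described in the Data encryption and Credential encryption sections above can be modelled locally. This is an added illustration, not Fivetran's code: local AES-256-GCM keys stand in for the CMK and the Fivetran KMS key (an assumption, since the page does not name the ciphers), and all method names and sample values are hypothetical.

```ruby
require "openssl"

# Local AES-256-GCM keys stand in for keys held inside a KMS (assumption).
def seal(key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key
  nonce = c.random_iv
  c.auth_data = ""
  ciphertext = c.update(plaintext) + c.final
  nonce + c.auth_tag + ciphertext # 12-byte nonce | 16-byte tag | ciphertext
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or an altered blob.
def unseal(key, blob)
  raise ArgumentError, "blob too short" if blob.bytesize <= 28
  d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = ""
  d.update(blob.byteslice(28..-1)) + d.final
end

# Encrypt: optional CMK layer (external KMS) first, platform KMS layer second.
def wrap_secret(secret, platform_key, cmk = nil)
  inner = cmk ? seal(cmk, secret) : secret
  seal(platform_key, inner)
end

# Decrypt: the layers come off in reverse order.
def unwrap_secret(wrapped, platform_key, cmk = nil)
  inner = unseal(platform_key, wrapped)
  cmk ? unseal(cmk, inner) : inner
end

# One sync: returns what lands in the bucket and the rows recovered at load.
def sync_round_trip(rows, platform_key, cmk = nil)
  data_key = OpenSSL::Random.random_bytes(32) # generated by the sync job
  bucket = { data: seal(data_key, rows), key: wrap_secret(data_key, platform_key, cmk) }
  [bucket, unseal(unwrap_secret(bucket[:key], platform_key, cmk), bucket[:data])]
end

if __FILE__ == $PROGRAM_NAME
  platform_key, cmk = Array.new(2) { OpenSSL::Random.random_bytes(32) }
  bucket, rows = sync_round_trip("id=1,name=constructed".b, platform_key, cmk)
  puts "wrapped data key: #{bucket[:key].bytesize} bytes, rows at load: #{rows}"
  stored = wrap_secret("constructed-password".b, platform_key, cmk) # credential path
  puts "credential at sync: #{unwrap_secret(stored, platform_key, cmk)}"
end
```

In this model, removing only the platform layer from a double-encrypted key yields a blob that is still encrypted under the CMK, so both keys are needed to recover the data key.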