Data Protection
What this covers
Skapp stores personal data about real people — employees, their attendance, their leave. The GDPR (General Data Protection Regulation) sets the legal floor for how that data must be handled, and one of its core demands is that data stay protected against unauthorised access and loss. These pages explain what that obligation is and how the system is designed to meet it.
The pages run in order, from the legal rule itself to how the system satisfies it:
- What GDPR is — the regulation, its principles, and why it binds Skapp.
- GDPR for storage — the specific articles and principles that govern how personal data must be stored and kept secure.
- The encryption landscape — the encryption concepts and approaches (at-rest vs in-transit, symmetric vs asymmetric, key management).
- Envelope encryption — the key-management technique the standard relies on: data keys wrapped by a key that never leaves KMS.
- Implementing envelope encryption — the general ways to put it into practice, their trade-offs, and how each aligns with GDPR.
- Envelope encryption in Skapp — the design we're implementing, and the reasoning behind each technical decision.
Who this is for
Anyone who needs to understand why Skapp protects data the way it does — reviewers, new engineers touching personal data, and anyone answering a compliance question. If you're building a feature and need the practical rules to follow, start with the engineering how-to Handling personal data, which links back here for the reasoning.