Post: Why HR Teams Should Control Their Own Encryption Keys — Not Their Vendors

Published On: December 25, 2025

Position: HR organizations that delegate encryption key custody entirely to their SaaS vendors have made an accountability trade-off they often do not recognize. When you hand over key custody, you hand over the ability to guarantee your employees’ most sensitive data is protected — even from the vendor itself. The technical and compliance case for self-managed key custody is stronger than most HR leaders realize.

The Uncomfortable Truth About Vendor-Managed Encryption

Most HR SaaS platforms advertise “AES-256 encryption” as if it were a security guarantee. What they do not prominently disclose: if they hold the encryption keys, they can decrypt your data, and their application does exactly that on every read. Encryption at rest under vendor-held keys protects against a stolen disk or a leaked backup; it does nothing to protect the data from the vendor itself. Their employees can access it for support. Their systems expose it if breached. Their subprocessors may inherit access to it through service agreements you never saw.

This is not a hypothetical concern. In 2023 and 2024, multiple HR SaaS platforms experienced incidents in which vendor-side access to customer data was either exploited or inadvertently exposed. In those cases the customer organizations had no technical recourse: they did not control the keys, so they could neither revoke access nor verify what had been read. Our OpsMap™ security audits flag vendor key custody as a critical governance gap in 70% of the HR environments we assess.

The Self-Custody Case: 4 Arguments

Argument 1: You Cannot Audit What You Do Not Control

GDPR Article 5(2) requires you to demonstrate accountability for how personal data is protected. If your vendor holds the keys, you cannot independently verify who in their organization has decrypted your data, when, or why; you are trusting their word and their audit reports. With customer-managed keys the picture changes: every decrypt the vendor performs is a call to your KMS, and that call lands in an audit log you own (CloudTrail for AWS KMS, Cloud Audit Logs for Google Cloud KMS) and can alert on. The caveat is that the log attributes calls to the vendor’s service identity, not to the individual vendor employee behind a support session, so it tells you when and how often your data was unlocked, not which person looked at it. Self-custody narrows the blind spot to something you can measure and, if necessary, shut off; it does not remove the need for the vendor’s own access logging.

Argument 2: Vendor Breaches Should Not Be Your Data Breaches

With self-managed keys, a breach of your HR SaaS vendor’s storage, backups or snapshots exposes ciphertext and wrapped data keys; your employees’ actual records remain protected because the attacker does not have your key. You still have an incident to manage, but the notification picture changes. Under GDPR Article 34(3)(a) you need not inform affected employees if the data was rendered unintelligible to the attacker, for example by encryption whose key was not compromised, and that same fact usually supports the “unlikely to result in a risk” assessment that decides whether Article 33 notification to the supervisory authority is required. Under HIPAA, PHI encrypted in line with HHS guidance whose keys were not compromised is not “unsecured PHI”, so the Breach Notification Rule does not apply. That distinction is worth millions in potential fines and reputational damage. Two caveats keep it honest: the protection covers data taken at rest, not an attacker who compromises the vendor’s running application and reads what that application itself decrypts with your key; and it only holds if you can show the key was never exposed, which is exactly what your own KMS audit log is for.

Argument 3: Offboarding a Vendor Requires True Data Deletion

When you stop using an HR SaaS platform, can you guarantee your employee data was truly deleted? With vendor-managed keys, you rely on their deletion processes and attestations. With self-managed keys, you disable the key in your KMS (or schedule it for destruction), and every record the vendor encrypted under it becomes permanently indecipherable. That is cryptographic deletion, sometimes called crypto-shredding, and it is the strongest form available. Check its scope before you rely on it: it covers only data that was actually encrypted under your key, so confirm with the vendor that search indexes, caches, exports, analytics copies and backups are either encrypted the same way or covered by contractual deletion; and remember that a data key the vendor’s application has already unwrapped stays usable in that process’s memory until it is restarted or evicted, so revocation takes effect for new reads, not for plaintext the vendor is holding at that instant.
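The mechanics behind Arguments 1 to 3, as an added example that is not code from the original post or from any HR vendor: a simulated customer-owned KMS that holds the key-encryption key (KEK), a vendor side that envelope-encrypts each record under its own data key (DEK) and wraps that DEK under the customer’s KEK, and the three facts the argument relies on, namely that a dump of the vendor’s storage carries no usable key, that disabling the KEK makes the stored record unreadable, and that the customer’s own log records every wrap and unwrap, including refused ones. It also shows the caveat from Argument 3: a DEK the vendor’s running application already holds keeps decrypting after revocation until that process drops it. The toy KMS, the principal name vendor-hr-app and the sample record are assumptions made for this example; real CMEK uses AWS KMS or Google Cloud KMS and their audit logs in place of the stand-in here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrKeyDisabled = errors.New("kms: key disabled by customer")

// KMS stands in for a customer-controlled key service (a toy for this example, not a cloud API).
// It holds the AES-256 key-encryption key (KEK) and never releases it; callers get Wrap/Unwrap only.
// Audit is the customer-owned log: one line per call with the caller principal and the outcome.
type KMS struct {
	kek      []byte
	disabled bool
	Audit    []string
}

func NewKMS() *KMS { return &KMS{kek: randBytes(32)} }

// Disable is the customer's revocation lever: from here on every Unwrap is refused.
func (k *KMS) Disable() { k.disabled = true }

func (k *KMS) Wrap(caller string, dek []byte) ([]byte, error)      { return k.call(caller, "Wrap", dek, seal) }
func (k *KMS) Unwrap(caller string, wrapped []byte) ([]byte, error) { return k.call(caller, "Unwrap", wrapped, open) }

func (k *KMS) call(caller, op string, in []byte, fn func(key, in []byte) ([]byte, error)) ([]byte, error) {
	k.Audit = append(k.Audit, fmt.Sprintf("%s %s allowed=%t", caller, op, !k.disabled)) // refusals logged too
	if k.disabled {
		return nil, ErrKeyDisabled
	}
	return fn(k.kek, in)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read cannot return an error as of Go 1.24 (it aborts instead)
	return b
}

// gcmFor, seal and open: AES-256-GCM with the random 12-byte nonce prepended to the ciphertext.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoredRecord is what sits in the vendor's database and backups: wrapped DEK plus ciphertext.
// An attacker who dumps it holds no usable key material.
type StoredRecord struct{ WrappedDEK, Ciphertext []byte }

const vendorPrincipal = "vendor-hr-app" // assumed name; the only identity the customer's log can attribute calls to

// VendorPut is the SaaS write path: a fresh DEK per record, wrapped under the customer's KEK.
// The plaintext DEK is returned as well because a running application keeps it in memory.
func VendorPut(kms *KMS, plaintext []byte) (rec StoredRecord, dek []byte, err error) {
	dek = randBytes(32)
	if rec.WrappedDEK, err = kms.Wrap(vendorPrincipal, dek); err != nil {
		return StoredRecord{}, nil, err
	}
	rec.Ciphertext, err = seal(dek, plaintext)
	return rec, dek, err
}

// VendorGetCold is the read path after a restart: the DEK must first be unwrapped by the
// customer's KMS. That Unwrap call is the only event the customer's audit log ever sees.
func VendorGetCold(kms *KMS, rec StoredRecord) ([]byte, error) {
	dek, err := kms.Unwrap(vendorPrincipal, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

func main() {
	kms := NewKMS()
	rec, cached, _ := VendorPut(kms, []byte("emp 1042 SSN 000-00-0000 salary 91000")) // constructed sample
	kms.Disable()
	_, warm := open(cached, rec.Ciphertext) // nil: revocation has not reached the running app
	_, cold := VendorGetCold(kms, rec)      // ErrKeyDisabled: the record is now cryptographically deleted
	fmt.Println("warm cache:", warm, "| cold cache:", cold)
	fmt.Printf("customer audit log: %q\n", kms.Audit)
}
```

Run it with go run and read the two results together: the cold read fails with the KMS error, which is the cryptographic deletion the post describes, while the warm read still succeeds, because the DEK was already in the vendor process. The audit slice printed last is the customer’s view: the Wrap at write time, then the refused Unwrap, each attributed to vendor-hr-app and nothing more specific, which is why the log answers “was my data unlocked, and when” but not “by which vendor employee”.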

Argument 4: The Compliance Landscape Is Moving Toward Key Ownership

EU AI Act Article 9 requires a risk management system for high-risk AI systems. GDPR Article 25 requires data protection by design and by default. HIPAA’s technical safeguards continue to be interpreted more strictly for cloud environments. The regulatory trend is toward demonstrable data control, and key custody is the most defensible form of that control.

The Practical Path to Self-Managed Keys

Not every HR system supports customer-managed encryption keys (CMEK). Start by auditing which of your HR SaaS platforms offer CMEK as an option; it is usually available on enterprise tiers. For platforms that do offer it, check what the key actually covers (every datastore and backup, or only selected fields), that the vendor’s KMS access runs under a distinct principal you can revoke without touching your own workloads, and that a disabled key causes their reads to fail rather than fall back to a vendor-held key. For platforms that do not offer CMEK, compensate with strong contractual controls: explicit data deletion warranties, prohibition on using your data for model training, and annual audit report requirements. Our OpsBuild™ security framework prioritizes CMEK implementation for systems holding compensation, health, and identity data first.

Key Takeaways
  • Vendor-managed encryption keys mean the vendor can access your HR data — this is a governance and compliance exposure, not just a theoretical risk
  • Self-managed keys (CMEK) turn a breach of the vendor’s stored data into an encrypted data exposure rather than a data breach, a meaningful legal and practical distinction, provided your own key was never compromised
  • Cryptographic deletion via key revocation is stronger than contractual deletion warranties
  • GDPR accountability requirements are harder to satisfy when you cannot audit your own data access logs
  • The first step is auditing which HR SaaS platforms in your stack offer CMEK — many do, but it requires an enterprise tier or explicit request

Frequently Asked Questions

What is key custody in HR data security?

Key custody refers to who holds and controls the encryption keys that protect HR data. Vendor-managed custody means your SaaS provider holds the keys. Self-managed custody means your organization controls the keys and the vendor cannot decrypt your data without your authorization.

Why does key custody matter for GDPR compliance?

Under GDPR, you are the data controller and bear ultimate responsibility for protecting employee personal data. If your vendor holds your encryption keys and is breached, your data is exposed even though you did not cause the breach. Self-custody means a vendor breach does not automatically mean a data breach for your employees.

What are the practical challenges of self-managed encryption keys for HR?

Key management requires a key management service (KMS), rotation procedures, access controls on the KMS itself (including the grant that lets the vendor’s service identity call it), backup and recovery procedures for the keys, and trained staff. These are manageable for most mid-size organizations using a cloud KMS such as AWS KMS or Google Cloud KMS. One thing to understand before you start: rotating a key-encryption key in a cloud KMS creates a new key version for new wraps but keeps older versions available to unwrap existing data, so rotation limits future exposure; it is disabling or destroying the key that actually revokes access.

Expert Take — Jeff Arnold, 4Spot Consulting: I make this argument because I have seen HR leaders discover after an incident that their vendor’s breach became their employees’ privacy violation. The conversation with affected employees about why their SSNs and compensation data were exposed because of a vendor they never heard of is one of the most avoidable conversations in HR. Key custody is not an abstract security topic — it is a concrete protection for the people whose data you are trusted to guard.

For the complete HR data governance framework, see our pillar resource: Make.com Webhook Security: Fortifying HR Data Against Breaches.
