BYOK

Bring Your Own Key

Bring Your Own Key: wrap our DEK with a key in your KMS

Bring Your Own Key (BYOK) lets a merchant supply the Key Encryption Key (KEK) that wraps the provider’s Data Encryption Keys (DEKs). The provider stores encrypted data and wrapped DEKs but cannot decrypt tenant payloads without the merchant’s KMS granting unwrap at runtime.

BYOK addresses enterprise procurement requirements: key custody, crypto-shredding on contract exit, and alignment with internal key ceremonies. It is not a substitute for choosing a trustworthy operator (insider risk and application vulnerabilities remain), but it shifts data-at-rest control.

Implementations differ. Some vendors offer HYOK (hold your own key) with stricter custody models; others offer cosmetic BYOK where the operational keys still live entirely on the provider's HSMs. Review the responsibility matrix and test key revocation behavior (does a revoked unwrap grant actually stop decryption, and how quickly?) before production.

Veliro BYOK wraps per-tenant DEKs with customer KMS keys. Exiting Veliro involves revoking unwrap policy, rendering ciphertext at rest unusable, while you migrate tokens and forwarding rules on your schedule. BYOK pairs with TRID-owned tokens so custody and portability align.
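The envelope pattern described above, as an added example that is not Veliro's code and uses no real KMS API: a hypothetical `CustomerKMS` holds the KEK and exposes only `Wrap` and `Unwrap`, with `Unwrap` gated by a policy flag; the provider side (`Encrypt`, `Decrypt`, `Record`) stores ciphertext plus the wrapped DEK and never persists a plaintext DEK. AES-GCM stands in for whatever wrap algorithm a real KMS uses, the tenant id is bound as AAD so a wrapped DEK cannot be presented for another tenant, and one DEK is minted per record rather than per tenant; neither choice changes the property being shown, which is that revoking the unwrap grant leaves the provider holding data it can no longer read. All names, the sample payload and the tenant id are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var ErrUnwrapDenied = errors.New("kms: unwrap denied by key policy")

// randomBytes draws n bytes from the CSPRNG; a failing crypto/rand is unrecoverable here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prepending a fresh nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, tampered ciphertext or mismatched aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// CustomerKMS is a hypothetical stand-in for the merchant's KMS: the KEK never leaves it.
type CustomerKMS struct {
	kek         []byte
	unwrapGrant bool // the key policy: may the provider's principal unwrap right now?
}

func NewCustomerKMS() *CustomerKMS { return &CustomerKMS{kek: randomBytes(32), unwrapGrant: true} }

// Wrap encrypts a DEK under the KEK; the tenant id is bound as AAD (AES-GCM stands in for the real wrap algorithm).
func (k *CustomerKMS) Wrap(tenant string, dek []byte) ([]byte, error) {
	return seal(k.kek, dek, []byte(tenant))
}

// Unwrap returns the DEK only while the policy still grants it.
func (k *CustomerKMS) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	if !k.unwrapGrant {
		return nil, ErrUnwrapDenied
	}
	return open(k.kek, wrapped, []byte(tenant))
}

// RevokeUnwrap models the merchant removing unwrap from the key policy at contract exit.
func (k *CustomerKMS) RevokeUnwrap() { k.unwrapGrant = false }

// Record is all the provider persists: ciphertext plus the wrapped DEK, never the plaintext DEK.
type Record struct {
	Tenant                 string
	WrappedDEK, Ciphertext []byte
}

// Encrypt mints a DEK, seals the payload, wraps the DEK through the merchant's KMS and keeps no copy.
func Encrypt(kms *CustomerKMS, tenant string, payload []byte) (*Record, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, payload, []byte(tenant))
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(tenant, dek)
	if err != nil {
		return nil, err
	}
	return &Record{Tenant: tenant, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt must fetch the DEK from the KMS at request time; after revocation the record is unreadable.
func Decrypt(kms *CustomerKMS, r *Record) ([]byte, error) {
	dek, err := kms.Unwrap(r.Tenant, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.Tenant))
}
```

Calling `Encrypt`, then `Decrypt`, then `kms.RevokeUnwrap()` and `Decrypt` again reproduces the exit scenario: the second `Decrypt` returns `ErrUnwrapDenied` while the provider still holds both the ciphertext and the wrapped DEK. When testing a real vendor's revocation behavior, the two things this toy cannot show are the ones to check: whether the provider caches unwrapped DEKs in memory (a cached DEK keeps decrypting until it is evicted, so ask for the cache lifetime), and whether every unwrap appears in your KMS audit log, since that log is your evidence that the provider really depends on your key at runtime.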

Contract exit clauses should distinguish crypto-shredding (keys you control) from token migration (scheme relationships you own); both matter, but they are different runbooks.
