A Data Encryption Key (DEK) encrypts application data at rest: vaulted PAN segments, sensitive metadata, or configuration secrets. The standard pattern is envelope encryption: each tenant or record set has its own DEK, and the DEKs are themselves wrapped (encrypted) by a Key Encryption Key (KEK) that lives in an HSM or a cloud KMS, so only the wrapped form of a DEK is ever persisted.
Per-tenant DEKs limit blast radius: compromise of one DEK does not decrypt every merchant’s estate. Rotation policies should re-wrap DEKs periodically and after personnel changes. Because re-wrapping only replaces the KEK layer and leaves the record ciphertext unchanged, it can be done without forcing mass re-tokenization of live credentials.
Merchants with regulatory drivers (financial services, healthcare-adjacent commerce) often ask whether they can supply the wrapping key. That is the Bring Your Own Key (BYOK) pattern: you hold the KEK in your KMS; the provider holds only ciphertext and the wrapped, operational DEKs.
Veliro scopes DEKs per tenant for vault isolation. BYOK customers wrap Veliro-issued DEKs with keys in AWS KMS, GCP KMS, or compatible stores, documented in the security architecture guide. DEK design is what makes “shared infrastructure, isolated data” technically true, not marketing.
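The envelope scheme, per-tenant isolation and KEK rotation described above, as an added example that is not Veliro's code and not taken from its security architecture guide. It is self-contained Go using only the standard library's AES-256-GCM: the KEK is a random in-memory key standing in for a key held in the customer's KMS, tenant IDs such as `merchant-a` and the sample record are constructed, and the function names (`WrapDEK`, `EncryptRecord`, `RotateKEK`) are this example's own. The tenant ID is bound as GCM associated data when wrapping, so a wrapped DEK copied into another tenant's row fails to unwrap, and `RotateKEK` shows that re-wrapping never touches the stored record ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Tenant is all the key material the provider persists for one tenant: its DEK
// wrapped under the tenant's KEK with the tenant ID bound as AAD, so a wrapped
// DEK copied into another tenant's row fails to unwrap.
type Tenant struct {
	ID         string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad = ID)
}

func NewKey() ([]byte, error) { // 32 random bytes (AES-256); used for KEKs and DEKs
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check fails on tampering or a wrong AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// WrapDEK stores a DEK under the tenant's KEK; this is the only persisted form.
func WrapDEK(id string, kek, dek []byte) (Tenant, error) {
	wrapped, err := seal(kek, dek, []byte(id))
	return Tenant{ID: id, WrappedDEK: wrapped}, err
}

// EncryptRecord protects one record at rest under the tenant's DEK.
func EncryptRecord(t Tenant, kek, record []byte) ([]byte, error) {
	dek, err := open(kek, t.WrappedDEK, []byte(t.ID))
	if err != nil {
		return nil, err
	}
	return seal(dek, record, []byte(t.ID))
}

// DecryptRecord is the read path; another tenant's DEK or KEK fails here.
func DecryptRecord(t Tenant, kek, sealed []byte) ([]byte, error) {
	dek, err := open(kek, t.WrappedDEK, []byte(t.ID))
	if err != nil {
		return nil, err
	}
	return open(dek, sealed, []byte(t.ID))
}

// RotateKEK re-wraps the DEK under a new KEK. Stored record ciphertext is
// untouched, which is why rotation does not force mass re-encryption.
func RotateKEK(t Tenant, oldKEK, newKEK []byte) (Tenant, error) {
	dek, err := open(oldKEK, t.WrappedDEK, []byte(t.ID))
	if err != nil {
		return Tenant{}, err
	}
	return WrapDEK(t.ID, newKEK, dek)
}

func main() {
	kek, _ := NewKey() // stands in for the customer-held KEK in a KMS (BYOK)
	dek, _ := NewKey()
	t, _ := WrapDEK("merchant-a", kek, dek)
	ct, _ := EncryptRecord(t, kek, []byte("constructed sample record"))
	kek2, _ := NewKey() // rotation: re-wrap the DEK, leave ct as stored
	t2, _ := RotateKEK(t, kek, kek2)
	pt, err := DecryptRecord(t2, kek2, ct)
	fmt.Printf("after KEK rotation: %q err=%v\n", pt, err)
}
```

In a real deployment the two `open` calls on the KEK would be KMS `Decrypt` requests rather than local AES, which is exactly the property BYOK relies on: the provider can use the KEK through the customer's KMS but never holds it, and revoking the KMS grant makes every wrapped DEK for that tenant unusable.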
Document which systems hold decrypted payloads in memory during authorization forwarding. DEKs protect data at rest; they do nothing for transient application buffers, and a buffer that is written to a log is cleartext regardless of how well the vault is encrypted.