
Encryption

AES-256 at rest. Per-tenant keys. Yours.

Every chunk encrypted AES-256 at rest. Per-tenant master keys. Zero-knowledge mode available via Nygma cross-product integration. TLS 1.3 in transit. Keys never leave your account, never readable by Genie9 staff.

  • Encryption: AES-256
  • At rest: AES-256-GCM · per chunk
  • In transit: TLS 1.3
  • Keys: Per-tenant · never staff-readable

Zero-knowledge mode available via the Nygma integration.
  • AES-256 at rest: GCM, per chunk
  • TLS 1.3 in transit: certificate-pinned
  • Per-tenant master keys: HSM-protected
  • Zero-knowledge: optional via Nygma

The layers

Encrypted at every step.

At rest, in transit, and — when you need it — end-to-end where even Genie9 can’t read your data. Five layers of key control, plus a sixth promise: the keys are yours.

At rest

AES-256-GCM authenticated encryption per chunk. Per-tenant master key (data encryption key wrapped per tenant). Hardware security module (HSM) protected key material.

In transit

TLS 1.3 to all BigMind cloud endpoints. Certificate pinning in agent.

Zero-knowledge (Nygma cross-product)

For organizations needing absolute zero-knowledge: Nygma Cloud integration encrypts client-side with a key only the customer holds. Genie9 cannot decrypt under any circumstance — including subpoena. Trade-off: zero-knowledge means no AI Lens (we can’t index what we can’t read).

Key rotation

Per-tenant DEK rotated per policy (default annual). Re-encryption is incremental (re-wrap the DEK, not re-encrypt every chunk).
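An added example of the re-wrap rotation described above, not Genie9's code: it assumes the per-tenant DEK is wrapped with AES-256-GCM under a master key and that rotation replaces that wrapping key. All function names, the tenant id and the sample chunks are hypothetical.

```javascript
// Added example: envelope encryption with rotation by re-wrap (hypothetical names).
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// AES-256-GCM seal: returns nonce(12) || tag(16) || ciphertext. aad is authenticated only.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key, the aad, or any byte of the box is wrong.
function open(key, box, aad) {
  const d = createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Rotation by re-wrap: unwrap the DEK with the old master key, wrap it with the new one.
// Binding the tenant id as AAD stops a wrapped DEK being replayed under another tenant.
function rewrapDek(oldMaster, newMaster, wrappedDek, tenantId) {
  return seal(newMaster, open(oldMaster, wrappedDek, tenantId), tenantId);
}

function demo() {
  const tenantId = Buffer.from('tenant-0001'); // constructed sample value
  const oldMaster = randomBytes(32), newMaster = randomBytes(32);
  const dek = randomBytes(32);
  let wrappedDek = seal(oldMaster, dek, tenantId);
  // Constructed sample chunks, each sealed under the DEK with its index as AAD.
  const chunks = ['chunk zero', 'chunk one'].map((s, i) =>
    seal(dek, Buffer.from(s), Buffer.from(String(i))));
  const before = chunks.map((c) => c.toString('hex'));

  wrappedDek = rewrapDek(oldMaster, newMaster, wrappedDek, tenantId); // the whole rotation

  const dekAfter = open(newMaster, wrappedDek, tenantId);
  const recovered = chunks.map((c, i) => open(dekAfter, c, Buffer.from(String(i))).toString());
  let oldKeyRejected = false;
  try { open(oldMaster, wrappedDek, tenantId); } catch { oldKeyRejected = true; }
  const chunksUntouched = chunks.every((c, i) => c.toString('hex') === before[i]);
  return { chunksUntouched, recovered, oldKeyRejected };
}

console.log(demo());
```

Re-wrapping changes which key can unwrap the DEK but leaves the DEK itself in place, so a DEK that has been exposed still requires re-encrypting the chunks under a new DEK.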

Key access modes

Standard mode: BigMind manages keys, can decrypt for AI Lens / Cloud Desktop. Zero-knowledge mode (Nygma): customer holds keys; BigMind cannot read data. Hybrid: select-folder zero-knowledge with rest standard.

Yours, end to end

Keys never leave your account and are never readable by Genie9 staff. Every chunk is encrypted AES-256 at rest before it leaves the machine.

Zero-knowledge by choice

The one mode where even we can’t read it.

For organizations needing absolute zero-knowledge, Nygma Cloud integration encrypts client-side with a key only the customer holds. Genie9 cannot decrypt under any circumstance — including subpoena. The trade-off is honest: zero-knowledge means no AI Lens, because we can’t index what we can’t read. Choose per-folder with Hybrid mode, or all-in.

  • Standard: BigMind manages keys, can decrypt for AI Lens / Cloud Desktop
  • Zero-knowledge (Nygma): customer holds keys; BigMind cannot read data
  • Hybrid: select-folder zero-knowledge with the rest standard

Key access modes and audit trail in BigMind Recovery Shield

Encrypted by default. Zero-knowledge by choice.

AES-256 at rest, TLS 1.3 in transit, per-tenant keys — with optional client-side zero-knowledge via Nygma.