Zero-access encryption (Enterprise)
Zero-access encryption is an Enterprise feature. Your Discord support data is encrypted at rest, wrapped in your key management system (KMS). Thoth operators cannot read ticket content, transcripts, knowledge, or user identifiers in our internal admin tools—even when supporting your account.
Your team keeps working exactly as before in Discord and in your server’s dashboard. Encryption and decryption happen automatically for authorized guild operations. What changes is who can see plaintext outside your organization.
Contact sales
Zero-access encryption is enabled by the Thoth team for Enterprise servers (not self-serve checkout). If you need zero-access encryption, contact us or reach out through your account channel.
What problem this solves
Most SaaS products can read customer data at rest. That is fine for many teams, but regulated or security-sensitive organizations often need a stronger guarantee: the vendor should not be able to browse support conversations in their own backend.
Zero-access encryption is built for that requirement. It does not replace your Discord permissions or dashboard access controls—it adds a layer so Thoth’s platform staff are locked out of content, while your guild team retains normal access.
What you control
| You hold | Purpose |
|---|---|
| KMS key | Wraps and unwraps a per-server data encryption key (DEK). Without your KMS, encrypted blobs cannot be read. |
| LLM API key | Powers AI replies and embeddings for your server. Stored encrypted; used only for your guild’s requests. |
Thoth never needs plaintext access to your KMS or LLM credentials after setup. Credentials you provide are stored encrypted in our database.
What stays protected
When zero-access is enabled for a server, the following categories are encrypted at rest:
Support conversations
- Ticket message content, author names, and attachment URLs
- Ticket metadata (for example subject lines)
- Ticket event messages and actor references
- Transcript previews and archived transcript files in object storage
Knowledge base
- Document titles and body text (uploads, pasted content, synced docs, learned tips)
Feedback and quality signals
- CSAT comments and submitter references
- Tip extraction content and reasoning text
- User feedback messages and display names (for members of your server)
Identity handling
- Discord user IDs are stored as pseudonyms (one-way tokens for queries) with the real ID kept in an encrypted vault. This preserves ticket workflows without storing raw IDs in searchable columns.
What is not encrypted by default
- Vector embeddings used for knowledge search remain plaintext in the database by default. This keeps semantic search fast and accurate. A stricter mode to encrypt embeddings is available at setup time; it trades some search convenience for maximum at-rest protection (see Embeddings below).
Non-sensitive operational fields (timestamps, ticket status, channel IDs, billing counters, etc.) remain unencrypted so the product can function.
What Thoth operators cannot do
For zero-access servers, Thoth’s internal platform admin views show redacted placeholders instead of real content—tickets, messages, knowledge, tips, and feedback appear as [encrypted — zero-access tier] or similar.
Additionally, for these servers we disable:
- Recording AI prompt/response content in error monitoring
- Feedback webhook payloads that would leak message text
- Other telemetry paths that would store customer content outside your encryption boundary
Your guild’s own dashboard and Discord flows continue to decrypt data for authorized team members and the bot at runtime.
How encryption works (plain language)
Each Enterprise server with zero-access enabled gets its own data encryption key (DEK)—a random key used to encrypt fields and files.
- When zero-access is enabled, Thoth generates a DEK.
- The DEK is wrapped (encrypted) using your KMS key. Only the wrapped form is stored in our database.
- When the bot or dashboard needs to read or write protected data, Thoth unwraps the DEK through your KMS (in memory), encrypts or decrypts the specific fields, and discards the key material from the process when done.
Your KMS key
│
▼ wraps / unwraps
Per-server DEK ──► encrypts ticket text, knowledge, transcripts, etc.

If someone copied our database without access to your KMS, they would see ciphertext—not your users’ messages.
Field-level encryption uses industry-standard AES-256-GCM envelopes. Each encrypted value is independently authenticated.
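The flow above, together with the pseudonym approach under Identity handling, as an added sketch in Node.js. It is not Thoth's code: the function names, the envelope byte layout, the in-process KMS stand-in, and the HMAC-based pseudonym scheme are all assumptions made for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv, createHmac } = require("crypto");

// Envelope layout assumed for this sketch: 12-byte IV | 16-byte auth tag | ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12); // fresh IV for every value
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}
function open(key, envelope) {
  const decipher = createDecipheriv("aes-256-gcm", key, envelope.subarray(0, 12));
  decipher.setAuthTag(envelope.subarray(12, 28));
  // final() throws when the key is wrong or any byte was altered.
  return Buffer.concat([decipher.update(envelope.subarray(28)), decipher.final()]);
}

// Hypothetical stand-in for the customer's KMS; the wrapping key stays inside it.
function makeLocalKms() {
  const kek = randomBytes(32);
  return { wrap: (dek) => seal(kek, dek), unwrap: (wrapped) => open(kek, wrapped) };
}

// Enabling: generate a random DEK and keep only its wrapped form.
function enableZeroAccess(kms) {
  const dek = randomBytes(32);
  const wrappedDek = kms.wrap(dek);
  dek.fill(0);
  return { wrappedDek };
}

// Unwrap in memory, run one operation, then zero the key material.
function withDek(kms, server, fn) {
  const dek = kms.unwrap(server.wrappedDek);
  try { return fn(dek); } finally { dek.fill(0); }
}
const encryptField = (kms, server, text) =>
  withDek(kms, server, (dek) => seal(dek, Buffer.from(text, "utf8")));
const decryptField = (kms, server, envelope) =>
  withDek(kms, server, (dek) => open(dek, envelope).toString("utf8"));

// Assumed pseudonym scheme: HMAC-SHA-256 under a sub-key derived from the DEK.
// Deterministic, so equality queries work without storing the raw Discord ID.
const pseudonym = (kms, server, discordId) =>
  withDek(kms, server, (dek) => {
    const indexKey = createHmac("sha256", dek).update("user-id-index").digest();
    return createHmac("sha256", indexKey).update(discordId).digest("hex");
  });
```

Altering any byte of a stored envelope, or unwrapping through a different KMS key, makes `decryptField` throw instead of returning data.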
Supported KMS providers
During setup you choose where the DEK is wrapped:
| Provider | Typical use |
|---|---|
| AWS KMS | Production deployments on AWS; use an IAM role or supply credentials Thoth can use to Encrypt/Decrypt. |
| Google Cloud KMS | GCP-hosted keys and workload identity. |
| Azure Key Vault | Azure environments with Key Vault keys. |
| HashiCorp Vault | Transit engine keys for teams standardizing on Vault. |
| Local (development only) | Wraps DEKs with the platform SECRETS_ENCRYPTION_KEY. For staging and engineering—not for production customer data. |
You provide:
- Key ID / ARN (provider-specific identifier)
- Region (where required, e.g. AWS)
- Optional credentials JSON if Thoth cannot use ambient cloud IAM
The setup wizard includes a Test KMS connection step that performs a wrap/unwrap cycle before anything is enabled.
Bring your own LLM (BYOK)
Enterprise servers with zero-access enabled use your LLM provider credentials for:
- AI replies in tickets and related flows
- Text embeddings for knowledge ingest and search (unless strict embedding encryption is enabled)
Supported providers: OpenAI and xAI. You may supply a custom base URL if you use a proxy or compatible endpoint.
Thoth’s shared platform API keys are not used for zero-access guilds. If your key is revoked or misconfigured, AI features for that server stop until you update credentials.
Setup process
Setup is performed by Thoth platform staff in the Zero-access setup wizard (Admin → Guild billing → Set up encryption for Enterprise servers).
Before you start
- Enterprise plan assigned to the server (contact sales).
- KMS key created with permissions for Thoth to wrap and unwrap small payloads (the DEK).
- LLM API key with sufficient quota for your expected ticket and knowledge volume.
- Maintenance window for the one-time backfill that re-encrypts existing tickets, messages, knowledge, transcripts, and related rows.
Wizard steps
- Overview — Confirms prerequisites and explains the impact on operator access.
- Encryption keys — KMS provider, key ID, region, optional credentials; test connection.
- LLM provider — Provider, API key, optional base URL.
- Review — Confirm settings; optional strict embedding encryption.
- Enable & backfill — Turns on zero-access and encrypts historical data. You receive counts of tickets, messages, documents, and transcripts processed.
If zero-access is already active, the same page allows re-running the backfill after key rotation or recovery operations.
What we need from you
Send the following through your security or platform team’s preferred secure channel:
- KMS provider and key identifier
- Region (if applicable)
- Whether Thoth should use IAM/workload identity or explicit credentials
- LLM provider and API key (or a process to rotate keys through Thoth support)
- Whether you require strict encrypted embeddings
Thoth completes the wizard on your behalf and confirms backfill results.
After enable: what changes for your team
In Discord — No change. Users open tickets; staff reply; Thoth answers from knowledge as usual.
In your server dashboard — No change for authorized team members. Tickets, knowledge, Playground, and transcripts display normally.
In Thoth platform admin — Support staff cannot read your content when helping with billing or infrastructure issues. They can still see non-sensitive metadata (server name, plan, ticket counts, timestamps) to operate the platform.
Embeddings and search
Knowledge search relies on vector embeddings. By default on zero-access Enterprise servers, document text is encrypted but embeddings are stored in plaintext so pgvector similarity search continues to work without loading entire libraries into memory.
Residual semantic exposure
Plaintext embeddings can leak approximate topic information to someone with database access, even if document text is encrypted. For most teams, encrypted content plus operator lockout is the right balance.
At setup you may enable Encrypt knowledge embeddings for maximum at-rest protection. In that mode, search behavior may differ (similarity runs after decrypting vectors in memory). Discuss trade-offs with Thoth before enabling in production.
Key rotation and recovery
- LLM key rotation — Provide a new API key through your Thoth contact; we update the encrypted credential without re-encrypting all content.
- KMS key rotation — Coordinate with Thoth to re-wrap the server DEK with a new KMS key version and re-run backfill if needed.
- Loss of KMS access — If your KMS key is deleted or permissions revoked, Thoth cannot unwrap the DEK. Encrypted data becomes unrecoverable. Treat your KMS key with the same care as a database backup encryption key.
We recommend documenting which KMS key wraps each production server and including it in your disaster-recovery runbooks.
Security review checklist
Use this list when evaluating zero-access Enterprise internally:
- [ ] Per-server DEK wrapped by customer-controlled KMS
- [ ] Ticket, knowledge, transcript, and PII-class fields encrypted at rest
- [ ] Discord IDs tokenized; raw IDs not stored in plaintext query columns
- [ ] Thoth operator admin cannot decrypt guild content
- [ ] AI and feedback telemetry disabled for content exfiltration paths
- [ ] Customer-supplied LLM credentials; platform keys not used
- [ ] One-time backfill encrypts historical data and R2 transcript objects
- [ ] Embeddings strategy documented (default vs strict mode)
Frequently asked questions
Is zero-access the same as end-to-end encryption in Discord?
No. Discord messages in ticket channels are visible to your staff and the bot under normal Discord permissions. Zero-access protects data at rest in Thoth’s systems and blocks Thoth operator access—not encryption of Discord’s own transport or your staff’s view.
Can Thoth support debug a ticket content issue?
Not by reading message bodies in admin. Support relies on your team’s description, reproducible steps, and non-content logs (errors, timestamps, configuration). For deep debugging you may temporarily reproduce in a non-zero-access staging server.
Does encryption slow down tickets?
Wrapping and field encryption add small overhead. In practice, ticket flows remain responsive; the backfill is the only operation that may take noticeable time on large histories.
Can we enable zero-access encryption later?
Yes. Assign Enterprise, complete the zero-access setup wizard, and run backfill. Plan the migration window with Thoth so existing data is encrypted before you rely on operator lockout.
Can we disable zero-access encryption?
Contact Thoth. Moving off zero-access requires a deliberate key and data migration plan; do not delete KMS keys while data is still encrypted.
