Data residency & encryption
Region pinning (apac/use/euw), AES-256-GCM at rest, TLS 1.3 in transit, BYOK option.
What it is
Residency — every resource is region-pinned. Choose apac, use, or euw at creation. Data does not traverse region boundaries unless you explicitly replicate. Backups land in the same region.
At rest — AES-256-GCM with per-object DEKs wrapped by per-tenant KEKs. KEKs are stored in our managed key service; you can optionally BYOK for object storage.
In transit — TLS 1.3 on every external surface; mTLS on every internal control-plane / worker link.
Backups — immutable, region-local, 35-day point-in-time recovery for the control-plane database. Object storage versions are configurable per bucket.
Deletion — DELETE /v1/... flags resources for deletion; the underlying storage is cryptographically erased within 24 h (KEK destroyed) and physically reclaimed within 30 days.
Quickstart
# Pin a bucket to apac and lock it
asc storage create my-bucket --region apac --residency-lock
# BYOK
asc storage byok set my-bucket --key-ref kms:arn:my-own-keyclient.storage.create_bucket('my-bucket', region='apac', residency_lock=True)
client.storage.byok.set('my-bucket', key_ref='kms:arn:my-own-key')await client.storage.createBucket('my-bucket', { region: 'apac', residencyLock: true });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| PITR window | 35 days | — | Control plane DB |
| Crypto-erase SLA | 24 h | — | From delete request |
| Physical reclamation | 30 days | — |
API surface
POST /v1/storage/{bucket}/byok