Data Encryption & Privacy

Understand how Okinawa encrypts data at rest and in transit, and configure privacy settings.

Security is non-negotiable

At Okinawa, we treat security as a foundational requirement, not an add-on. Every piece of data that flows through our platform — API keys, workflow payloads, integration credentials, and agent outputs — is protected by multiple layers of encryption and access control.

This guide covers how encryption works in Okinawa, what privacy controls are available to you, and how to configure them for your organization's needs.

Encryption at rest

All data stored in Okinawa is encrypted at rest using AES-256 encryption. This includes:

  • Workflow definitions — Your automation logic and configuration
  • Execution logs — Input/output data from every workflow run
  • Integration credentials — API keys and OAuth tokens stored in our vault
  • Agent memory — Historical data agents use for learning
  • User data — Account information, team settings, and preferences

Encryption keys are managed through AWS KMS with automatic key rotation every 90 days. You can also bring your own keys (BYOK) for added control.

Encryption in transit

All communication between your browser, CLI, API clients, and Okinawa servers is encrypted using TLS 1.3. This applies to:

  • Dashboard and web interface traffic
  • API requests and responses
  • Webhook payloads (both incoming and outgoing)
  • CLI commands and responses
  • Agent-to-server communication

We also support mutual TLS (mTLS) for self-hosted cloud agents, ensuring that both the client and server authenticate each other before any data is exchanged.

Credential storage

Integration credentials (API keys, OAuth tokens, etc.) are stored in a dedicated secrets vault with the following protections:

  • Encrypted with per-tenant keys
  • Access-logged with full audit trail
  • Never exposed in workflow logs or API responses
  • Automatically rotated on a configurable schedule
  • Revocable instantly from the dashboard

Data residency

For organizations with data residency requirements, Okinawa supports regional deployments in the following locations:

  • United States — US-East (Virginia) and US-West (Oregon)
  • European Union — EU-West (Frankfurt) and EU-North (Stockholm)
  • Asia Pacific — AP-Southeast (Singapore) and AP-Northeast (Tokyo)

All workflow executions and data storage remain within your selected region. Self-hosted deployments keep all data within your own network.

Configuring privacy settings

Navigate to Settings → Security → Privacy to configure:

  • Log retention — How long execution logs are stored (default: 90 days)
  • Data masking — Automatically redact sensitive fields in logs
  • IP allowlisting — Restrict API access to specific IP ranges
  • Audit logging — Enable detailed audit trails for compliance
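To confirm that data masking and the "never exposed in workflow logs" guarantee hold for your own workflows, you can audit exported execution logs for clear-text credentials. The script below is an added example, not Okinawa code: it assumes logs are exported as one JSON object per line, and the key names, mask formats and sample records are constructed for illustration.

```python
import json
import re

# Assumed key names that should never carry a clear-text value; adapt to your schema.
SENSITIVE_KEYS = re.compile(r"api[_-]?key|token|secret|password|authorization", re.I)
BEARER = re.compile(r"^Bearer\s+\S+", re.I)       # credential embedded in a value
MASKED = re.compile(r"^(\*+|\[REDACTED\])$")      # assumed mask formats

def find_leaks(node, path=""):
    """Yield (json_path, reason) for each value that looks like an unmasked secret."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and SENSITIVE_KEYS.search(key) \
                    and not MASKED.match(value):
                yield child, "sensitive key with unmasked value"
            else:
                yield from find_leaks(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_leaks(item, f"{path}[{index}]")
    elif isinstance(node, str) and BEARER.match(node):
        yield path, "bearer token in value"

def audit_log_lines(lines):
    """Return {line_number: [(json_path, reason), ...]} for lines that leak."""
    report = {}
    for number, line in enumerate(lines, start=1):
        try:
            leaks = list(find_leaks(json.loads(line)))
        except json.JSONDecodeError:
            leaks = [("", "unparseable line")]  # fail closed: flag for manual review
        if leaks:
            report[number] = leaks
    return report

# Constructed sample records, not real Okinawa log output.
SAMPLE_LOG = [
    '{"run": "r-1", "input": {"api_key": "********", "customer": "acme"}}',
    '{"run": "r-2", "input": {"headers": ["Bearer constructed.sample.value"]}}',
    '{"run": "r-3", "output": {"steps": [{"oauth_token": "constructed-token"}]}}',
]

if __name__ == "__main__":
    for line_no, leaks in audit_log_lines(SAMPLE_LOG).items():
        print(line_no, leaks)
```

Run it against a log export after enabling data masking; any reported path points to a field that still needs a masking rule.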
