Document ID
AN-SEC-ZTP-001
Version
1.1
Classification
Public
Effective
Mar 22, 2026
Next Review
Sep 22, 2026
Reviewed By
CEO & Compliance Team

The Principle

Encryption is the final guarantee. If every other control fails — if an attacker bypasses authentication, escalates privilege, evades detection, and reaches the data — encryption ensures that what they find is unreadable. A stolen hard drive yields nothing. An intercepted email reveals nothing. A compromised database exports nothing. Encryption does not prevent breach. It prevents consequence.

Ariana Nexus encrypts all data at rest and in transit across every system, device, and communication channel, and is tracking encryption in use (see below) for adoption as platform support matures. Encryption is not an optional feature applied to sensitive data. It is the default state of all data within the Ariana Nexus environment. The question is never "should we encrypt this?" The question is "what encryption standard does this data require?"

Encryption Architecture

Encryption at Rest

All data stored within the Ariana Nexus environment is encrypted at rest. Encryption at rest protects data against unauthorized physical access to storage media, including theft of devices, unauthorized access to data centers, and forensic extraction from decommissioned hardware.

Microsoft 365 Service Encryption:

All data stored in Microsoft 365 services — including Exchange Online (email), SharePoint Online (documents and sites), OneDrive for Business (personal file storage), and Microsoft Teams (messages, files, and recordings) — is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys), one of the strongest symmetric encryption algorithms in commercial use. This encryption is applied automatically by the Microsoft 365 platform at the service layer.

Endpoint Encryption (Full-Disk):

All company devices (laptops, desktops, and mobile devices) are required to have full-disk encryption enabled, enforced through Microsoft Intune. The Intune compliance policy checks that the device reports encryption as on and marks it non-compliant otherwise; the encryption settings themselves, including cipher strength, come from the Intune disk encryption policy, because a compliance policy reports state but does not configure it:

Purview Information Protection (Document-Level Encryption):

For Confidential-tier and Restricted-tier data (as defined in the Data Protection & Classification page), Microsoft Purview Information Protection applies an additional layer of document-level encryption through Sensitivity Labels:

Encryption in Transit

All data transmitted to, from, and within the Ariana Nexus environment is encrypted in transit. Encryption in transit protects data against interception, eavesdropping, and man-in-the-middle attacks.

TLS (Transport Layer Security):

Email Encryption:

Ariana Nexus implements multiple layers of email encryption:

VPN and Remote Access:

Encryption in Use (Planned)

Encryption in use — protecting data while it is being actively processed in memory — is an emerging capability that Ariana Nexus monitors and plans to adopt as the technology matures:

Key Management

Current Model: Microsoft-Managed Keys

Ariana Nexus currently uses Microsoft-managed encryption keys for all Microsoft 365 service encryption and Azure Rights Management Service encryption. Under this model:

Why This Model Is Appropriate Today:

For an organization at Ariana Nexus's current scale operating within Microsoft 365 Business Premium, Microsoft-managed keys provide enterprise-grade encryption with the operational simplicity and reliability of Microsoft's global infrastructure. The keys are held in FIPS-validated HSMs, rotated automatically, and governed by Microsoft's independently audited security program. This model is consistent with the encryption expectations of HIPAA, NIST SP 800-171, GDPR, and CCPA, none of which requires that the customer rather than the service provider hold the keys.

Roadmap: Customer-Managed Keys (CMK)

As Ariana Nexus matures and the complexity of its engagements grows — particularly in government, defense, and sovereignty-sensitive contexts — the organization will transition to a customer-managed key model:

Phase 1 — Evaluation (2027): Evaluate Microsoft 365 Customer Key, which lets Ariana Nexus supply and control the root keys for Microsoft 365 data at rest from keys held in Azure Key Vault. Two caveats shape this evaluation: Customer Key is licensed at the Microsoft 365 E5 level (or with the E5 Compliance add-on), not with Business Premium, so adopting it changes the licensing baseline; and Microsoft retains an availability key so that it can recover the service if the customer keys are lost, so Customer Key delivers key control, not exclusion of Microsoft from the data (that is what Double Key Encryption in Phase 3 provides). Evaluate Azure Key Vault HSM-backed key storage (Premium SKU or Managed HSM) for keys held within Ariana Nexus's own Azure tenant. Assess requirements for government engagements that mandate customer-controlled encryption (e.g., CMMC, FedRAMP, ITAR).

Phase 2 — Deployment (2027–2028): Deploy Microsoft 365 Customer Key for Exchange Online, SharePoint Online, and Teams, giving Ariana Nexus control over the root encryption keys for all data at rest. Deploy Azure Key Vault with HSM protection for managing application-level encryption keys. Implement key rotation policies and key access audit logging within Ariana Nexus's own infrastructure.

Phase 3 — Advanced Key Sovereignty (2028–2030): Deploy Double Key Encryption for the highest-sensitivity engagements, adding a customer-held key layer so that content cannot be decrypted without a key Microsoft never holds. Note the scope: DKE protects labelled documents and emails, not the whole service, and DKE-protected content is opaque to the Microsoft services that would otherwise read it (search indexing, eDiscovery, DLP inspection). Evaluate hold-your-own-key models for engagements requiring that keys never leave Ariana Nexus's physical or logical control, noting that the original HYOK offering depended on the Azure Information Protection classic client, which Microsoft retired in 2022, and that Microsoft now directs that requirement to DKE. Implement key management procedures compliant with NIST SP 800-57 (Recommendation for Key Management).

Phase 4 — Post-Quantum Readiness (2030+): NIST published its first post-quantum standards in August 2024 (FIPS 203 ML-KEM for key establishment, FIPS 204 ML-DSA and FIPS 205 SLH-DSA for signatures), and its draft transition guidance (NIST IR 8547) proposes deprecating RSA and ECC at 112-bit security after 2030 and disallowing them after 2035. The exposure is asymmetric: AES-256, the cipher used at rest, is not broken by known quantum algorithms (Grover's search halves its effective strength, leaving 128 bits), so migration concerns the key exchange and signatures in TLS, S/MIME and key wrapping (RSA, ECC), not the at-rest cipher. Develop a cryptographic agility plan, starting with an inventory of where each asymmetric algorithm is used, to adopt the PQC algorithms as platform support in Microsoft 365 and Azure becomes available. This aligns with Ariana Nexus's multi-decade operational horizon through 2080 and addresses the harvest-now, decrypt-later risk to data that crosses the network today.

Encryption Standards Reference

Data at rest (M365 services) — AES-256, 256-bit. Microsoft service encryption, per-file and per-database.

Data at rest (Windows devices) — XTS-AES-256 (BitLocker), 256-bit. Enforced via Intune. Note that BitLocker defaults to XTS-AES-128 unless the Intune disk encryption policy sets the encryption method to XTS-AES 256 before the drive is encrypted; a drive already encrypted at 128-bit keeps that cipher until it is decrypted and re-encrypted.

Data at rest (macOS devices) — XTS-AES-128 (FileVault) with a 256-bit key (XTS uses two 128-bit keys). Enforced via Intune compliance policy.

Data at rest (iOS devices) — AES-256 (hardware), 256-bit. Device-level, hardware-backed.

Data at rest (Android devices) — AES-256 (device encryption), 256-bit. Enforced via Intune compliance policy.

Document-level encryption — AES-256 (Azure RMS), 256-bit. Purview Sensitivity Labels (Confidential, Restricted).

Data in transit (web) — TLS 1.2+; the session key length is set by the negotiated cipher suite (TLS 1.3 uses AES-128-GCM, AES-256-GCM or ChaCha20-Poly1305), so a flat 256-bit figure is not guaranteed for every connection. HTTPS enforced for ariananexus.com and all M365 services.

Data in transit (email) — TLS 1.2+ with cipher-suite-dependent session keys. Opportunistic TLS for all Exchange Online connections. Caveat: opportunistic TLS encrypts only when the remote server offers STARTTLS and falls back to cleartext otherwise, and it does not validate the remote certificate, so it does not defeat an active attacker on the path. Where a counterparty requires guaranteed encryption, enforced TLS with certificate validation must be configured on a partner connector, or the message itself must be encrypted (OME or Sensitivity Label encryption, below).

Email content encryption — AES-256 (OME / Azure RMS), 256-bit. Office Message Encryption and Sensitivity Label encryption.

Key storage (current) — FIPS 140-2 Level 2/3 HSMs. Microsoft-managed HSM infrastructure.

Key storage (roadmap) — Azure Key Vault HSM, configurable. Customer-managed keys, target 2027–2028.
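The opportunistic TLS entry above is the weak setting for email in transit. The following is an added example, not configuration from the Ariana Nexus page, showing the enforced-TLS partner connectors that replace it in Exchange Online PowerShell: outbound delivery fails rather than falling back to cleartext, and inbound mail from the partner is rejected unless it arrives over TLS with the expected certificate. The partner domain, certificate name and connector names are constructed placeholders; the cmdlets and parameters are the ExchangeOnlineManagement module's own.

```powershell
# Added example, not configuration from the Ariana Nexus page.
# Replaces opportunistic TLS with enforced, certificate-validated TLS for one partner domain.
# Requires the ExchangeOnlineManagement module and an Exchange admin session.

Connect-ExchangeOnline -ShowBanner:$false

$PartnerDomain   = 'partner.example'        # assumption: domain that must only ever see TLS
$PartnerCertName = 'mail.partner.example'   # assumption: CN/SAN on the partner MTA certificate

# Outbound: DomainValidation requires the remote certificate to chain to a trusted CA AND
# match $PartnerCertName. EncryptionOnly would accept any certificate (self-signed included)
# and so would not stop an active attacker on the path. Delivery fails if TLS is unavailable.
New-OutboundConnector -Name "Enforced TLS to $PartnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $PartnerCertName `
    -Enabled $true

# Inbound: reject mail claiming to be from the partner unless it arrives over TLS
# with a certificate whose name matches $PartnerCertName.
New-InboundConnector -Name "Enforced TLS from $PartnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $PartnerCertName `
    -Enabled $true

# Verify the result: TlsSettings must read DomainValidation and RequireTls must be True.
# Connectors with TlsSettings empty or EncryptionOnly are still effectively opportunistic.
Get-OutboundConnector -Identity "Enforced TLS to $PartnerDomain" |
    Select-Object Name, Enabled, TlsSettings, TlsDomain, UseMXRecord
Get-InboundConnector -Identity "Enforced TLS from $PartnerDomain" |
    Select-Object Name, Enabled, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
```

The check at the end is the part worth scripting across all connectors: any outbound connector whose TlsSettings is blank or EncryptionOnly, and any inbound partner connector with RequireTls set to False, leaves the counterparty on opportunistic TLS regardless of what the policy says. Enforced TLS is a per-partner control; mail to domains without a connector still uses opportunistic TLS and should carry message-level encryption when it is sensitive.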

Alignment with Security and Compliance Frameworks

Ariana Nexus's encryption and key management architecture is designed in alignment with the following recognized frameworks and standards:

HIPAA Security Rule (45 CFR § 164.312(a)(2)(iv), § 164.312(e)(1)) — Encryption of ePHI at rest and in transit. Aligned — AES-256 at rest, TLS 1.2+ in transit, Purview encryption for PHI documents.

NIST SP 800-171 Rev. 2 / Rev. 3 — Requirements 3.13.8 (transmission confidentiality; the 800-53 SC-8 control) and 3.13.11 (FIPS-validated cryptography; SC-13 Cryptographic Protection). Aligned — FIPS-validated encryption for data at rest and in transit (Rev. 2 remains the baseline for DoD/CMMC; Rev. 3 transition planned per DoD rulemaking).

NIST SP 800-57 — Key management lifecycle (generation, distribution, storage, rotation, destruction). Roadmap — currently Microsoft-managed; CMK with NIST 800-57 compliance planned (2027–2028).

CMMC Level 2 — System and Communications Protection (SC) domain. Roadmap (2027) — encryption controls implemented, CMK planned for certification.

GDPR (Article 32) — Encryption as appropriate technical measure for security of processing. Aligned — encryption at rest, in transit, and at document level.

UK GDPR — Same as GDPR. Aligned.

FIPS 140-2 / 140-3 — Cryptographic module validation. Aligned — Microsoft infrastructure uses FIPS 140-2 Level 2/3 validated HSMs. Note that the CMVP moves all FIPS 140-2 certificates to its Historical List on September 21, 2026, after which validations should be cited against FIPS 140-3; this entry is due for re-verification at the next review.

PCI DSS (if applicable) — Encryption of cardholder data. Not currently applicable — Ariana Nexus does not process payment card data on its systems.

NIST PQC Standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), published August 2024. Roadmap (2030+) — cryptographic inventory and agility planning; adoption of the standardized algorithms tied to Microsoft 365 and Azure platform support.

SOC 2 (Trust Services Criteria) — CC6.1 — Encryption of data at rest and in transit. Roadmap (2026–2027) — controls operational, audit planned.

ISO 27001:2022 — Annex A.8.24 — Use of Cryptography. Roadmap (2027) — controls aligned, certification planned.

EU AI Act — Data protection measures for AI training data. Aligned — Restricted-tier encryption for AI data containing PII.

Sector-Specific Encryption Applications

Healthcare (HIPAA)

Protected Health Information is encrypted at every layer: at rest in SharePoint via Microsoft service encryption (AES-256), in transit via TLS 1.2+, at the document level via Purview Sensitivity Labels (Restricted tier, Azure RMS encryption), on endpoints via BitLocker/FileVault, and in email via OME or Sensitivity Label encryption. Encryption satisfies the HIPAA Security Rule addressable implementation specification for encryption of ePHI at rest (45 CFR § 164.312(a)(2)(iv)) and the standard for transmission security (45 CFR § 164.312(e)(1)).

Government (CUI / NIST 800-171)

Controlled Unclassified Information is encrypted using FIPS-validated cryptographic modules at rest and in transit, satisfying NIST SP 800-171 requirements 3.13.11 (FIPS-validated cryptography; SC-13 Cryptographic Protection) and 3.13.8 (SC-8 Transmission Confidentiality and Integrity). Customer-managed keys via Azure Key Vault are on the roadmap to provide Ariana Nexus-controlled key management for CUI environments, addressing government expectations for key sovereignty.

AI & Technology (AI Data Factory)

AI training data containing personally identifiable information is classified as Restricted and encrypted at the document level via Purview Sensitivity Labels. Data provenance records and annotation outputs inherit the encryption classification of the underlying dataset. Client-provided AI data is encrypted using the same standards, with additional encryption layers applied per the Data Processing Agreement where required.

Research & Education

Research data involving human subjects or sensitive academic data is encrypted based on its classification tier. Restricted-tier research data receives full document-level encryption with access limited to the approved research team.

What Encryption Means for Our Clients and Partners

For procurement officers: Every piece of data you entrust to Ariana Nexus is encrypted at rest (AES-256), in transit (TLS 1.2+), and at the document level (Azure RMS) for sensitive classifications. Encryption is not optional — it is the default state of all data in our environment. We can provide encryption configuration evidence and compliance mapping on request.

For CISOs: Our encryption architecture uses Microsoft's FIPS 140-2 Level 2/3 validated infrastructure with a defined path to customer-managed keys, giving you confidence in the cryptographic foundation today and key sovereignty in the future. Full-disk encryption is enforced on every device through Intune — no exceptions.

For compliance officers: Our encryption standards satisfy the cryptographic requirements of HIPAA, NIST SP 800-171, GDPR Article 32, and FIPS 140-2. Encryption key management is currently Microsoft-managed; Microsoft's independent audit reports covering that infrastructure (SOC 1/SOC 2, ISO 27001) are available through the Microsoft Service Trust Portal, and a customer-side key access audit trail becomes available once customer-managed keys in Azure Key Vault are deployed (see roadmap). Our roadmap to customer-managed keys addresses the key sovereignty requirements of CMMC, FedRAMP, and advanced government engagements.

For government contracting officers: CUI encryption uses FIPS-validated modules. Customer-managed keys via Azure Key Vault are planned for 2027–2028, aligned with our CMMC Level 2 certification target. Post-quantum cryptographic migration is on our long-term roadmap, ensuring data encrypted today remains protected against future threats.

If your organization requires encryption architecture documentation, key management evidence, or a cryptographic compliance briefing, contact trust@ariananexus.com or +1 (202) 771-0224.

Maturity Roadmap

Ariana Nexus views encryption and key management as a multi-year journey. The following roadmap reflects our planned maturation path:

Phase 1: Foundation (Current — 2026) — Operational

AES-256 at rest across all M365 services. TLS 1.2+ in transit. BitLocker/FileVault enforced on all devices. Purview Sensitivity Label encryption for Confidential and Restricted data. OME for encrypted external email. Microsoft-managed keys in FIPS 140-2 validated HSMs.
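As an added check (example code, not part of the page), the following PowerShell audits a Windows endpoint against the Phase 1 statement that BitLocker is enforced on all devices and the AES-256 figure in the standards reference. It reads the OS volume's BitLocker state, confirms the cipher is XTS-AES-256 rather than the Windows default of XTS-AES-128, and checks for a TPM-backed protector and a recovery password that can be escrowed. The required cipher and the choice of the system drive are assumptions; the cmdlets come from the built-in BitLocker and TrustedPlatformModule modules.

```powershell
# Added example, not code from the Ariana Nexus page.
# Audits the OS volume of a Windows endpoint against the stated full-disk encryption standard.
# Run in an elevated PowerShell session; uses Get-BitLockerVolume (BitLocker module)
# and Get-Tpm (TrustedPlatformModule module), both shipped with Windows.
# Assumptions: required cipher is XtsAes256; the volume audited is the system drive.

$RequiredMethod = 'XtsAes256'   # Windows defaults to XtsAes128 unless policy sets otherwise

function Test-BitLockerBaseline {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm
    # KeyProtector is a collection; flatten the protector types to plain strings
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $tpmBacked  = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    $failures = @()
    if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
        $failures += "volume is $($vol.VolumeStatus), not FullyEncrypted"
    }
    if ([string]$vol.ProtectionStatus -ne 'On') {
        # A suspended volume stores its key in the clear; encryption "on" is not protection "on"
        $failures += 'protection is Off (suspended or never enabled)'
    }
    if ([string]$vol.EncryptionMethod -ne $RequiredMethod) {
        # The Intune compliance check reports encrypted yes/no; cipher strength is checked here
        $failures += "cipher is $($vol.EncryptionMethod); policy requires $RequiredMethod"
    }
    if (-not $tpm.TpmReady) {
        $failures += 'TPM is not ready; the key cannot be hardware-bound'
    }
    if (-not ($protectors | Where-Object { $tpmBacked -contains $_ })) {
        $failures += "no TPM-backed key protector (found: $($protectors -join ','))"
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $failures += 'no recovery password protector; nothing can be escrowed'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        EncryptionMethod = [string]$vol.EncryptionMethod
        KeyProtectors    = ($protectors -join ',')
        Compliant        = ($failures.Count -eq 0)
        Failures         = $failures
    }
}

Test-BitLockerBaseline | Format-List
```

Two of these checks cover gaps that a compliance policy alone does not: the policy's encryption check passes on XTS-AES-128 as well as XTS-AES-256, so the cipher must be read from the volume, and a volume whose protection is suspended still reports as encrypted. If the recovery password exists but has not been escrowed, `BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId <id>` (same module) stores it with the device record in Entra ID.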

Phase 2: Hardening (2027) — In Planning

Customer Key evaluation and deployment (Azure Key Vault). S/MIME evaluation for certificate-based email encryption. SOC 2 Type II audit (CC6.1 encryption controls). NIST SP 800-57 key management alignment.

Phase 3: Certification (2027–2028) — Planned

Customer-managed keys deployed for M365 data at rest. Azure Key Vault HSM-backed key storage operational. CMMC Level 2 SC domain certification. ISO 27001 Annex A.8.24 certification.

Phase 4: Advanced (2028–2030) — Planned

Double Key Encryption for sovereignty-grade engagements. Hold Your Own Key evaluation. FedRAMP encryption requirements. Confidential computing evaluation for AI workloads.

Phase 5: Quantum-Ready (2030+) — Vision

Post-quantum migration of asymmetric algorithms (key exchange and signatures) to the NIST PQC standards, with AES-256 retained at rest. Cryptographic agility framework. Quantum key distribution evaluation. Long-horizon data protection through 2080.

Limitation of Liability and Disclaimers

No Guarantee of Encryption Invulnerability. Ariana Nexus implements encryption using commercially recognized standards and FIPS-validated infrastructure. However, no encryption algorithm is guaranteed to be permanently invulnerable. Advances in computing technology, including quantum computing, may affect the long-term security of current encryption standards. Ariana Nexus monitors cryptographic developments and plans for algorithm migration as described in the roadmap, but does not warrant that currently encrypted data will remain secure against all future technological capabilities.

Microsoft-Managed Key Dependency. Ariana Nexus currently relies on Microsoft-managed encryption keys. While Microsoft's key management infrastructure is FIPS 140-2 validated and independently audited, Ariana Nexus does not control Microsoft's key management operations and disclaims liability for any incident attributable to Microsoft's key management infrastructure. Customer-managed keys are on the roadmap to provide Ariana Nexus with direct key control.

Roadmap Items. The maturity roadmap reflects current plans as of the Effective Date. Roadmap items, including customer-managed keys, Double Key Encryption, and post-quantum migration, are forward-looking statements and not binding commitments. Ariana Nexus reserves the right to modify roadmap items at its sole discretion.

Client-Specific Encryption Obligations. The encryption standards described on this page represent Ariana Nexus's general organizational posture. Specific encryption requirements for individual client engagements are defined in the applicable Engagement Agreement. Where a client requires encryption standards beyond those described herein, such requirements will be addressed through the engagement-specific Data Protection Plan.

Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ARIANA NEXUS'S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATED TO ENCRYPTION AND KEY MANAGEMENT SHALL NOT EXCEED THE AMOUNTS SET FORTH IN THE APPLICABLE ENGAGEMENT AGREEMENT, OR, WHERE NO ENGAGEMENT AGREEMENT EXISTS, ONE HUNDRED DOLLARS ($100). ARIANA NEXUS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING FROM OR RELATED TO ANY ENCRYPTION FAILURE, KEY COMPROMISE, OR CRYPTOGRAPHIC VULNERABILITY. NOTHING IN THIS SECTION SHALL LIMIT OR EXCLUDE ARIANA NEXUS'S LIABILITY FOR: (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE; OR (C) ANY OTHER LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW, INCLUDING BUT NOT LIMITED TO LIABILITY UNDER THE UK UNFAIR CONTRACT TERMS ACT 1977, THE UK CONSUMER RIGHTS ACT 2015, OR GDPR.

Dispute Resolution. Any dispute arising out of or relating to this page shall be subject to the dispute resolution provisions in the Terms of Use, Section 18.

This page is provided for informational purposes and does not constitute a warranty, guarantee, or binding commitment regarding Ariana Nexus's encryption or key management capabilities. Capabilities described herein are subject to change. Nothing in this page shall be construed as a waiver of any right, defense, or immunity available to Ariana Nexus under applicable law.

This page is provided for informational purposes and does not constitute legal advice, a warranty, guarantee, or binding commitment regarding Ariana Nexus’s compliance posture. Capabilities described herein are subject to change.