# Encryption

## Data in transit

All communication between clients and Rockhopper is encrypted with TLS 1.2 or higher. Unencrypted connections are never accepted.

| Channel               | Protocol                      |
| --------------------- | ----------------------------- |
| Web application       | HTTPS (TLS 1.2+)              |
| Excel add-in          | HTTPS (TLS 1.2+)              |
| Google Sheets sidebar | HTTPS (TLS 1.2+)              |
| Real-time updates     | WSS (TLS-encrypted WebSocket) |
| Microsoft Graph API   | HTTPS (TLS 1.2+)              |
| Google APIs           | HTTPS (TLS 1.2+)              |

SSL certificates are managed and renewed automatically. All HTTP requests are redirected to HTTPS.

![SSL certificate details for \*.rockhopper.co](/files/goEXQOuqidE0fZGVm0yC)

## Data at rest

All persistent data is encrypted using AWS-managed encryption services:

| Storage layer           | Encryption                                   |
| ----------------------- | -------------------------------------------- |
| Database (PostgreSQL)   | AWS RDS encryption with AES-256              |
| Version snapshots (S3)  | Server-side encryption (SSE-S3) with AES-256 |
| Secrets and credentials | AWS Secrets Manager with KMS                 |

![S3 bucket encryption settings showing SSE-S3 with AES-256](/files/vvu5ohyuqG5P1H4j5BoF)
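The settings in the table above can be checked mechanically in an AWS account you control. The following is an added example, not Rockhopper's own code: it audits dictionaries shaped like the S3 `GetBucketEncryption` and RDS `DescribeDBInstances` responses, and every bucket name, instance name and sample response in it is constructed for illustration.

```python
# Added example: offline audit of AWS-style responses against the at-rest table.
# All names and sample responses below are constructed, not real resources.

def audit_s3(bucket, enc_response):
    """Return findings for one bucket's GetBucketEncryption-shaped response."""
    config = (enc_response or {}).get("ServerSideEncryptionConfiguration", {})
    rules = config.get("Rules", [])
    if not rules:
        return [f"s3:{bucket}: no default encryption rule"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo != "AES256":  # "AES256" is the API value for SSE-S3
            findings.append(f"s3:{bucket}: default SSE is {algo!r}, expected 'AES256'")
    return findings

def audit_rds(describe_response):
    """Return findings for a DescribeDBInstances-shaped response."""
    findings = []
    for db in describe_response.get("DBInstances", []):
        if not db.get("StorageEncrypted", False):
            name = db.get("DBInstanceIdentifier", "?")
            findings.append(f"rds:{name}: storage not encrypted")
    return findings

def _sse(algo):
    """Build a constructed GetBucketEncryption-shaped response."""
    rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}
    return {"ServerSideEncryptionConfiguration": {"Rules": [rule]}}

# Constructed inputs. None stands in for a bucket with no configuration
# (an assumption of this example, not how the API reports that case).
SAMPLE_S3 = {"snapshots-ok": _sse("AES256"),
             "snapshots-kms": _sse("aws:kms"),
             "snapshots-none": None}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "app-db", "Engine": "postgres", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "scratch-db", "Engine": "postgres", "StorageEncrypted": False},
]}

def audit_all(s3=SAMPLE_S3, rds=SAMPLE_RDS):
    findings = []
    for bucket in sorted(s3):
        findings += audit_s3(bucket, s3[bucket])
    return findings + audit_rds(rds)

if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

A bucket reported with `aws:kms` is still encrypted; the audit flags it only because it differs from the SSE-S3 setting stated in the table.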

## Authentication tokens

Rockhopper uses OAuth 2.0 for authentication with Microsoft Entra ID and Google Identity. Microsoft access tokens are:

* Held in memory only during the user's active session
* Never persisted to disk, database, or browser storage by Rockhopper
* Transmitted exclusively over encrypted channels

Google OAuth refresh tokens are encrypted and stored in the database to maintain persistent file access for change tracking.

