Customer-managed encryption keys (CMEK)

By default, Customer Experience Agent Studio encrypts customer content at rest. CX Agent Studio handles encryption for you without any additional actions on your part. This option is called Google default encryption. Google default encryption uses the same hardened key management systems that we use for our own encrypted data. These systems include strict key access controls and auditing.

If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including CX Agent Studio. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.

After you set up your resources with CMEKs, the experience of accessing your CX Agent Studio resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).

Protected data

All agent application data at rest can be protected with CMEKs.

Limitations

  • Key rotation is supported but data re-encryption is not. That is, re-encrypting previously encrypted data with a new key version is not supported.
  • One key should be used per project location.
  • Existing resources in projects that are not CMEK-integrated cannot be CMEK-integrated retroactively. Instead, the recommended approach is to export the resources and restore them in a new project set up for CMEK.
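
Because rotation does not re-encrypt existing data, older key versions must stay usable for the data written under them. The following Python check is an added example, not part of the original page or of Google's tooling. It assumes version records shaped like Cloud KMS `CryptoKeyVersion` JSON (`name`, `state`), assumes every listed key is one configured for CX Agent Studio, and uses constructed placeholder project, key ring and key names.

```python
import re

NAME_RE = re.compile(
    r"^projects/([^/]+)/locations/([^/]+)/keyRings/([^/]+)"
    r"/cryptoKeys/([^/]+)/cryptoKeyVersions/(\d+)$")

# Nothing is re-encrypted after rotation, so a version in one of these states
# leaves the data written under it unreadable. DISABLED can be re-enabled and
# DESTROY_SCHEDULED can be restored; DESTROYED cannot be undone.
SEVERITY = {"DISABLED": "recoverable", "DESTROY_SCHEDULED": "recoverable",
            "DESTROYED": "permanent"}


def make_version(key, number, state):
    """Build one constructed sample record (placeholder names, not real keys)."""
    base = "projects/example-project/locations/us/keyRings/example-ring"
    return {"name": f"{base}/cryptoKeys/{key}/cryptoKeyVersions/{number}",
            "state": state}


# Constructed sample: one rotated key with two unusable old versions, plus a
# second key in the same project location.
SAMPLE = [make_version("agent-key", 1, "DESTROYED"),
          make_version("agent-key", 2, "DISABLED"),
          make_version("agent-key", 3, "ENABLED"),
          make_version("second-key", 1, "ENABLED")]


def audit(versions):
    """Return (severity, subject, reason) findings for key version records."""
    findings, keys_by_location = [], {}
    for rec in versions:
        m = NAME_RE.match(rec.get("name", ""))
        if not m:
            findings.append(("error", rec.get("name", ""), "unparseable version name"))
            continue
        project, location, ring, key, number = m.groups()
        keys_by_location.setdefault((project, location), set()).add((ring, key))
        severity = SEVERITY.get(rec.get("state"))
        if severity:
            findings.append((severity, f"{key}/v{number}",
                             f"{rec['state']}: data encrypted under this version is unreadable"))
    for (project, location), keys in sorted(keys_by_location.items()):
        if len(keys) > 1:  # limitation: one key per project location
            findings.append(("policy", f"{project}/{location}",
                             f"{len(keys)} keys found, expected one per project location"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```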

Manage keys

Key management (create, enable, and revoke) is handled by using the Conversational Insights API.