How data is protected in transit and at rest on the managed stack — plus BYOB and roadmap.
Browser and API traffic terminates TLS at the Cloudflare edge using modern cipher suites. Custom hostnames use your zone’s TLS configuration when applicable.
R2, D1, and other Cloudflare primitives rely on provider-managed encryption and access boundaries. See Cloudflare’s trust documentation for the underlying controls.
When you attach your own bucket, the encryption keys and bucket policies are yours to configure (SSE-KMS, dual-layer, etc.).
We track demand for tenant-scoped key hierarchies or customer-held keys for selected payloads. Availability depends on architecture and Cloudflare primitives, and is not promised for a fixed date.