Data at rest Encryption in Pega Cloud Sales Automation

Hi All,

I need to know if we allow a BYOK approach for the Pega Cloud Sales Automation application, and how we support it for the Digital Channel.

@Gaurav25 Warning: This is a GenAI-powered tool. All generated answers require validation against the provided references.


BYOK Support for Pega Cloud Sales Automation

Yes, Pega Cloud does support BYOK encryption for applications, including Sales Automation. For Pega Cloud deployments, Pega manages the infrastructure-level encryption keys for your environment automatically, including key rotation on a periodic basis through a FIPS 140-2 compliant Key Management Service (KMS).

All client data stored in volumes, databases, and object storage buckets in a Pega Cloud environment are encrypted with 256-bit encryption by default. This applies to Sales Automation applications as well.

BYOK Support for Digital Channel

For Digital Channels specifically, BYOK encryption is supported from version 8.8+. Organizations with stricter data and privacy policies can implement BYOK encryption for the Web Messaging and Mobile Messaging SDK connections in the Digital Messaging channel.

The BYOK encryption method for Digital Messaging provides end-to-end encryption that prevents Digital Messaging Service from accessing the chat message contents transmitted between a customer’s session and your Pega application. This works through a system of key pairs:

  1. Client Key Pair: You provide an asymmetric crypto key pair and store it on your Pega instance. This consists of a Public Client Key and Private Client Key, with the Private Client Key never leaving your Pega instance.
  2. Session Key Pair: The Web Messaging and Mobile Messaging SDKs generate an asymmetric crypto key pair for each chat session, consisting of a Public Session Key and Private Session Key. The Private Session Key never leaves the customer’s session.
  3. AES Message Key: Digital Messaging Service encrypts all messages with individual AES-GCM message keys, which are then encrypted with their respective public keys.

When implementing BYOK for Digital Messaging with Sales Automation, you would need to:

  • Generate and install the Private Client Key and Public Client Key in your Digital Messaging channel interface
  • Configure the BYOK encryption for Web Messaging and Mobile Messaging SDK channel connections
  • For sessions using the Private Data API, encrypt the private data with the AES private data key before sending it to Digital Messaging Service

It’s worth noting that in earlier versions (such as 8.8.0), BYOK encryption did not apply to file attachments, transcript downloads, or conversation history. However, BYOK encryption for these features is supported starting from Pega Platform application version 24.1.3, 24.2.1, and later.

References:


@MireilleDallaire please comment if required.