Bring Your Own Key (BYOK)

Bring Your Own Key (BYOK) lets your team encrypt the email and AI data Superhuman Mail stores in its AI memory layer with your own key — so you stay in control, with the ability to revoke access at any time.

About Bring Your Own Key

BYOK — also known as Customer-Managed Encryption Keys (CMEK) — uses an encryption key your team manages in Google Cloud Key Management Service (KMS) to protect the email content and AI-derived data Mail stores in Turbopuffer, our AI memory layer.

When BYOK is active:

  • Mail re-encrypts all of your team’s existing Turbopuffer data with your key.
  • Any new data written to Turbopuffer is encrypted with your key immediately.
  • You can revoke access to your data at any time by revoking or deleting the key in Google Cloud KMS.

💡 Tip: BYOK gives your team admin additional control over the AI data Mail has stored about your organization — without changing how your team sends and receives email day to day.

Plan availability

BYOK is only available on the Enterprise plan. If you don’t see the BYOK option on the Team Security page, click Contact Us to get in touch with our team about upgrading.

BYOK is configured and managed on Desktop. Key setup, status, and management are not yet available on Mobile.

What BYOK covers

BYOK applies to the data Mail stores in Turbopuffer for AI features such as Ask AI, Auto Label, Auto Draft, and Write With AI. This includes:

  • Email body, headers (From, To, Cc, Bcc, Subject, Date), attachment metadata, and links.
  • AI embeddings generated from your email content.

BYOK does not currently cover other Mail data stores, including transactional databases, logs, and other AI systems. Coverage is per organization, not per user.

Set up BYOK

Setting up BYOK is a guided process between your team and Mail. BYOK is not self-serve: Mail engineering helps connect your key, and your Mail contact validates and activates the key for you.

Here’s how it works:

  1. Your IT team creates a key in Google Cloud KMS for your organization. Today, Google Cloud is the only supported key management service.
  2. Copy the resource ID of your new key from Google Cloud.
  3. In Mail, go to Team Security → Contact Us, or reach out directly to your Customer Success Manager.
  4. Share your key’s resource ID with Mail.
  5. Mail validates the key, adds it to your Turbopuffer namespace, and triggers re-encryption of your existing data.
  6. Your team admin receives an email notification when the re-encryption job is complete.

💡 Tip: Re-encryption runs in the background and does not interrupt sending, receiving, or searching email.

See your key status

Once your key is active, you can see its status at any time:

  1. In Mail, go to Team Security.
  2. The BYOK section shows whether your key is active, revoked, or unconfigured.

If your team doesn’t have a key configured, the Security page shows a Contact Us button to get in touch with our team.

Rotate your key

You can rotate your key in Google Cloud KMS once every 90 days. Each rotation triggers a controlled re-encryption job in Turbopuffer using the new key version. Your team admin receives an email when the rotation is complete.

What happens if your key is revoked

If your key is revoked or deleted in Google Cloud KMS, Mail immediately loses access to the encrypted data in Turbopuffer.

While the key is unavailable:

  • AI features that rely on Turbopuffer pause for your team. This includes Ask AI, Write With AI for searches, Auto Draft, and Auto Label previews.
  • Core email continues to work normally — sending, receiving, calendar, and Auto Archive are unaffected.
  • Your team admin receives an email titled “Action Required: Superhuman Mail Cannot Access Your Encryption Key.”

To restore AI features, restore key access in Google Cloud KMS, then contact Mail support so we can re-validate the key and turn AI features back on.
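The setup steps above, the 90-day rotation, and the revoke-access kill switch, as an added shell example that is not Superhuman's own tooling. Project, location, key ring and key names are placeholders, the next-rotation date is a placeholder, and it assumes Mail wants the key-level resource ID (not a single key version).

```shell
#!/usr/bin/env sh
# Added example (not Superhuman's tooling): create the Cloud KMS key the
# article's setup steps ask for, print its resource ID, sanity-check an ID
# before sharing it, and disable a key version to revoke access.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"   # placeholder
LOCATION="${LOCATION:-us}"                   # placeholder
KEYRING="${KEYRING:-mail-byok}"              # placeholder
KEY="${KEY:-turbopuffer-cmek}"               # placeholder

# Step 1: key ring plus a symmetric encryption key. The 90-day rotation
# period matches the article's rotation cadence; the date is a placeholder.
create_byok_key() {
  gcloud kms keyrings create "$KEYRING" --project "$PROJECT_ID" --location "$LOCATION"
  gcloud kms keys create "$KEY" --project "$PROJECT_ID" --location "$LOCATION" \
    --keyring "$KEYRING" --purpose encryption \
    --rotation-period 90d --next-rotation-time 2026-01-01T00:00:00Z
}

# Step 2: the key's resource ID, which is what you share with Mail.
key_resource_id() {
  gcloud kms keys describe "$KEY" --project "$PROJECT_ID" --location "$LOCATION" \
    --keyring "$KEYRING" --format 'value(name)'
}

# Check before sending: a key-level Cloud KMS resource ID has exactly the
# shape projects/P/locations/L/keyRings/R/cryptoKeys/K (7 slashes, no empty
# segments). Returns 0 when well formed, 1 otherwise.
validate_key_resource_id() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) ;;
    *) return 1 ;;
  esac
  case "$1" in *//*|*/) return 1 ;; esac
  n=$(printf '%s' "$1" | tr -cd '/' | wc -c)
  [ $((n)) -eq 7 ]
}

# Kill switch (the article's "revoke access"): disabling the primary key
# version makes the key unusable without destroying the key material, so
# access can be restored later as the article describes.
revoke_key_access() {
  gcloud kms keys versions disable "$1" --project "$PROJECT_ID" \
    --location "$LOCATION" --keyring "$KEYRING" --key "$KEY"
}
```

Run `create_byok_key` once, then `key_resource_id` to get the value for step 4; pass a version number such as `1` to `revoke_key_access`.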

Stop using BYOK

If your team decides to stop using BYOK, contact your Mail representative. We’ll re-encrypt your Turbopuffer data using Mail’s default encryption key, and your team will return to standard encryption.

FAQs

Is BYOK self-serve?

Not in the first release. Your team creates the key in Google Cloud KMS and shares the resource ID with Mail. A Mail team member configures and activates it for you. Self-serve setup is on our roadmap.

Can I use AWS KMS instead of Google Cloud KMS?

Not yet. Phase 1 supports Google Cloud KMS only. Support for AWS KMS is targeted for late 2026.

How often can I rotate my key?

Once every 90 days. Each rotation triggers a controlled re-encryption process for your team’s data in Turbopuffer.

Does BYOK cover every place Mail stores my data?

Not yet. BYOK currently protects data stored in Turbopuffer — Superhuman’s AI memory layer. It does not cover other Mail data stores, such as transactional databases, logs, or other AI systems. Expanding coverage is on our roadmap.

Can each user on my team have their own key?

Not in the first release. BYOK is configured at the organization level, so one key encrypts your entire team’s Turbopuffer data.

Can I manage BYOK from my phone?

No. BYOK status and setup are available only on Desktop.

What happens to the data already stored before I added a key?

When your key is added, Mail re-encrypts all existing Turbopuffer data for every member of your team with the new key. Your admin receives an email when the re-encryption is complete.
