CASE 108 · CALYPSO · 2025
Customer keys, in the customer’s custody.
A B2B SaaS company had been losing enterprise deals over a recurring objection: "we want our data encrypted with keys we control, not keys you control." We added BYOK support via AWS KMS External Key Store and unblocked $3.6M in pipeline.
B2B SaaS
SECURITY
2025
RESULTS
What changed, by the numbers.
PIPELINE UNBLOCKED: $3.6M
CUSTOMERS LIVE ON BYOK: 6
KEY-USE AUDIT TRAIL: CRYPTO-VERIFIED
PERFORMANCE OVERHEAD: +8ms p95
HOW IT WENT
The objection had been recurring. Enterprises with strong key-custody requirements wanted to hold the master keys in their own HSMs, with the SaaS vendor able to use them only when the customer permitted. KMS Customer-Managed Keys hold the keys in AWS; only XKS holds them in the customer’s domain.
We integrated XKS via the customer’s on-prem (or cloud-of-their-choice) HSM through the XKS Proxy specification. The SaaS application uses standard KMS API calls; KMS routes the cryptographic operations to the customer’s HSM and never sees the key material itself.
Six enterprise customers went live on BYOK in the first quarter post-launch, unblocking $3.6M in pipeline that had been stalled on this single requirement. Performance overhead at p95 is +8ms, well within the SaaS’s latency budget. The key-use audit trail is cryptographically verifiable on the customer side.
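To illustrate the custody distinction above, here is an added example (not code from the engagement): a pre-flight check a SaaS could run on a KMS DescribeKey response before using a tenant's key, rejecting any key whose material is held in AWS. Field names are those of the KMS KeyMetadata structure; the function name, the fail-closed policy and all sample values are assumptions constructed here.

```python
# Added example. Field names follow the KeyMetadata structure returned by
# KMS DescribeKey; the policy and every sample value are constructed.

def byok_violations(meta, tenant_store_id):
    """Return the reasons a KMS key fails a customer-custody (XKS) policy."""
    origin = meta.get("Origin")
    if origin != "EXTERNAL_KEY_STORE":
        # AWS_KMS, EXTERNAL (imported material) and AWS_CLOUDHSM all keep
        # the key material inside AWS rather than in the customer's HSM.
        return [f"Origin={origin}: key material is held in AWS"]
    problems = []
    if meta.get("CustomKeyStoreId") != tenant_store_id:
        problems.append("key is in a different key store than this tenant's")
    if not (meta.get("XksKeyConfiguration") or {}).get("Id"):
        problems.append("no external key id recorded for this KMS key")
    state = meta.get("KeyState")
    if state != "Enabled":
        # Disabled, PendingDeletion, Unavailable, ...: fail closed and never
        # fall back to a vendor-held key for this tenant's data.
        problems.append(f"KeyState={state}: refuse to encrypt")
    return problems

TENANT_STORE = "cks-EXAMPLE000000001"  # constructed custom key store id

def _xks(**overrides):
    """Build a constructed KeyMetadata record for an XKS-backed key."""
    base = {
        "Origin": "EXTERNAL_KEY_STORE",
        "CustomKeyStoreId": TENANT_STORE,
        "XksKeyConfiguration": {"Id": "tenant-hsm-key-01"},
        "KeyState": "Enabled",
    }
    base.update(overrides)
    return base

SAMPLES = {
    "xks-ok": _xks(),
    "aws-cmk": {"Origin": "AWS_KMS", "KeyState": "Enabled"},
    "xks-unavailable": _xks(KeyState="Unavailable"),
    "wrong-store": _xks(CustomKeyStoreId="cks-EXAMPLE000000002"),
}

if __name__ == "__main__":
    for name, meta in SAMPLES.items():
        print(name, byok_violations(meta, TENANT_STORE) or "OK")
```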