Entity Api
Versioned, Encrypted Storage for Any Object Model
Features
  • Per-Entity Encryption: Every entity is encrypted with a key supplied by the client on each request. The server stores only ciphertext and never retains the key between calls.
  • Client-Held Encryption Keys: The encryption key is provided per request and is never persisted server-side. A complete server compromise yields no key material.
  • Generic Object Storage: Any MessagePack-serializable object model can be stored. The type name is a consumer-defined string of up to 255 characters.
  • Automatic Versioning: Every update increments the version counter and archives the previous version automatically. No triggers or application-layer logic are required.
  • Full Change History: GetHistory returns all prior versions of an entity in chronological order, excluding the current version.
  • Soft Delete (Archive): SoftDelete moves an entity to a separate archive table. Archived entities remain queryable via GetArchived and are excluded from active queries.
  • Hard Delete (Purge): Purge removes the entity, its current version, and its entire history. No orphaned records remain after a purge.
  • Deserialized Access: Generic overloads such as GetEntityDeserializedAsync<T> return the deserialized object directly. MessagePack serialization is handled by the client library.
  • Envelope Encryption on All Requests: All sensitive parameters travel inside Protected<T> envelopes. Raw entity data and keys never appear in transit in plaintext.
  • Authorization-Enforced Access: Every request to the Entity Api is validated by the Application Api. A service must be registered and authorized before it can store or retrieve entities.
How It Compares
Beyond What Conventional Data Stores Offer
The Data Custody Problem, Solved
Cloud and framework-managed storage solutions store entity data the server can read. The Entity Api stores data the server cannot read without a key the client must supply on each request. A breach that extracts the entire Entity Api database extracts encrypted records and nothing actionable.
Capability
Entity Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Per-row client-held encryption
No server-side key access
Automatic version history
Soft delete / archive
Envelope encryption on all requests
Air-gappable
CLOUD Act exempt
✓¹
No third-party data custody
¹ EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.
Tech Sovereignty
Arch
Company
About Contact