
          Field-Level Encryption in Marketing Cloud Engagement

          To facilitate compliance with corporate privacy policies, regulatory requirements, and contractual obligations for handling private data, enable encryption at rest for the field-level data in your data extensions. When you enable this feature, you can still use encrypted data in your messages. Marketing Cloud Engagement decrypts encrypted fields at send time.

          Considerations

          Consider these factors when determining if field-level encryption is right for your org.

          • Using field-level encryption requires purchasing Marketing Cloud Engagement Professional Services to configure the necessary changes to your account. For more information about enabling this feature in a new or existing account, contact your account executive or Partner Success Services.
          • If you're enabling this feature in a new account, we recommend that you wait to configure the account or create business units until your Professional Services engagement is complete.
          • To use field-level encryption, you must create and configure data extensions for use with this feature. For new accounts, configure your data extensions before you import customer data or set up data synchronization. If you enable field-level encryption in an account where it wasn’t previously enabled, you must re-create your data extensions. After that, you can delete the data extensions that don’t use field-level encryption.
          • If you plan to synchronize data with Sales Cloud or Service Cloud, first complete your Professional Services engagement and create your data extensions. When the engagement is complete, you can set up the synchronization processes.

          How It Works

          Marketing Cloud Engagement encrypts sensitive data using a cryptographic symmetric key generated by using Encryption Key Management. When you use encryption keys, provide both a key value and an initialization vector (IV). With field-level encryption, you can also import encrypted data into Marketing Cloud Engagement. In this case, use Encryption Key Management to provide a key value and IV.

          After you choose your encryption method, create data extensions in Contact Builder to contain the encrypted data. Data extensions can store encrypted text or email address data. You can’t select specific fields to encrypt when creating data extensions from Email Studio in Marketing Cloud Engagement. You can encrypt data using only data extensions created through Contact Builder.

          You can’t share encrypted data or encryption keys across business units. We recommend that you create separate encryption keys for each business unit.

          To enable support for field-level encryption in Journey Builder, turn on the Use email attribute from Contacts setting in Journey Builder settings. To use an email address from Contact Builder in an encrypted send, create a population to use as the basis for your audience. Journey Builder can’t use an email address from All Subscribers or from the entry event as part of a send using Field-Level Encryption.

          • The Use email attribute from entry source option requires you to provide an unencrypted email field as the entry source.
          • If you enable the Use email attribute from Contacts option, don’t use Email Addresses.Email Address as the value.

          Salesforce events still function even if the contact doesn’t exist in Contact Builder.

          • Importing Data When Field-Level Encryption is Enabled
            Learn about the options for importing data into Marketing Cloud Engagement when Field-Level Encryption is enabled.
          • Exporting Data When Field-Level Encryption is Enabled
            Review the methods for exporting data from a data extension when Field-Level Encryption is turned on in your Marketing Cloud Engagement account.
          • Encryption Configuration Options
            Ensure that the data you bring into Marketing Cloud Engagement is encrypted by using a supported method of data ingestion.
          • Salesforce Shield and Field-Level Encryption Compatibility
            Ensure that your field-level encrypted data in Marketing Cloud Engagement is compatible with Salesforce Shield, Sales Cloud, and Service Cloud.
          • Field-Level Encryption Limits
            Learn about the limits that apply to field-level encryption in the security and encryption components of Marketing Cloud Engagement.
          • Create Encryption Keys for Field-Level Encryption
            Field-level encryption adds an extra layer of protection to the customer data in your data extensions. Using field-level encryption requires purchasing Marketing Cloud Engagement Professional Services to configure the necessary changes to your account. To use field-level encryption in your data extensions, complete these prerequisites.
          • Rotate a Key Encryption Key
            Protect your customers by rotating the key encryption key (KEK) that’s used in the process of encrypting the data in your Marketing Cloud Engagement account. A KEK is an AES 256 cryptographic key that encrypts and decrypts other keys to provide those keys with an additional layer of protection. Work with your security and compliance teams to determine the appropriate rotation interval for your KEK. We recommend that you rotate the KEK at least one time per year. Repeat these steps at each rotation interval.
          • Frequently Asked Questions
            Find answers to common questions about Field-Level Encryption in Marketing Cloud Engagement.
          • Encrypt Triggered Send Data from Sales Cloud and Service Cloud
            Ensure that triggered sends from Sales Cloud or Service Cloud insert encrypted data into the All Subscriber List in Marketing Cloud Engagement.
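
The Rotate a Key Encryption Key entry above describes the KEK as an AES 256 key that encrypts and decrypts other keys. The following added example (not Salesforce code, and not a description of how Marketing Cloud Engagement implements it) shows that pattern in Node.js: a data key encrypts a field, the KEK wraps the data key, and rotation re-wraps only the data key. The use of AES-256-GCM, the blob layout, and all function names are assumptions made for illustration.

```javascript
// Added illustration of KEK wrapping and rotation; constructed, not vendor code.
const crypto = require('node:crypto');

// Assumed blob layout: nonce (12 bytes) || GCM tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Rotation: unwrap the data key with the old KEK, re-wrap it under the new KEK.
// The field ciphertext is never read or rewritten here.
function rotateKek(oldKek, newKek, wrappedDataKey) {
  const dataKey = open(oldKek, wrappedDataKey);
  try { return seal(newKek, dataKey); } finally { dataKey.fill(0); }
}

// Reading a field needs the current KEK to recover the data key first.
function readField(kek, wrappedDataKey, fieldCiphertext) {
  const dataKey = open(kek, wrappedDataKey);
  try { return open(dataKey, fieldCiphertext).toString('utf8'); }
  finally { dataKey.fill(0); }
}

function demo() {
  const kekV1 = crypto.randomBytes(32);   // 256-bit KEK, version 1
  const kekV2 = crypto.randomBytes(32);   // 256-bit KEK after rotation
  const dataKey = crypto.randomBytes(32); // key that encrypts field values
  const field = seal(dataKey, Buffer.from('pat@example.com')); // constructed value
  const wrappedV1 = seal(kekV1, dataKey);
  const before = readField(kekV1, wrappedV1, field);
  const wrappedV2 = rotateKek(kekV1, kekV2, wrappedV1);
  let oldKekStillWorks = true;
  try { readField(kekV1, wrappedV2, field); } catch { oldKekStillWorks = false; }
  const after = readField(kekV2, wrappedV2, field);
  return { before, after, oldKekStillWorks };
}
```

In this sketch the old KEK can still open any retained copy of the old wrapped key, so a rotation is complete only once those copies are destroyed.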
           