ProVault Solutions — Enterprise Encryption Platform

🛡

PROVAULT

Enterprise Encryption Platform

V1.0 ⬡ CONFIDENTIAL

Color Scheme

Title Font

Logo Icon

Side Lines

Flow animation

NCS-Compliant · Zero-Knowledge · Multi-Vault · Patent-Safe

Enterprise File Encryption

Orchestration Platform

A compliance-first cryptographic engine for regulated enterprises — designed for Saudi Arabia's NCA National Cryptographic Standards.

👤 Syedyasiraswath ASKAR BASHA

ProVault Solutions — Technical Brief v1.0 Architecture · Patent Analysis · NCS Compliance · Mentor Questions · MVP Roadmap

Core Concept — What ProVault Solves

Every regulated enterprise today uses a key vault — HashiCorp Vault, AWS KMS, or Azure Key Vault. These systems manage keys well, but they do not enforce how files are encrypted, how metadata is isolated, or how compliance is proven at audit time.

ProVault is a file-level encryption orchestration layer that sits above existing key management infrastructure. It integrates with your existing vault and adds what is missing: structured file chunking, envelope encryption, metadata isolation across separate vaults, zero-downtime key rotation, and native NCS-1:2020 enforcement.

One Core Engine. Four Deployment Surfaces. Zero duplicated cryptographic logic. Identical guarantees whether deployed as JAR, microservice, SDK, or storage plugin.

How It Works — 8 Core Steps

Encryption Path

Step 1 — File Ingestion: Application submits any file type via REST or SDK. A transit proxy optionally intercepts transparently.
Step 2 — Chunking: File split into 4–64 MB fixed-size blocks. Each chunk receives UUID and positional index.
Step 3 — Integrity Hashing: SHA-256 hash computed per chunk before encryption. Stored in Metadata Vault.
Step 4 — Envelope Encryption: Unique DEK generated per file. Each chunk encrypted with AES-256-GCM + unique IV. DEK wrapped by KEK.
Step 5 — Key Wrapping: Wrapped DEK stored in Key Vault. Plaintext DEK destroyed immediately.
Step 6 — Metadata Isolation: Metadata Vault receives chunk map, vault routing, key version, algorithm IDs — all encrypted independently.
Step 7 — Distributed Storage: Encrypted chunks written to S3-compatible, Azure Blob, GCP, relational BLOB, MongoDB, or custom adapter.
Step 8 — Audit Log: Every operation immutably logged with timestamps, identity, and cryptographic proof for NCS compliance reporting.

Patent Analysis & Differentiation

Patent	Core Claim	ProVault Differentiation
US10,146,962 IBM	Re-encrypting ciphertext on key rotation	DEK-wrapper-only rotation — ciphertext never rewritten
US9,537,651 Microsoft	DEK stored co-located with encrypted file	DEK stored exclusively in isolated Key Vault
US10,904,234 Amazon	Key replication across regions	Chunk distribution across vaults, not key replication
EP3,264,713 Thales	HSM integration for financial encryption	Pluggable KeyProvider — HSM-agnostic, NCS-parameterizable
US10,367,637 Google	Shard encryption with independent keys per shard	Single DEK + metadata isolation vault (absent from claims)

ProVault's patentable novelty: DEK-wrapper-only rotation + 3-vault isolation + multi-vault chunk distribution + NCS-parameterizable compliance in a single engine.

Saudi NCA NCS-1:2020 Compliance

AES-256, RSA-4096, ECC BrainpoolP384r1, SHA-256/SHA-3 — hard-enforced; deviations rejected and logged
Automatic enforcement of NCS classification-based key rotation timelines
TLS enforced on every file transfer by Transit Proxy
Immutable logs covering full lifecycle — exportable for NCS inspection
Three-vault architecture architecturally enforces NCS custodian separation

Mentor Discussion Questions

Strategic

Which NCS category do initial targets require — and does MVP cover it fully?

Is differentiation from HashiCorp/AWS clear enough for a Saudi CISO?

Realistic procurement cycle at Saudi Tier-1 bank — direct sales, SI partnerships, or cloud marketplace?

Technical

DEK-wrapper-only rotation — mathematically equivalent to full re-encryption under our threat model?

Minimum vault compromises needed to reconstruct any file in multi-vault distribution?

Latency overhead for 100 MB file vs direct S3 upload?

IP & Legal

Provisional patent (SAIP) before external demos — cost and timeline?

Three-vault isolation documented sufficiently for prior art against competing filings?

MVP Roadmap

Phase 1 — Core Engine (Months 1–4)

Core encryption engine — AES-256-GCM + envelope model
Single vault integration — HashiCorp Vault
Metadata vault isolation, DEK-wrapper-only rotation
Spring Boot JAR starter + NCS-1:2020 Advanced enforcement

Phase 2 — Enterprise Wrapper (Months 5–8)

Standalone microservice (REST + gRPC) + Docker/OCI
NCS compliance dashboard with audit export
Multi-vault chunk distribution · AWS KMS + Azure Key Vault integration

Phase 3 — Ecosystem (Months 9–14)

Plugin ecosystem: S3 interceptor, JDBC BLOB, Kafka interceptor
Advanced policy engine · Multi-language SDK (Python, Node.js)
NCA certification preparation package

Speed1×

Encryption — 8-Step Flow

Live Operation Log

Architecture Layers

L1Client

🖥

Application

REST / SDK

→

📦

JAR / SDK

Spring Boot

↔

⚙

Microservice

REST / gRPC

↓ file intercepted before storage

L2Intercept

🔀

Transit Proxy

TLS enforced

→

✂

Chunk Engine

4–64 MB splits

→

🔍

SHA-256 Hash

Pre-encryption

↓ chunks encrypted; DEK wrapped with KEK

L3Encrypt

🔐

AES-256-GCM

Per-chunk AEAD

→

🗝

DEK / KEK

Envelope model

→

🔑

ECC / RSA

NCS Advanced

↓ dispatched to isolated vaults

L4Vaults

🏛

Data Vault

Encrypted chunks

📋

Metadata Vault

Chunk map · Isolated

🛡

Key Vault

Zero-knowledge · BYOK

↓ vaults connect to pluggable storage

L5Storage

☁

Cloud Object

S3 · Azure · GCS

🗄

Relational DB

PostgreSQL · Oracle

🍃

NoSQL

MongoDB · Cassandra

🔌

Custom

Pluggable

Decryption — 8-Step Reverse

Live Operation Log

Decryption Layers

D1Auth

🖥

Auth Request

Identity verified

→

🪪

Auth Gateway

JWT / mTLS · RBAC

→

⚙

Decrypt Svc

JAR / Microservice

↓ metadata retrieved

D2Metadata

📋

Metadata Query

Chunk map

→

🗺

Vault Router

Parallel fetch plan

↓ DEK unwrapped

D3Key

🛡

Key Vault

DEK unwrap

→

🗝

DEK In-Memory

Never persisted

↓ decrypt + verify

D4Decrypt

⬇

Parallel Fetch

Multi-vault

→

🔓

AES Decrypt

AEAD per chunk

→

✅

Hash Verify

Tamper detection

→

🔧

Reassemble

Restored

↓ audit + deliver

D5Audit

📝

Audit Log

Immutable · NCS

→

📄

Plaintext Out

Authorized caller

NCS Enforced

AES-256-GCMRSA-4096ECC Brainpool P384SHA-256 / SHA-3TLS TransitZero-Knowledge VaultBYOKNCS-1:2020 AdvancedImmutable Audit

⬡ Key Management

HashiCorp Vault — primary

AWS KMS — cloud-native

Azure Key Vault — hybrid

On-prem HSM — future

▸ Deployment Modes

Spring Boot JAR starter

Standalone microservice

Java SDK

Plugin layer (S3/JDBC/Kafka)

◆ Differentiators

Zero-downtime key rotation

3-vault isolation (patent novel)

Multi-vault chunk distribution

NCS-1:2020 native enforcement

Speed 1.0×

Click Start to walk through the full encryption data flow

L1 · CLIENT & DEPLOYMENT SURFACES

🖥

Application

REST / SDK — any language

📤 Submitting file via REST…

📦

JAR / SDK

Spring Boot — zero network hop

🔗 JAR intercepting request…

⚙

Microservice

REST / gRPC — Dockerized

🐳 gRPC routing…

🔌

Plugin Layer

S3 / JDBC / Kafka

⚡ Intercepting stream…

↓ File intercepted before reaching storage

L2 · FILE INTERCEPTION & PREPARATION

🔀

Transit Proxy

TLS enforced — transparent

🛡 TLS handshake active…

✂

Chunk Engine

4–64 MB fixed-size blocks

✂ Splitting 4MB blocks…

🔍

SHA-256 Hasher

Pre-encryption integrity

🔢 Hashing chunk data…

↓ Chunks encrypted; DEK wrapped with KEK

L3 · CORE ENCRYPTION ENGINE

🔐

AES-256-GCM

AEAD · Unique IV per chunk

🔐 Encrypting chunk…

🗝

DEK / KEK

Envelope encryption model

🔑 Wrapping DEK with KEK…

📊

NCS Enforcer

Policy · Compliance · Audit

⚖ Validating NCS policy…

↓ Encrypted data dispatched to three isolated vaults

L4 · THREE-VAULT ISOLATION ARCHITECTURE ★ PATENT-NOVEL

🏛

Data Vault

Encrypted chunks only. Multi-vault distribution optional.

📦 Writing encrypted chunks…

📋

Metadata Vault

Chunk map · Key version · Encrypted independently.

🗺 Writing isolated map…

🛡

Key Vault

Encrypted DEKs only. Zero-knowledge. BYOK.

🔒 Sealing encrypted DEK…

⬡ No single vault can reconstruct the file — all three must be compromised simultaneously

↓ Vaults connect to pluggable storage backends

L5 · PLUGGABLE STORAGE BACKENDS

☁

Cloud Object

AWS S3 · Azure Blob · GCS

☁ Uploading to S3…

🗄

Relational DB

PostgreSQL · Oracle · MySQL

🗄 Writing BLOB column…

🍃

MongoDB / NoSQL

GridFS · Cassandra

🍃 GridFS chunk write…

🔌

Custom Adapter

Pluggable interface

🔌 Routing to adapter…

🇸🇦

NCA NCS-1:2020 Compliance

AES-256 · RSA-4096 · ECC P384

Algorithm enforcement — hard-reject

Key rotation timelines enforced

SHA-256/3 · TLS on all transit

Separation of duties architecturally

⚖ Validating algorithm compliance…

🔑

Key Management Providers

HashiCorp Vault — primary

AWS KMS — cloud-native

Azure Key Vault — hybrid

On-prem HSM — air-gapped option

Pluggable KeyProvider interface

🔑 Fetching KEK from provider…

📝

Immutable Audit Log

Identity · Timestamp · File ID

NCS export-ready format

Cryptographic tamper-proof chain

📝 Writing audit record…

⬡

Separation of Duties

Data Custodian ≠ Key Custodian

Metadata Admin ≠ Either role

Architecturally enforced via 3-vault

💰 Investment Required

🛠

Phase 1 — Core Build

Lead Engineer (6 months)SAR 90,000

Junior Engineer (6 months)SAR 42,000

Cloud infra / CI-CD setupSAR 8,000

Tooling & licensesSAR 5,000

Phase 1 TotalSAR 145,000

🏗

Phase 2 — Enterprise

2 Engineers (8 months)SAR 144,000

Security architect (consulting)SAR 30,000

NCS pre-audit assessmentSAR 25,000

Sales & legal setupSAR 20,000

Phase 2 TotalSAR 219,000

🌐

Phase 3 — Ecosystem

3 Engineers (6 months)SAR 162,000

NCA certification filing (SAIP)SAR 15,000

Marketing & brandSAR 30,000

Partner channel setupSAR 18,000

Phase 3 TotalSAR 225,000

📜 Saudi Patent Filing Budget

📋

SAIP Patent Application

SAIP filing fee (invention)SAR 2,500–4,000

Patent agent / attorneySAR 15,000–25,000

Translation (Arabic+English)SAR 3,000–5,000

Prior art search & draftingSAR 8,000–12,000

SAIP Total (per patent)SAR 28K–46K

🌍

PCT International Filing

PCT application fee (WIPO)~SAR 8,000

National phase (5 regions)SAR 30,000–60,000

International attorney feesSAR 20,000–40,000

Annual maintenance (5yr)SAR 5,000–8,000

PCT TotalSAR 63K–116K

🔑

ProVault Patent Strategy

3-Vault Isolation ArchitectureNOVEL

Zero-Knowledge DEK ModelFILE SA+PCT

Multi-Vault Chunk DistributionNOVEL

Total Patent BudgetSAR 91K–162K

Total Investment Summary

SAR 589K

Total 14-month investment

SAR 60K+

Annual per enterprise license

10 clients

Break-even in Year 2

3–5×

ROI by Year 3

💵 Pricing Model

🏦

Enterprise License

Annual SaaS licenseSAR 60–120K / yr

On-prem perpetualSAR 200–350K

NCS compliance add-onSAR 15K / yr

Audit export moduleSAR 10K / yr

HIGH MARGIN

🤝

SI / Partner Channel

Systems integrator margin20–30%

OEM white-label to telcosSAR 500K+ deal

Gov framework contractSAR 1M+ / contract

SCALABLE

☁

Usage-Based SaaS

Per GB encryptedSAR 0.12 / GB

API callsSAR 0.002 / call

Key rotation eventsSAR 2 / event

VOLUME UPSIDE

⚠

Budget & Pricing Disclaimer — Approximate Estimates All figures are indicative estimates based on Saudi Arabia market rates (Q1 2025). Actual costs may vary by ±25–40%. For planning and fundraising discussion only.

🎯 Target Markets & Users

🏦

Saudi Banks & Financial Institutions

SAMA-regulated entities mandated for NCS compliance. SAIB, Al Rajhi, Riyad Bank, NCB. High value, long procurement cycle.

🏥

Healthcare & Health IT

Seha, Ministry of Health. Patient records, imaging, lab data. NHIC compliance alignment.

🛢

Energy & Utilities

Saudi Aramco, NEOM, ACWA Power. Industrial OT data + enterprise documents. Critical infrastructure.

🏛

Government & Defense

NCA directly mandates NCS compliance. Multi-year contracts via Etimad portal.

📡

Telecom & ISPs

STC, Mobily, Zain. Customer data, call records, billing. CITC-regulated. High SaaS volume.

🧬

RegTech & Fintech

Lean, Hala, Tamara, Stcpay. NCS-compliant encryption without building in-house. Ideal SDK/API customers.

⚖

Legal & Professional Services

Law firms, audit firms, consulting. Confidential client documents. NCA guidelines expanding.

🎓

Universities & Research

KAUST, KFUPM, KACST. Research data, IP protection, grant-funded compliance requirements.

📈

Expected Returns — 5 Year Projection

Based on SAR 589K seed investment · Conservative estimates · Vision 2030 tailwind

SAR 0–300K

Pilots & POCs

SAR 600K–1.2M

Break-even

SAR 2M–4M

3–5× ROI

SAR 6M–10M

GCC Expansion

SAR 15M–25M

IPO-Ready

🏆 Overall Returns Summary

💼

SAR 589K

Total Seed Investment

14-month runway

⚖

Year 2

Break-Even Point

~10 enterprise clients

📈

3–5×

ROI by Year 3

SAR 1.8M–2.9M return

🚀

SAR 25M+

Year 5 Revenue Target

3.1% TAM capture

🏛

SAR 800M

Total Addressable Market

5-year NCS mandate horizon