CRM Data Encryption: AES-256 and TLS Explained for Business Owners

Every CRM vendor claims their platform is "encrypted." It appears on security pages, in compliance documents, and in sales conversations as reassuring shorthand. But encryption is not a single thing — it is a family of techniques, and the difference between strong encryption and weak or partial encryption is the difference between customer data that is genuinely protected and data that merely appears to be. For an Australian business storing personal information under the Privacy Act, understanding CRM data encryption at a practical level is not optional — APP 11 requires "reasonable steps" to protect data, and the OAIC increasingly expects encryption to be part of those steps.
This guide explains the two encryption layers that matter for CRM data — encryption at rest and encryption in transit — in terms a business owner can act on. No mathematics, no cipher theory. Just what you need to know to verify that your CRM vendor's "encrypted" claim means something real.
Encryption at rest: protecting stored data
Encryption at rest protects data while it is stored — in databases, on disk, in backups. If someone gains physical access to the server hardware, or if a backup tape or disk image is stolen or improperly disposed of, encryption at rest means the data is unintelligible without the decryption key. Without it, a stolen hard drive contains your entire customer database in readable form.
AES-256: the standard you should expect
AES-256 (Advanced Encryption Standard with a 256-bit key) is the gold standard for symmetric encryption. It is used by governments, financial institutions and defence agencies worldwide. The "256" refers to the key length — the number of possible keys is 2^256, a number so large that brute-force attack is computationally infeasible with any foreseeable technology. When your CRM vendor says they use AES-256 encryption at rest, they are saying that your customer data is stored in a form that cannot be read without the specific encryption key.
However, "AES-256 encrypted" alone is not enough information. The critical follow-up questions are:
- What exactly is encrypted? Some platforms encrypt only the database but leave backups, logs, file attachments or cached data unencrypted. Full encryption at rest means every copy of your data — primary database, backups, logs, attachments — is encrypted.
- Who holds the encryption keys? If the vendor manages the keys, they have the technical ability to decrypt your data. If you manage the keys (customer-managed encryption keys, or CMEK), you control access at the cryptographic level. For maximum control, look for platforms that support CMEK or self-hosting where you own the entire key management chain.
- Are keys rotated? Key rotation — periodically generating new encryption keys and re-encrypting data — limits the window of exposure if a key is compromised. Good practice is automatic rotation on a defined schedule.
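To make the at-rest layer concrete, here is an added example in Go (not Fulcrum's or any vendor's code) of what AES-256 storage and a key rotation look like in practice: a 32-byte key is what selects AES-256, the GCM mode authenticates the ciphertext so a wrong key (or a retired old key) fails outright instead of yielding garbage, and Rotate is the re-encryption step a rotation schedule runs over every stored record. The function names and record layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aeadFor builds AES-GCM for key; a 32-byte key is what selects AES-256.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// Encrypt returns nonce || ciphertext || tag, with a fresh random nonce per call.
func Encrypt(key, plaintext []byte) []byte {
	g := aeadFor(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Decrypt fails with an authentication error under any key but the one that sealed it.
func Decrypt(key, sealed []byte) ([]byte, error) {
	g := aeadFor(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// Rotate re-encrypts one stored record under newKey so the old key can be retired;
// a rotation job runs it over every record (primary rows, backups, attachments).
func Rotate(oldKey, newKey, sealed []byte) ([]byte, error) {
	pt, err := Decrypt(oldKey, sealed)
	if err != nil {
		return nil, err
	}
	return Encrypt(newKey, pt), nil
}
```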
Encryption in transit: protecting data in motion
Encryption in transit protects data as it travels between your browser and the CRM server, between the CRM and integrated services, and between data centres. Without it, anyone with access to the network path — a compromised Wi-Fi network, an intercepted API call, a man-in-the-middle attack — can read the data as it passes.
TLS 1.2 and TLS 1.3: what to expect
TLS (Transport Layer Security) is the protocol that encrypts data in transit. The version matters:
- TLS 1.2 is the current minimum acceptable standard. It supports strong cipher suites and is widely deployed.
- TLS 1.3 is the latest version, with improved security (fewer legacy cipher suites, faster handshakes) and is increasingly becoming the expected standard.
- TLS 1.0 and 1.1 are deprecated and known to have vulnerabilities. If your CRM vendor still supports these versions, that is a red flag.
When your CRM uses TLS 1.2 or 1.3, the data travelling between your browser and the server is encrypted in a way that prevents eavesdropping. The padlock icon in your browser address bar indicates a TLS connection, but the version and cipher suite matter more than the icon alone.
What to check beyond the padlock
- Is TLS enforced, or optional? The CRM should enforce HTTPS for all connections. If HTTP (unencrypted) access is available at all, data can be intercepted when someone connects over an insecure link.
- Are API connections encrypted? If your CRM connects to integrations — email providers, accounting software, marketing tools — those API connections should also use TLS. An encrypted front door with unencrypted back-channel integrations is a false sense of security.
- Is internal traffic encrypted? Data moving between the CRM's own services — application servers, database servers, caching layers — should also be encrypted in transit. Some platforms encrypt the external connection but leave internal traffic unencrypted, which is vulnerable if the internal network is compromised.
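As an added example (not the page's or any vendor's code), the following Go program shows what a TLS 1.2 floor looks like from both sides and how to probe it: a loopback server refuses anything below 1.2, a client restricted to the deprecated 1.0/1.1 versions is turned away, and 1.2 and 1.3 clients succeed. The server, handler and probe function are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewEnforcingServer starts a loopback HTTPS server with the TLS floor this guide
// says to expect: nothing below 1.2 is negotiated. Constructed for the example.
func NewEnforcingServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// NegotiatedVersion connects with a client that will only speak versions in
// [lo, hi] and reports which version the server actually agreed to, or the
// handshake error if it refused. A fresh transport is used per probe so a pooled
// connection from an earlier probe cannot mask the result.
func NegotiatedVersion(srv *httptest.Server, lo, hi uint16) (uint16, error) {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	cfg.MinVersion, cfg.MaxVersion = lo, hi
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

func main() {
	srv := NewEnforcingServer()
	defer srv.Close()
	for _, probe := range []struct{ lo, hi uint16 }{
		{tls.VersionTLS10, tls.VersionTLS11}, // deprecated versions: should be refused
		{tls.VersionTLS12, tls.VersionTLS12},
		{tls.VersionTLS12, tls.VersionTLS13},
	} {
		v, err := NegotiatedVersion(srv, probe.lo, probe.hi)
		fmt.Printf("offered up to %#x: negotiated %#x, err=%v\n", probe.hi, v, err)
	}
}
```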
The two layers together: defence in depth
Encryption at rest and encryption in transit address different threats, and you need both:
- At rest protects against: physical theft of hardware, improper disposal of storage media, unauthorised access to backups, insider threats with server access.
- In transit protects against: network eavesdropping, man-in-the-middle attacks, compromised Wi-Fi networks, intercepted API traffic.
A CRM with AES-256 at rest and TLS 1.2+ in transit covers both threat surfaces. Neither alone is sufficient. A platform that encrypts data at rest but transmits it unencrypted leaves it vulnerable in motion. A platform that encrypts transmission but stores data in plaintext leaves it vulnerable at rest. This "defence in depth" approach is precisely what the OAIC considers when assessing whether an organisation has taken "reasonable steps" under APP 11.
What encryption does not protect against
Encryption is essential but not a complete security solution. It does not protect against:
- Compromised credentials. If someone obtains a valid login, they access the data through the normal decryption path. Encryption does not help if the front door is open. This is why MFA and role-based access controls are equally important.
- Authorised but inappropriate access. A user with legitimate CRM access who exports data they should not have accessed has bypassed encryption entirely. Granular permissions and audit logging are the controls here.
- Vendor access. Unless you manage the encryption keys yourself, the vendor can technically decrypt your data. For maximum assurance, self-hosting with your own key management eliminates this dependency.
Fulcrum CRM implements AES-256 encryption at rest and TLS 1.2+ encryption in transit as standard. Combined with role-based access controls, comprehensive audit logging, and Australian data hosting, the encryption layer is part of a defence-in-depth approach rather than a standalone feature. For the broader security picture — access controls, audit logging, breach readiness — see our CRM security and data protection guide.
The encryption checklist for CRM evaluation
When evaluating any CRM platform, ask these specific questions:
- What encryption standard is used at rest? (Expect AES-256 minimum.)
- What is encrypted at rest — database only, or backups, logs and attachments too?
- Who manages the encryption keys — the vendor, or the customer?
- Are keys rotated automatically, and on what schedule?
- What TLS version is supported? (Expect TLS 1.2 minimum, TLS 1.3 preferred.)
- Is HTTPS enforced for all connections, with no HTTP fallback?
- Are API integrations and internal service-to-service traffic also encrypted in transit?
If your vendor cannot answer these questions specifically, their "encrypted" claim is marketing rather than a verifiable security control. For Australian businesses, encryption is not optional — it is part of the "reasonable steps" the Privacy Act demands. Understanding what your CRM actually implements is the first step toward a defensible security posture. For more on how these requirements fit into the broader CRM selection decision, see our guide on what a CRM is and why your business needs one in 2026, and compare platforms on our comparison page.


