# Enterprise Controlled Encryption

Enterprise Controlled Encryption (ECE) provides the highest level of data security by allowing your organization to manage its own encryption keys. With ECE enabled, only your organization can decrypt your data—Verkada cannot access it.

{% hint style="warning" %}
ECE requires OIDC-based SSO with Google Workspace, Microsoft Entra ID, or Okta. SAML-only providers are not supported.
{% endhint %}

***

## How ECE works

ECE uses your identity provider to generate and manage encryption keys. When enabled:

* All data at rest is encrypted with keys derived from your IdP
* Verkada cannot decrypt your data without your IdP's authorization
* Losing access to your IdP means losing access to your encrypted data

***

## Setup and recovery

{% content-ref url="enterprise-controlled-encryption/enable-enterprise-controlled-encryption" %}
[enable-enterprise-controlled-encryption](https://help.verkada.com/command/security/enterprise-controlled-encryption/enable-enterprise-controlled-encryption)
{% endcontent-ref %}

{% content-ref url="enterprise-controlled-encryption/ece-account-recovery" %}
[ece-account-recovery](https://help.verkada.com/command/security/enterprise-controlled-encryption/ece-account-recovery)
{% endcontent-ref %}