# Enterprise Controlled Encryption

Enterprise Controlled Encryption (ECE) provides the highest level of data security by allowing your organization to manage its own encryption keys. With ECE enabled, only your organization can decrypt your data—Verkada cannot access it.

{% hint style="warning" %}
ECE requires OIDC-based SSO with Google Workspace, Microsoft Entra ID, or Okta. SAML-only providers are not supported.
{% endhint %}

***

## How ECE works

ECE uses your identity provider to generate and manage encryption keys. When enabled:

* All data at rest is encrypted with keys derived from your IdP
* Verkada cannot decrypt your data without your IdP's authorization
* Losing access to your IdP means losing access to your encrypted data

***

## Setup and recovery

{% content-ref url="/pages/sqdqy4fJFDe0NUIV1iiG" %}
[Enable Enterprise Controlled Encryption](/command/security/enterprise-controlled-encryption/enable-enterprise-controlled-encryption.md)
{% endcontent-ref %}

{% content-ref url="/pages/umUW5ykuZAchQIipp6m7" %}
[Enterprise Controlled Encryption Account Recovery](/command/security/enterprise-controlled-encryption/ece-account-recovery.md)
{% endcontent-ref %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.verkada.com/command/security/enterprise-controlled-encryption.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.