Our database is encrypted at rest by default, but that does not make it safe against SQL injection (SQLi): an injected query runs through the application's own database connection and gets plaintext back. This is where our service, Boxer, comes in. It replaces the plaintext values of sensitive information with encrypted versions before they are stored in the database, and it decrypts them when they are fetched from the database.
Boxer is implemented so that only the owner of an object can decrypt information from the objects it owns. This is accomplished by storing, on each database object, a secret that is encrypted with KMS. When we query our database, the secret is decrypted with our master key, and we use the decrypted secret to encrypt and decrypt the sensitive information.
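The per-object secret scheme described above, sketched in Node.js as an added example (this is not Boxer's code). It assumes AES-256-GCM, a local 32-byte key standing in for the KMS master key, and hypothetical function and column names. Binding each ciphertext to the owner ID as additional authenticated data is also an assumption of the sketch.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM; output is nonce(12) || tag(16) || ciphertext. aad is authenticated, not stored.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Reverses seal; throws on a wrong key, a different aad or modified bytes.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('ciphertext too short');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Write path: fresh per-object secret, wrapped under the master key (local stand-in for KMS).
// Binding both ciphertexts to the owner ID through aad is an assumption of this sketch.
function storeObject(masterKey, ownerId, value) {
  const secret = randomBytes(32);
  const aad = Buffer.from(ownerId, 'utf8');
  return {
    owner_id: ownerId,
    wrapped_secret: seal(masterKey, secret, aad).toString('base64'),
    value: seal(secret, Buffer.from(value, 'utf8'), aad).toString('base64'),
  };
}

// Read path: unwrap the object's secret with the master key, then decrypt the field.
function loadObject(masterKey, row) {
  const aad = Buffer.from(row.owner_id, 'utf8');
  const secret = open(masterKey, Buffer.from(row.wrapped_secret, 'base64'), aad);
  return open(secret, Buffer.from(row.value, 'base64'), aad).toString('utf8');
}

// Constructed sample data: what a dumped row looks like, and what it takes to read it.
const masterKey = randomBytes(32);
const row = storeObject(masterKey, 'owner-a', 'constructed-api-token');
console.log(row);
console.log(loadObject(masterKey, row));
```

A row read out of the database contains only the two ciphertexts. Without the master key the wrapped secret cannot be opened, and a row relabelled with another owner ID fails authentication instead of decrypting.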
Manifold is dedicated to keeping the secrets we handle as secure as possible. If you have any questions or concerns, please feel free to reach out to firstname.lastname@example.org.