Great question! We tokenize all secrets and then store the tokens in our database. The raw secrets are stored with our tokenization provider, VGS. When you fetch your secrets, either via our dashboard or CLI, we exchange the token for the raw secret value and then relay that value in our response. This ensures that our infrastructure never persists raw secret values. You can find more information about this process in our Security docs [0].
Thanks for the quick response. I think this should really be explicitly stated in the docs, along with a link to VGS. The diagram didn't make it obvious to me that the "security provider" block is actually storing the secrets, rather than just converting them into tokens.
[0] https://docs.doppler.com/docs/security-fact-sheet#data-flow-...
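
A minimal in-memory model of the flow discussed in this thread, added here as an illustration; it is not Doppler's or VGS's code, and the names `TokenVault`, `SecretsService`, `tokenize` and `reveal` are hypothetical. It shows the application database holding only random tokens while the vault holds the raw values, which is the distinction raised in the reply.

```python
import secrets


class TokenVault:
    """Stand-in for the external tokenization provider (hypothetical, in-memory)."""

    def __init__(self):
        self._store = {}  # token -> raw secret; the only place raw values live

    def tokenize(self, raw: str) -> str:
        # The token is random, so it cannot be reversed without the vault's mapping.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = raw
        return token

    def reveal(self, token: str) -> str:
        if token not in self._store:
            raise KeyError("unknown token")
        return self._store[token]


class SecretsService:
    """Stand-in for the application side: its database persists tokens only."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.db = {}  # secret name -> token

    def set_secret(self, name: str, raw: str) -> None:
        self.db[name] = self._vault.tokenize(raw)

    def get_secret(self, name: str) -> str:
        # Exchange the token for the raw value and relay it; nothing is written back.
        return self._vault.reveal(self.db[name])


def demo():
    vault = TokenVault()
    svc = SecretsService(vault)
    raw = "constructed-sample-value"  # constructed sample, not a real secret
    svc.set_secret("API_KEY", raw)
    db_dump = repr(svc.db)            # what a copy of the app database exposes
    return raw, db_dump, svc.get_secret("API_KEY")
```

In this model a copy of `svc.db` alone reveals nothing, while access to the vault's mapping reveals everything, so the vault is the component whose storage and access controls matter.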