Yes, despite its name, the CKS does not prevent keys from hitting Virtru’s servers. However, all of the keys that hit Virtru’s servers are encrypted, and the keys used to encrypt are hosted exclusively by the customer.
Specifically, the access control key that is generated on the Virtru sender’s client and typically sent to Virtru’s servers as plaintext. When a CKS is enabled the access control key is encrypted on the sender’s client before it reaches Virtru’s servers for storage until requested by a recipient. This message key then travels to the CKS, where it is decrypted and then re-encrypted with a different key. The newly encrypted access control key travels back through Virtru’s servers to the receiving email client, where it is finally decrypted and used to decrypt the original message.