Nearly every cloud and on-premise enterprise information system encrypts data, and that's great, and some of these systems go as far as using separate keys for each document in their systems. But if the keys are shared between clients, or worse, across the whole platform, or if the per-document keys are decryptable by the provider at will, then the provider ultimately has access to that information, as might inquisitive employees, or any outsider who compromises their access controls.
Even the use of client-provided keys, hardware security modules (HSMs), or client-provided HSMs doesn't help if the provider's system can programmatically retrieve those keys at any time.
Oddly, that's not even the hard part. The encryption and key management itself is relatively straightforward, to the point of being quite elegant, as it's been encapsulated in a layer that other features build upon. We've built simple things like shared calendars, and bigger things like document review and a full workflow engine and it all benefits from the foundation of isolated encryption.
Consequences of encrypting data while not having custodianship of the keys
The hard part is that, with our approach, any processing that we need to apply to documents needs to happen in tightly locked-down execution contexts, using small and heavily audited fragments of code, in short and finite time windows before the relevant keys are thrown away.
That affects the way we write, review, test, and run our code - though only in a good way.
However, features that would normally be easy to build, like full-text indexing of document names and content, and even just sorting documents by name, are an order of magnitude harder to achieve.
Instead of being able to throw words into a standard search engine, which would ultimately store document contents on disk in a retrievable form, we index cryptographic hashes of words and phrases, and have built a complete proprietary search engine around it. Using full-disk or partition encryption is not enough, as that counts as a shared key that would violate the segmentation of data that we maintain.