A database system comprising a database having a dynamic schema and comprising a plurality of data storage nodes; and at least one processor configured to, using an encryption process: manage access to plaintext data stored in the plurality of data storage nodes by users employing at least one client-controlled resource in a client access layer; restrict access to the plaintext data by other users, wherein the other users include users with system administration privileges for the database and administrators of processing resources hosting the database; and manage access to encrypted copies of the plaintext data by the users with system administration privileges for the database such that the system administration privileges do not enable access to plaintext versions of the encrypted copies. A method for managing data security for a database. A database system with a dynamic schema architecture, a client access layer, and an operational database layer.