Yes, despite its name, the CKS does not prevent keys from hitting Virtru’s servers. However, all of the keys that hit Virtru’s servers are encrypted, and the keys used to encrypt are hosted exclusively by the customer.
Specifically, the message key that is generated on the Virtru sender’s client – and typically sent to Virtru’s servers as plaintext – is encrypted on the sender’s client before it reaches Virtru’s servers. This message key then travels to the CKS, where it is decrypted and then re-encrypted with a different key. The newly encrypted message key travels back through Virtru’s servers to the receiving email client, where it is finally decrypted and used to decode the original message.