diff --git a/doc/administration/dedicated/create_instance.md b/doc/administration/dedicated/create_instance.md
index ea863ba3234d899caf844dce19a2385e5c2183e8..34d1918431c3013d654d182aa99a1534bc6837d9 100644
--- a/doc/administration/dedicated/create_instance.md
+++ b/doc/administration/dedicated/create_instance.md
@@ -37,10 +37,12 @@ complete your onboarding to create a new instance.
 ### Encrypted Data At Rest (BYOK)
 
 NOTE:
-To enable BYOK, you must do it before onboarding.
+To enable BYOK, you must do it before onboarding. If enabled, it is not possible to later disable BYOK.
 
 You can opt to encrypt your GitLab data at rest with AWS KMS keys, which must be made accessible to GitLab Dedicated infrastructure. Due to key rotation requirements, GitLab Dedicated only supports keys with AWS-managed key material (the [AWS_KMS](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin) origin type).
 
+Encryption for data in motion (moving over a network) is performed with TLS using keys generated and managed by GitLab Dedicated components, and is not covered by BYOK.
+
 In GitLab Dedicated, you can use KMS keys in two ways:
 
 - One KMS key for all services