We use the Windows Data Protection APIs to encrypt data. The data is encrypted against the service account user of the Certify service, which by default is Local System.
Running the service as a different user is not officially supported (currently). If you change the Certify service to run as a different user, you must also set it back to that user after every update (as the installer will reset the service user to Local System). One Windows user cannot decrypt the data for another Windows user.
In addition, certain changes to Windows (resetting data protection keys or forcefully resetting the service user's password) will prevent information from being decrypted. This will affect stored credentials and the ACME account details (Let’s Encrypt etc).
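The user binding described above can be reproduced with the .NET `ProtectedData` wrapper around the Data Protection API. This is an added example, not Certify's own code. It assumes Windows PowerShell 5.1 and the per-user (`CurrentUser`) scope; the service name is a placeholder, and the function names and the sample secret are made up for illustration.

```powershell
Add-Type -AssemblyName System.Security

$ServiceName = '<certify-service-name>'  # placeholder: use the name shown by Get-Service
$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser  # assumed scope

function Get-ServiceLogonAccount {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found." }
    $svc.StartName   # 'LocalSystem' when the service runs as Local System
}

function Protect-Secret {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # The blob is bound to the keys of whichever account runs this call.
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][byte[]]$Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, $Scope)
        [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch {
        # Fails when the blob belongs to another account, or when that account's
        # data protection keys or password were forcibly reset.
        $reason = $_.Exception.GetBaseException().Message
        Write-Warning "Cannot decrypt as $([Environment]::UserName): $reason"
        $null
    }
}

# Round trip as the current account (constructed sample value).
$blobPath = Join-Path $env:TEMP 'dpapi-demo.bin'
[byte[]]$blob = Protect-Secret -PlainText 'constructed-sample-credential'
[System.IO.File]::WriteAllBytes($blobPath, $blob)
Unprotect-Secret -Blob ([System.IO.File]::ReadAllBytes($blobPath))

# After an update, confirm which account the service runs as.
$account = Get-ServiceLogonAccount -Name $ServiceName
if ($account -ne 'LocalSystem') {
    Write-Warning "Service runs as '$account', not LocalSystem."
}
```

Calling `Unprotect-Secret` on `dpapi-demo.bin` from a session running under a different Windows account produces the warning instead of the plaintext.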