Data Encryption
How we protect your data with industry-leading encryption
Encryption is the cornerstone of our security architecture. We employ multiple layers of encryption to ensure that your data remains protected whether it is being transmitted across the internet, stored in our databases, or backed up for disaster recovery. Our encryption standards meet or exceed the requirements of major compliance frameworks including GDPR, SOC 2, and HIPAA.
Encryption Methods
Data in Transit
All data transmitted between clients and servers is encrypted using TLS 1.3, the latest and most secure transport layer protocol.
- TLS 1.3 for all API communications
- Perfect Forward Secrecy (PFS) enabled
- Strong cipher suites only (AES-256-GCM)
- HSTS headers with preloading
- Certificate pinning for mobile apps
Data at Rest
All stored data is encrypted using AES-256 encryption, the industry standard for sensitive data protection.
- AES-256 encryption for all databases
- Encrypted file storage (S3/GCS)
- Encrypted backups with separate keys
- Hardware Security Modules (HSM) for key storage
- Regular key rotation schedules
Application-Level Encryption
Sensitive fields are additionally encrypted at the application level before being stored in the database.
- Field-level encryption for PII
- Encrypted API tokens and secrets
- Hashed passwords with bcrypt (cost factor 12)
- Encrypted session tokens
- Secure random number generation
Cryptographic Protocols
Industry-standard algorithms and protocols we use
| Protocol | Purpose | Status |
|---|---|---|
| TLS 1.3 | Transport encryption | Active |
| AES-256-GCM | Data encryption | Active |
| RSA-4096 | Key exchange | Active |
| SHA-256 | Hashing | Active |
| bcrypt | Password hashing | Active |
| Ed25519 | Digital signatures | Active |
Key Management
Key Generation
Cryptographic keys are generated using cryptographically secure random number generators (CSPRNG).
Key Storage
Master keys are stored in Hardware Security Modules (HSM). Application keys are stored encrypted and access-controlled.
Key Rotation
Encryption keys are rotated regularly. Data encryption keys are rotated every 90 days; master keys annually.
Key Access
Access to encryption keys is strictly limited and monitored. All key access is logged and auditable.
Technical Implementation Details
Database Encryption: We use PostgreSQL with Transparent Data Encryption (TDE). Each database instance has a unique data encryption key (DEK) that is encrypted with a key encryption key (KEK) stored in our HSM.
API Communication: All API endpoints require HTTPS. We use TLS 1.3 exclusively with modern cipher suites. Certificate transparency is enabled for all our certificates.
Token Security: JWT tokens are signed using RS256 (RSA with SHA-256). Refresh tokens are additionally encrypted and stored hashed in the database. Token rotation happens automatically on security-sensitive operations.
Webhook Security: All outgoing webhooks are signed using HMAC-SHA256. Incoming webhook endpoints validate signatures before processing any data.
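A receiver-side check for the HMAC-SHA256 webhook signing described above, added here as an example and not this service's own code. The header layout (`t=<unix time>,v1=<hex MAC>`), the timestamp binding and the 300-second window are assumptions; the page states only that HMAC-SHA256 is used and that signatures are validated before any data is processed.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not state one


class WebhookRejected(ValueError):
    """Raised when a delivery fails authentication or freshness checks."""


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: HMAC-SHA256 over b"<timestamp>." + raw body (assumed format)."""
    mac = hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify_webhook(secret: bytes, body: bytes, header: str,
                   now: Optional[float] = None) -> dict:
    """Receiver side: authenticate the raw bytes first, parse JSON only afterwards."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        timestamp, received = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        raise WebhookRejected("malformed signature header") from None
    expected = sign_webhook(secret, body, timestamp).split("v1=", 1)[1]
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise WebhookRejected("signature mismatch")
    current = time.time() if now is None else now
    if abs(current - timestamp) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance")
    return json.loads(body)  # reached only for authenticated, fresh payloads


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample values
    body = b'{"event":"invoice.paid","id":"evt_demo_1"}'
    header = sign_webhook(secret, body, 1700000000)
    print(verify_webhook(secret, body, header, now=1700000030))
    try:
        verify_webhook(secret, body.replace(b"paid", b"void"), header, now=1700000030)
    except WebhookRejected as exc:
        print("rejected:", exc)
```

The MAC is computed over the raw request bytes, so the receiver must verify before any JSON parsing or re-serialization changes them.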