Security Model

Pelago's comprehensive security architecture protecting payments, identities, and data.

Security Overview

API Security

Authentication

All API requests require authentication via API keys:

# API Key in header
curl -X POST https://api.pelago.tech/v1/payments \
  -H "Authorization: Bearer pk_live_xxxxx" \
  -H "X-Api-Secret: sk_live_xxxxx"

Request Signing

For sensitive operations, requests are signed:

import crypto from 'crypto';

function signRequest(
  method: string,
  path: string,
  body: object,
  secret: string
): string {
  const timestamp = Date.now().toString();
  const payload = `${timestamp}.${method}.${path}.${JSON.stringify(body)}`;
  
  return crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
}

// Include signature in headers
const signature = signRequest('POST', '/v1/payments', body, apiSecret);
headers['X-Pelago-Signature'] = signature;
headers['X-Pelago-Timestamp'] = timestamp;

Rate Limiting

Plan	Requests/min	Burst
Sandbox	100	20
Starter	500	100
Business	2000	500
Enterprise	Custom	Custom

Zero-Knowledge Proofs

Privacy-Preserving Verification

ZKP allows proving facts without revealing underlying data:

Supported Proof Types

Proof	Proves	Hides
Balance Range	Has sufficient funds	Exact balance
Age Threshold	Over 18/21	Birthdate
KYC Status	Is verified	Personal details
Credit Score	Score > X	Exact score

Implementation Example

// Create a ZKP for balance verification
const proof = await pelago.zkp.createProof({
  type: 'balance-threshold',
  threshold: 100.00,
  currency: 'USDC',
  walletAddress: 'GXXXXX...'
});

// Verify the proof
const isValid = await pelago.zkp.verifyProof(proof);
console.log('Proof valid:', isValid); // true

Data Encryption

At Rest

AES-256-GCM encryption for stored data
Key management via HSM
Regular key rotation (90 days)

In Transit

TLS 1.3 for all connections
Certificate pinning for mobile SDKs
HSTS with long max-age

Sensitive Data Handling

Smart Contract Security

Audit Reports

Auditor	Date	Scope	Status
Trail of Bits	2024-Q4	Core contracts	✓ Passed
Certik	2024-Q3	PLP contracts	✓ Passed
OpenZeppelin	2024-Q2	Full audit	✓ Passed

Multi-Signature Controls

Critical operations require multiple signatures:

Operation	Required Sigs	Timelock
Contract upgrade	4/7	48 hours
Emergency pause	2/7	Immediate
Fee changes	3/7	24 hours
Wallet changes	5/7	72 hours

Circuit Breakers

Automatic protection mechanisms:

// Simplified circuit breaker
contract PaymentContract {
    uint256 public dailyLimit = 1_000_000e6; // $1M USDC
    uint256 public dailyVolume;
    uint256 public lastResetDay;
    
    modifier withinLimits(uint256 amount) {
        if (block.timestamp / 1 days > lastResetDay) {
            dailyVolume = 0;
            lastResetDay = block.timestamp / 1 days;
        }
        require(dailyVolume + amount <= dailyLimit, "Daily limit exceeded");
        dailyVolume += amount;
        _;
    }
}

Webhook Security

Signature Verification

Always verify webhook signatures:

import crypto from 'crypto';

function verifyWebhook(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
    
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// In your webhook handler
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-pelago-signature'];
  const isValid = verifyWebhook(
    JSON.stringify(req.body),
    signature,
    process.env.WEBHOOK_SECRET
  );
  
  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }
  
  // Process webhook...
});

Webhook IP Allowlist

Pelago webhooks originate from:

34.102.xxx.xxx/24
35.190.xxx.xxx/24

Compliance

Standards

Standard	Status
SOC 2 Type II	Certified
GDPR	Compliant
PCI DSS	Level 1
CCPA	Compliant

Data Residency

EU data stored in EU regions
US data stored in US regions
Custom configurations for enterprise

Incident Response

Response Timeline

Severity	Response Time	Resolution Target
Critical	15 minutes	4 hours
High	1 hour	24 hours
Medium	4 hours	72 hours
Low	24 hours	1 week

Bug Bounty Program

Severity	Reward
Critical	Up to $500,000
High	Up to $100,000
Medium	Up to $25,000
Low	Up to $5,000

Report vulnerabilities: security@pelago.tech

Best Practices

Rotate API keys regularly (every 90 days)
Use separate keys for sandbox and production
Verify webhooks on every request
Monitor logs for suspicious activity
Limit permissions to minimum required

Security Overview​

API Security​

Authentication​

Request Signing​

Rate Limiting​

Zero-Knowledge Proofs​

Privacy-Preserving Verification​

Supported Proof Types​

Implementation Example​

Data Encryption​

At Rest​

In Transit​

Sensitive Data Handling​

Smart Contract Security​

Audit Reports​

Multi-Signature Controls​

Circuit Breakers​

Webhook Security​

Signature Verification​

Webhook IP Allowlist​

Compliance​

Standards​

Data Residency​

Incident Response​

Response Timeline​

Bug Bounty Program​

Best Practices​

Next Steps​