Data Encryption
Pelago's encryption standards for protecting sensitive data.
Encryption Standards
| Layer | Standard | Purpose |
|---|---|---|
| Transport | TLS 1.3 | Data in transit |
| Storage | AES-256-GCM | Data at rest |
| Keys | HSM | Key management |
Transport Security
All API communication uses TLS 1.3:
```bash
# Verify TLS
curl -v https://api.pelago.tech/v1/health 2>&1 | grep "SSL connection"
# SSL connection using TLSv1.3
```
Data at Rest
Sensitive data is encrypted using AES-256-GCM:
Key Management
- Keys stored in Hardware Security Modules (HSM)
- Automatic key rotation every 90 days
- Separate keys per merchant
Client-Side Encryption
For extra security, encrypt sensitive metadata:
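```typescript
import crypto from 'crypto';

// Encrypts metadata with AES-256-GCM and returns a JSON envelope {iv, data, tag}.
// `key` must be 32 random bytes (for example from crypto.randomBytes(32)),
// not a password or other human-chosen string.
function encryptMetadata(data: object, key: Buffer): string {
  if (key.length !== 32) {
    throw new Error('AES-256-GCM requires a 32-byte key');
  }
  // 96-bit IV, the recommended size for GCM; never reuse an IV with the same key.
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'base64');
  encrypted += cipher.final('base64');
  return JSON.stringify({
    iv: iv.toString('base64'),
    data: encrypted,
    // The tag authenticates the ciphertext and must be verified on decryption.
    tag: cipher.getAuthTag().toString('base64')
  });
}
```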
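The decrypting side of the `{iv, data, tag}` envelope, as an added example that is not part of Pelago's documentation or code: it rejects truncated authentication tags and fails if the ciphertext was modified. `decryptMetadata`, `sealForDemo`, the `Buffer` key and the sample values are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

interface Envelope { iv: string; data: string; tag: string; }

// Builds sample input in the same envelope layout as encryptMetadata above.
function sealForDemo(data: object, key: Buffer): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()]);
  return JSON.stringify({
    iv: iv.toString('base64'),
    data: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  });
}

// Hypothetical counterpart to encryptMetadata: returns the decrypted object,
// or throws if the envelope is malformed or was modified.
function decryptMetadata(envelope: string, key: Buffer): object {
  if (key.length !== 32) throw new Error('AES-256-GCM requires a 32-byte key');
  const { iv, data, tag } = JSON.parse(envelope) as Envelope;
  if (typeof iv !== 'string' || typeof data !== 'string' || typeof tag !== 'string') {
    throw new Error('malformed envelope');
  }
  const tagBytes = Buffer.from(tag, 'base64');
  // Refuse truncated tags: GCM permits shorter tags, which are far easier to forge.
  if (tagBytes.length !== 16) throw new Error('authentication tag must be 16 bytes');
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'), {
    authTagLength: 16,
  });
  decipher.setAuthTag(tagBytes);
  // final() throws when the tag does not match, so nothing is parsed before verification.
  const plain = Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample input, not real merchant data.
const demoKey = randomBytes(32);
const sealed = sealForDemo({ orderId: 'demo-123', note: 'constructed sample' }, demoKey);
console.log(decryptMetadata(sealed, demoKey));
```

Treat any exception from `decryptMetadata` as a rejected message and do not fall back to using the unauthenticated fields.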