Encryption & key management

Encryption isn’t a feature; it’s a default. Every byte of customer data is encrypted in transit and at rest, with key separation between tenants and a documented rotation policy.

In transit

  • TLS 1.3 mandatory at every public endpoint. TLS 1.2 accepted as a fallback only for legacy ACH partners; never on customer-facing surfaces.
  • HSTS with max-age=63072000; includeSubDomains; preload on every hosted surface (*.paylera.io).
  • Certificate transparency — certificates issued via AWS Certificate Manager, all logged to the public CT logs.
  • Strong ciphers only — TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256. No CBC, no RC4.

At rest

| Data class | Encryption | Key |
| --- | --- | --- |
| Database (Postgres) | AES-256-GCM via AWS RDS encryption | RDS-managed CMK, region-pinned. |
| Object storage (PDFs, exports) | AES-256-GCM via S3 SSE-KMS | Per-residency CMK. |
| Provider secrets (Stripe API keys, webhook signing secrets) | Envelope cipher (AES-256-GCM) | Per-tenant DEK wrapped by region KEK. |
| PII columns (email, address, name) | Envelope cipher (AES-256-GCM) | Per-tenant DEK wrapped by region KEK. |
| Backups | Same as source; RDS snapshots inherit encryption. | Same CMKs. |

Envelope encryption

For provider secrets and PII columns, we use envelope encryption rather than relying solely on transparent disk encryption:

Plaintext ─encrypt─► Ciphertext
              │
              DEK (data encryption key)
              │ wrapped by
              KEK (key encryption key) — held in KMS, never on disk

The DEK is unique per tenant. The KEK is rotated on a schedule; rotation is online (no downtime) — the rewrap walker re-encrypts every wrapped DEK under the new KEK version, then retires the old.

Key rotation cadence

| Key | Rotation cadence |
| --- | --- |
| Tenant DEKs | Every 365 days, or on demand. |
| KEK | Every 365 days; emergency rotation triggered by suspected compromise. |
| Webhook signing secrets | On demand (you trigger). Both old and new sign for 24 hours. |
| API tokens | On demand (you trigger). Old works for 24 hours. |
| TLS certificates | Every 90 days (ACM-managed). |

What you control

  • API token rotation: POST /v1/admin/api-tokens/{id}/rotate.
  • Webhook secret rotation: POST /v1/admin/webhook-endpoints/{id}/rotate-secret.
  • Provider credential rotation: POST /v1/admin/payment-providers/{id}/rotate (AAL2).

Rotation is non-destructive: there’s a 24-hour grace window during which both old and new credentials work. Update your handlers, then let the old expire.

What you do not control

  • The tenant DEKs and the KEK. Paylera manages them.
  • The TLS certificates. ACM-managed, ACME-renewed.
  • The RDS CMK. Cloud-provider KMS-managed.

If you have a regulated requirement to hold your own keys (BYOK), reach out — it’s available on enterprise contracts but adds operational complexity that isn’t worth it for most tenants.

Auditability

Every key operation (encrypt, decrypt, rotate, retire) is logged to AWS CloudTrail with actor, key ID, and timestamp. The logs are ingested into our SIEM and held per the audit log retention policy.

For your tenant: any application-level access to encrypted data (e.g., an operator viewing a customer’s email) is recorded in the audit log accessible via GET /v1/admin/audit-log.

In-memory and key handling

Application services hold decrypted secrets and PII only for the duration of a single request. Secrets are zeroed on free where the runtime supports it. Heap dumps and core files are disabled in production.

Random number generation

All cryptographic randomness comes from getrandom(2) / BCryptGenRandom / equivalent kernel CSPRNGs. We do not use userspace PRNGs for any security-relevant decision (token generation, key derivation, signature nonces).

Open-source primitives

The cryptographic primitives are off-the-shelf:

  • TLS via the platform’s stack (OpenSSL / Schannel).
  • AES-GCM via the platform’s libcrypto.
  • HMAC-SHA-256 via the platform’s libcrypto.

We don’t roll our own. The KMS interactions use the cloud provider’s SDK; the envelope cipher is a thin wrapper around aes-gcm.

Custom domains for hosted surfaces

To serve hosted checkout / customer portal under your own domain:

  1. Add the domain on the dashboard at Settings → Branding → Custom domain.
  2. Create a CNAME from checkout.yourapp.com to cname.paylera-edge.io.
  3. We provision an ACM certificate, validated via DNS, and serve under your domain.

The customer’s TLS handshake terminates at the Paylera edge with a valid cert chain for your domain. We never see private keys you don’t hand us; we never hand you private keys you don’t manage.