Encryption

Bila employs industry-leading encryption technologies to protect your data and transactions. This guide provides detailed information about our encryption implementations, key management practices, and how we secure data throughout its lifecycle.

Encryption Overview

Bila Encryption Architecture

Our encryption strategy follows these core principles:

  • Defense in Depth: Multiple layers of encryption for comprehensive protection
  • Industry Standards: Using proven, standardized encryption algorithms
  • Key Rotation: Regular rotation of encryption keys
  • Secure Key Management: Hardware-based key storage and strict access controls
  • Zero Trust: Encrypting data even within our secure network boundaries

Data Encryption in Transit

All data transmitted to and from Bila systems is encrypted using secure protocols:

TLS Implementation

Bila requires TLS 1.2 or higher for all API connections and web traffic.

Our TLS configuration includes:

  • Minimum TLS Version: TLS 1.2 required, TLS 1.3 preferred
  • Strong Cipher Suites: Only high-security cipher suites are enabled
  • Perfect Forward Secrecy: Ensuring past communications remain secure
  • Certificate Management: Regular rotation and monitoring of TLS certificates
  • HSTS: HTTP Strict Transport Security enforcement

API Encryption

All API requests and responses are encrypted using TLS:

# Example of a secure API request with curl
curl -X POST https://api.usebila.com/v1/payments \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  --tlsv1.2 \
  -d '{"amount": 1000, "currency": "USD"}'

Bila will reject any API connections that attempt to use insecure protocols or weak cipher suites.

Data Encryption at Rest

All sensitive data stored in our systems is encrypted:

Database Encryption

  • Algorithm: AES-256-GCM for database field-level encryption
  • Key Management: Database encryption keys are managed in a hardware security module (HSM)
  • Implementation: Transparent data encryption at the database level plus application-level encryption for sensitive fields

File Storage Encryption

  • Algorithm: AES-256 for all file encryption
  • Key Management: Unique encryption keys for each file, with master keys stored in HSMs
  • Implementation: Server-side encryption with strict access controls

Backup Encryption

  • Algorithm: AES-256 for all backup data
  • Key Management: Separate encryption keys for backups, with secure key rotation
  • Implementation: All backups are encrypted before being stored

Tokenization

For highly sensitive data like payment card information, we use tokenization:

Tokenization Process

How Tokenization Works

  1. Sensitive data is received over an encrypted connection
  2. The data is immediately tokenized, generating a non-sensitive token
  3. The original data is encrypted and stored in a secure vault
  4. Only the token is stored in regular databases and logs
  5. The token can be used for future operations without exposing the original data

Tokenization vs. Encryption

Tokenization

  • Replaces sensitive data with a random token
  • No mathematical relationship to original data
  • Cannot be reversed without access to the token vault
  • Used for card numbers, bank accounts, etc.

Encryption

  • Transforms data using a mathematical algorithm
  • Can be reversed with the correct key
  • Strength depends on algorithm and key management
  • Used for general data protection

Key Management

Secure key management is critical to our encryption strategy:

Key Hierarchy

We implement a hierarchical key management system:

1

Root Keys

Master keys stored in FIPS 140-2 Level 3 HSMs

2

Key Encryption Keys (KEKs)

Used to encrypt data encryption keys

3

Data Encryption Keys (DEKs)

Used to encrypt actual data

4

Session Keys

Temporary keys used for specific operations

Key Rotation

We regularly rotate encryption keys to limit the impact of potential compromises:

  • Root Keys: Rotated annually
  • KEKs: Rotated quarterly
  • DEKs: Rotated monthly
  • Session Keys: New for each session

Access Controls

Access to encryption keys is strictly controlled:

  • Separation of Duties: No single employee has access to all components
  • Multi-Party Authorization: Critical key operations require multiple approvers
  • Audit Logging: All key access and operations are logged and monitored

Cryptographic Algorithms

Bila uses industry-standard, publicly vetted cryptographic algorithms:

PurposeAlgorithmKey LengthNotes
Symmetric EncryptionAES-GCM256-bitAuthenticated encryption with associated data (AEAD)
Asymmetric EncryptionRSA4096-bitUsed for key exchange
Asymmetric EncryptionECCP-256/P-384Used for digital signatures
HashingSHA-256/SHA-384N/AUsed for integrity verification
Key DerivationPBKDF2N/AWith high iteration count
Digital SignaturesECDSAP-256/P-384Used for API request signing

We do not use proprietary or custom encryption algorithms. All cryptographic implementations are based on industry standards and best practices.

End-to-End Encryption

For certain sensitive operations, we support end-to-end encryption:

Client-Side Encryption

For the highest level of security, you can implement client-side encryption:

// Example of client-side encryption using the Bila SDK
const bila = new Bila('YOUR_API_KEY');

// Generate a key pair for the client
const clientKeyPair = await bila.encryption.generateKeyPair();

// Encrypt sensitive data client-side
const encryptedData = await bila.encryption.encrypt(
  sensitiveData,
  clientKeyPair.publicKey
);

// Send only encrypted data to Bila
const response = await bila.api.sendEncryptedData({
  data: encryptedData,
  publicKey: clientKeyPair.publicKey
});

Encryption Compliance

Our encryption implementations comply with various regulatory requirements:

  • PCI DSS: Meets or exceeds all encryption requirements for payment data
  • GDPR: Implements appropriate technical measures for data protection
  • HIPAA: Complies with encryption requirements for protected health information
  • FIPS 140-2: Uses FIPS-validated cryptographic modules where required

Encryption Best Practices

When integrating with Bila, follow these encryption best practices:

  1. Always Use HTTPS: Ensure all connections to Bila API use HTTPS
  2. Validate Certificates: Implement proper certificate validation
  3. Keep Libraries Updated: Use up-to-date TLS libraries and security patches
  4. Secure Key Storage: Store API keys and encryption keys securely
  5. Implement Proper Key Rotation: Regularly rotate any encryption keys you manage

Security Overview

Learn about Bila’s security infrastructure and practices

Security Best Practices

Recommended security practices for integrating with Bila

Data Protection

How we protect your data and maintain privacy

API Authentication

How to securely authenticate with the Bila API