Our database servers encrypt Account Information using standard 256-bit AES encryption. We generate a multi-part encryption key: one part for you, one for us, and one that we store on your behalf in a separate network. The encrypted information can only be decrypted when all three parts are present simultaneously. The encryption keys are rotated, and our segments of the key are managed in a network separated from the database and application servers. All application secrets and keys are stored in a fault-tolerant key management cluster with limited access. The master key is kept in an air-gapped, secure vault to ensure a maximum level of security.
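The page does not say how the three key parts are combined. As an added illustration (not TrueLayer's code), the sketch below assumes a 3-of-3 XOR split of a 256-bit key, where any two parts alone reveal nothing about the key, plus a short check value so that reconstruction fails closed. The holder labels and the `check_value` helper are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # AES-256 key size in bytes
# Hypothetical labels for the three parts described above (assumption).
HOLDERS = ("user", "provider", "escrow")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> bytes:
    """Short one-way fingerprint of the key, stored beside the ciphertext."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]


def split_key(key: bytes) -> dict:
    """Split key into three parts; two are uniformly random, the third
    is chosen so that the XOR of all three equals the key."""
    if len(key) != KEY_LEN:
        raise ValueError("expected a 256-bit key")
    parts = {h: secrets.token_bytes(KEY_LEN) for h in HOLDERS[:-1]}
    last = key
    for part in parts.values():
        last = _xor(last, part)
    parts[HOLDERS[-1]] = last
    return parts


def combine_key(parts: dict, expected_check: bytes) -> bytes:
    """Rebuild the key; refuse if a part is missing, malformed or wrong."""
    if set(parts) != set(HOLDERS):
        raise ValueError("all three parts are required")
    key = bytes(KEY_LEN)
    for holder in HOLDERS:
        if len(parts[holder]) != KEY_LEN:
            raise ValueError("malformed part")
        key = _xor(key, parts[holder])
    # Constant-time comparison avoids leaking how close a guess was.
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("parts do not reconstruct the expected key")
    return key


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_LEN)  # constructed sample key
    assert combine_key(split_key(k), check_value(k)) == k
```
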
All data served over our REST API uses HTTPS. We regularly audit our security setup to ensure that the certificates we serve are up to date. We force HTTPS for all connections to our API server to ensure that the information is always encrypted in transit from our server to the Provider's App. We encourage Providers to use the same methods to ensure that the information is encrypted all the way to you as the End-User.
We log all API calls and track the interactions with the TrueLayer API for later review.