Your data.
Our vault.
tPay365 doesn't just encrypt your data — it architecturally prevents any single system from assembling your complete identity. Security isn't a feature we added. It's the foundation everything else is built on.
- Server A: HMAC hashes, vault references, no plaintext PII
- Server B: AES-256 encrypted, key-managed, no business logic
No single breach can compromise identity
Server A knows what you owe. Server B knows who you are. Neither server can reconstruct the full picture alone. This is PII isolation by architecture, not by policy.
What Server A Knows
- vault:user_email:a3f2... → Email (hash only)
- vault:employee_bank:7d1c... → Bank details (hash only)
- vault:employee_ni:e891... → NI number (hash only)
- HMAC-SHA256 with HASH_PEPPER
- Session tokens, auth state
- Business logic, calculations
What Server B Knows
- AES-256 encrypted PII blobs
- Vault store / retrieve / verify / delete
- BACS Standard 18 parsing
- No HASH_PEPPER — cannot compute hashes
- No auth state — no sessions
- No business logic — no calculations
What an attacker gets
- Server A breached: hashed references, no plaintext data. Useless without Server B's decryption keys.
- Server B breached: encrypted blobs with no business context. No way to know what data belongs to whom.
- Full identity: requires simultaneous compromise of isolated infrastructure with separate credentials, certificates, and network boundaries.
AES-256-CBC. Random IV. Every record.
Every piece of personal data is encrypted with a unique initialisation vector before storage. Keys never leave the key management service. Even database administrators see only ciphertext.
Key Management
AWS KMS or Azure Key Vault. Keys are hardware-backed and never exported. Automatic rotation on schedule.
Per-Record IV
Every encryption uses a unique random initialisation vector. Identical plaintext produces different ciphertext.
No Cache
Decrypted PII is never cached. Every retrieval triggers fresh decryption from the vault.
Crypto-Shredding
Account deletion destroys the encryption key. All associated ciphertext becomes permanently unrecoverable.
Every access. Every retrieval. Immutable.
tPay365 maintains an append-only audit log for all PII operations. No updates, no deletes, no exceptions. Every access is timestamped, attributed, and permanently recorded.
| Timestamp | Actor | Resource | Action | Status |
|---|---|---|---|---|
| 2026-02-10T09:14:22Z | srv-a:payroll-worker | vault:employee_bank:7d1c... | RETRIEVE | AUTHORIZED |
| 2026-02-10T09:14:21Z | srv-a:payroll-worker | vault:user_email:a3f2... | RETRIEVE | AUTHORIZED |
| 2026-02-10T09:12:05Z | srv-a:onboarding | vault:employee_ni:e891... | STORE | AUTHORIZED |
| 2026-02-10T09:11:58Z | unknown:0.0.0.0 | vault:user_email:a3f2... | RETRIEVE | DENIED |
| 2026-02-10T09:10:30Z | srv-a:gdpr-worker | vault:user_pii:b442... | DELETE | AUTHORIZED |
| 2026-02-10T09:09:15Z | srv-a:display-svc | vault:employee_bank:7d1c... | MASKED | AUTHORIZED |
| 2026-02-10T09:08:42Z | admin:compliance | vault:user_email:a3f2... | VERIFY | AUTHORIZED |
| 2026-02-10T09:05:11Z | unknown:192.168.1.99 | vault:employee_ni:e891... | STORE | DENIED |
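An added example, not part of tPay365's tooling, of the review a defender would run over this log: it parses the table rows above, flags every DENIED entry and every actor outside the trusted namespaces, and groups the alerts by vault reference. The trusted-prefix list (srv-a:, admin:) is an assumption drawn from the actors in the table.

```javascript
// The audit table above, embedded here as the sample input (Timestamp | Actor | Resource | Action | Status).
const AUDIT_TABLE = `
| Timestamp | Actor | Resource | Action | Status |
|---|---|---|---|---|
| 2026-02-10T09:14:22Z | srv-a:payroll-worker | vault:employee_bank:7d1c... | RETRIEVE | AUTHORIZED |
| 2026-02-10T09:14:21Z | srv-a:payroll-worker | vault:user_email:a3f2... | RETRIEVE | AUTHORIZED |
| 2026-02-10T09:12:05Z | srv-a:onboarding | vault:employee_ni:e891... | STORE | AUTHORIZED |
| 2026-02-10T09:11:58Z | unknown:0.0.0.0 | vault:user_email:a3f2... | RETRIEVE | DENIED |
| 2026-02-10T09:10:30Z | srv-a:gdpr-worker | vault:user_pii:b442... | DELETE | AUTHORIZED |
| 2026-02-10T09:09:15Z | srv-a:display-svc | vault:employee_bank:7d1c... | MASKED | AUTHORIZED |
| 2026-02-10T09:08:42Z | admin:compliance | vault:user_email:a3f2... | VERIFY | AUTHORIZED |
| 2026-02-10T09:05:11Z | unknown:192.168.1.99 | vault:employee_ni:e891... | STORE | DENIED |
`

// Actor namespaces this deployment trusts (assumed); anything else is unattributed.
const TRUSTED_PREFIXES = ['srv-a:', 'admin:']

// Parse the markdown table into entry objects, skipping the header and separator rows.
function parseAuditTable(text) {
  return text.trim().split('\n').slice(2).map(line => {
    const [timestamp, actor, resource, action, status] =
      line.split('|').slice(1, -1).map(cell => cell.trim())
    return { timestamp, actor, resource, action, status }
  })
}

// Review rules: every DENIED entry is an alert, and so is any entry from an actor
// outside the trusted namespaces even when it was AUTHORIZED.
function reviewAudit(entries) {
  const alerts = []
  for (const e of entries) {
    const trusted = TRUSTED_PREFIXES.some(p => e.actor.startsWith(p))
    if (e.status === 'DENIED') alerts.push({ ...e, reason: 'denied-access' })
    else if (!trusted) alerts.push({ ...e, reason: 'untrusted-actor' })
  }
  return alerts
}

// Group alerts by resource so repeated probing of one vault reference stands out.
function alertsByResource(alerts) {
  const counts = {}
  for (const a of alerts) counts[a.resource] = (counts[a.resource] || 0) + 1
  return counts
}
```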
Built for regulators, not just developers
tPay365 is designed from the ground up to meet UK financial services regulation. Every architectural decision maps to a specific compliance requirement.
FCA Safeguarding
- 100% of customer funds safeguarded in Tier-1 regulated accounts
- Zero commingling with tPay365 operational funds
- Funds recoverable even if tPay365 ceases trading
- Licensed banking partner holds all deposits
- Daily reconciliation and reporting
UK GDPR
- Right to access — full data export within 30 days
- Right to erasure — crypto-shredding on deletion
- Right to portability — structured JSON export
- Data minimisation — only collect what's needed
- Breach notification — 72-hour ICO reporting
PCI-DSS Alignment
- No card data stored directly by tPay365
- Payment processing via PCI-certified partners
- TLS 1.3 for all data in transit
- Network segmentation between services
- Regular penetration testing schedule
Trust nothing. Verify everything.
Every request between tPay365 services is authenticated, authorised, rate-limited, and logged. There are no trusted networks — only verified identities.
All traffic encrypted. Certificate pinning between services.
Server B validates Server A's client certificate. Invalid cert = connection refused.
X-Vault-API-Key header validated with crypto.timingSafeEqual. Never ===.
API key must have required scope for the requested resource. Principle of least privilege.
100 requests/second per API key. 500 burst. 429 on exceed.
```javascript
const crypto = require('crypto')
// Timing-safe comparison — prevents side-channel attacks
// (timingSafeEqual throws when the byte lengths differ, so guard that first)
const isValid = Buffer.byteLength(providedKey) === Buffer.byteLength(expectedKey) &&
  crypto.timingSafeEqual(Buffer.from(providedKey), Buffer.from(expectedKey))
```
Found something? Tell us.
We welcome responsible security research. If you discover a vulnerability, we want to hear from you — and we'll work with you to resolve it quickly.
How to Report
- Email security@tpay365.com with details
- Include reproduction steps and impact assessment
- We acknowledge within 24 hours
- We triage within 72 hours and keep you updated
Please do not publicly disclose until we've had 90 days to address the issue.
Scope
In Scope
- Authentication bypass
- PII data exposure
- Server-side request forgery
- Injection vulnerabilities (SQL, XSS, command)
- Privilege escalation
Out of Scope
- Social engineering / phishing
- Denial of service attacks
- Rate limiting bypasses (already documented)
- Issues in third-party dependencies (report upstream)
Security isn't a feature. It's the product.
Every architectural decision serves one purpose: making it mathematically impossible for a single breach to compromise your identity.
security@tpay365.com — PGP key available on request