Data Lifecycle
From the moment personal data enters tPay365 to the moment it's permanently destroyed. Every stage is encrypted, audited, and controlled.
Data Flow
Collection
PII collected via API or BACS file upload. Validated against Zod schemas with strict mode.
Encryption
AES-256-CBC with random IV per record. Keys managed by AWS KMS / Azure Key Vault.
Storage
Encrypted blobs stored in Server B's dedicated PostgreSQL. Never on Server A.
Retrieval
Fresh decryption on every read. Never cached. Always audit-logged.
Deletion
Crypto-shredding: encryption key destroyed. Ciphertext permanently unrecoverable.
Encryption Specification
```javascript
const crypto = require('crypto')

// key: 32-byte data key obtained from AWS KMS / Azure Key Vault; iv: fresh random 16 bytes per record
const iv = crypto.randomBytes(16)
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv)
const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()])
// Store: { iv, ciphertext, key_version }
```

Masking Rules
When PII needs to be displayed in the UI or returned via the masked endpoint, tPay365 applies deterministic masking patterns. The original plaintext is never sent to the client.
| Field | Pattern | Example |
|---|---|---|
| Email | First 2 chars + "****@" + domain | al****@example.com |
| Account number | "****" + last 4 digits | ****5678 |
| Sort code | First 2 digits + "-****" | 12-**** |
| Phone | "****" + last 4 digits | ****0123 |
| NI number | "****" + last 4 chars | ****456C |
Vault API Contract
/vault/store
/vault/{ref}
/vault/{ref}/verify
/vault/{ref}/masked
/vault/batch-retrieve
/vault/{ref}