Data Encryption Policy

Project / Organization: Bilko — Balkan Accounting SaaS Policy Number: POL-SEC-ENC-001 Version: 1.0 Date: 2026-02-23 Author: ~~Compliance~~CTO / Security Architect Status: Draft Reviewers: ~~CTO,~~ DPO, Engineering Lead ~~Next Review:~~ ~~2026-08-23~~ Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	2026-02-23	~~Compliance Architect~~CTO	Initial ~~draft~~encryption —policy for Bilko ~~encryption~~accounting ~~standards~~SaaS

1. Purpose & Scope

~~Purpose:~~ This policy defines ~~minimum~~ encryption standards for all data ~~at rest, in transit, and at the application level across all systems operated~~processed by Bilko. Bilko handles regulated financial data across three jurisdictions (Serbia, Bosnia & Herzegovina, Croatia) including tax IDs, IBAN numbers, and financial transaction records that must meet GDPR, ZZPL, and ZZLP BiH requirements.

Scope:

All ~~systems operated by~~ Bilko ~~(api.bilko.io,~~systems, ~~bilko.io,~~databases, ~~PostgreSQL,~~APIs, ~~Cloudflare R2)~~

~~All employees, contractors,~~backups, and ~~third parties with access to Bilko systems~~

~~All~~ data ~~classified~~in ~~Internal, Confidential, or Restricted (see compliance-framework.md §6)~~

~~Railway PostgreSQL (EU West), Vercel (frontend), Cloudflare R2 (file storage)~~

~~Regulatory basis:~~transit.

2. EncryptionData StandardsClassification & ApprovedEncryption AlgorithmsRequirements

2.1 Approved Algorithms

Symmetric Encryption

EncryptionAES-256 AES-256

~~Use Case~~Level	~~Algorithm~~Label	~~Key Size~~Examples	~~Mode~~	~~Notes~~Required
~~Data at rest (general)~~L4-A	~~AES~~Restricted (Personal)	~~256-bit~~JMBG, OIB	AES-256-GCM	~~Authenticated~~field-level encryption —(prisma-field-encryption) ~~default~~+ HMAC-SHA256 hash column + AES-256 at-rest + TLS 1.3 (See ADR-014)
~~Database disk encryption~~L4-B	~~AES~~Restricted (Business/Financial)	~~256-bit~~PIB, JIB, IBAN	~~XTS~~	~~Railway~~disk-level ~~PostgreSQL~~encryption ~~default~~(Railway) + TLS 1.3 + org-scoping + RBAC + API masking for IBAN (last 4 digits in list views) (See ADR-014)
~~File storage~~L3	~~AES~~Confidential	~~256-bit~~Invoice amounts, bank statements, transaction data	~~GCM~~	~~Cloudflare~~at-rest R2+ ~~server-side~~TLS 1.3
~~Backup encryption~~L2	~~AES~~Internal	~~256-bit~~Email, name, phone, address	~~GCM~~	~~Railway automatic backup encryption~~

~~Asymmetric Encryption~~
in
~~Use Case~~ ~~Algorithm~~ ~~Key Size~~ ~~Notes~~
~~TLS key exchange~~ ~~ECDHE~~ ~~P-256 / P-384~~ ~~Cloudflare + Railway~~ TLS 1.3 minimum

~~JWT signing~~L1 ~~HMAC-SHA-256 (HS256)~~Public ~~256-bit~~Organization display name, public invoice ref ~~JWT_SECRET~~No encryption required (~~32+~~but ~~chars,~~TLS ~~CSPRNG)~~
~~JWT refresh~~ ~~HMAC-SHA-256 (HS256)~~ ~~256-bit~~ ~~JWT_REFRESH_SECRET (separate key)~~
~~Future: JWT asymmetric~~ ~~Ed25519 (EdDSA)~~ ~~256-bit~~ ~~Planned Phase 2 migration~~

~~Hashing & Password Storage~~

~~Use Case~~ ~~Algorithm~~ ~~Parameters~~ ~~Notes~~
~~Password hashing~~ ~~bcrypt~~ ~~cost factor = 12~~ bcrypt.hash(password, 12)
~~Token hashing (refresh tokens)~~ ~~HMAC-SHA-256~~ — ~~Refresh tokens hashed before DB storage~~
~~Data integrity (general)~~ ~~SHA-256~~ — ~~File checksums, non-security hashing~~

~~2.2 Prohibited Algorithms (NEVER USE)~~

~~Algorithm~~ ~~Reason~~
~~MD5~~ ~~Collision attacks (2004+) — completely broken~~
~~SHA-1~~ ~~Collision attacks (2017+)~~
~~DES / 3DES~~ ~~Key size insufficient~~
~~RC4~~ ~~Statistical biases~~
~~ECB mode (any cipher)~~ ~~Leaks data patterns — deterministic~~
~~RSA < 2048-bit~~ ~~Insufficient key strength~~
~~AES-128 for Restricted data~~ ~~Insufficient for financial/tax ID data~~
~~bcrypt < 12 rounds~~ ~~Insufficient work factor~~
~~MD5 for password hashing~~ ~~NEVER — use bcrypt~~transit)

3. ~~Encryption at Rest~~Encryption-in-Transit

~~3.1~~Standards
~~Database~~
~~Encryption~~
Minimum: TLS 1.2 (legacy client support only)

Preferred: TLS 1.3 — enforced via Cloudflare SSL Full (Strict) mode

Cipher suites (TLS 1.3): TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256

Certificate: Let's Encrypt via Cloudflare (auto-renew) for *.bilko.io

HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Scope
Strictconnection

~~Database~~Connection ~~Method~~ ~~Key Management~~ ~~Coverage~~Encryption

~~PostgreSQL~~Browser ~~(Railway~~→ ~~EU West)~~Cloudflare ~~AES-256~~TLS ~~disk encryption~~1.3 (~~Railway~~Cloudflare ~~TDE)~~ ~~Railway-managed~~ ~~All data classifications~~managed)

~~PostgreSQL~~Cloudflare —→ ~~tax~~Railway ~~IDs (PIB/JMBG/OIB/JIB)~~API ~~AES-256-GCM~~TLS ~~application-layer field encryption~~ ~~Environment variable~~1.2+ (~~Railway~~Full ~~secrets)~~ ~~L4 Restricted~~mode)

API → PostgreSQL ~~— IBAN~~(Railway) ~~AES-256-GCM~~ssl=require ~~application-layer~~in ~~field~~DATABASE_URL ~~encryption~~ ~~Environment variable (Railway secrets)~~ ~~L4 Restricted~~string

~~PostgreSQL~~API ~~backups~~→ SEF portal (Serbia) ~~AES-256~~TLS 1.2+ (~~Railway~~Serbian ~~automatic)~~government portal)
API → FINA/HR-FISK (Croatia) ~~Railway-managed~~TLS 1.2+ (FINA PKI)
API → Sentry ~~All~~TLS ~~data~~1.3

What is NOT acceptable

HTTP (unencrypted) for any Bilko endpoint — Cloudflare redirects HTTP → HTTPS

Self-signed certificates in production

TLS 1.0 or TLS 1.1 connections

Disabling certificate verification in API clients

4. Encryption-at-Rest

Database (PostgreSQL on Railway)

Algorithm: AES-256 (Railway managed disk encryption)

Level: Full disk encryption — Railway EU West

Backups: Encrypted using same key before upload to Railway backup storage

Connection: ssl=require — plaintext connection not allowed even from same host

Backup Files

Bilko does not manage its own database backups — Railway handles this

If manual exports are taken for disaster recovery: encrypt with GPG (AES-256) before storing

GPG key stored in Vaultwarden, not in same location as backup files

5. Field-Level Encryption (L4-A: JMBG and OIB Only)

Tiered L4 approach per ADR-014: Field-level encryption applies ONLY to L4-A personal identifiers (JMBG, OIB). L4-B fields (PIB, JIB, IBAN) rely on disk-level encryption and application controls — see Section 5b. Field-level encryption for L4publicly ~~Restricted~~available ~~data:~~business tax IDs (PIB, JIB) is disproportionate per GDPR Article 32.

Field-level encryption is applied to JMBG and OIB BEFORE writing to the database. The database column stores only ciphertext. The application decrypts on read.

Algorithm

Algorithm:
AES-256-GCM (authenticated encryption — provides confidentiality + integrity)

IV: 12 bytes, randomly generated per encryption operation

Key: 32 bytes (256 bits), stored in FIELD_ENCRYPTION_KEY environment variable (Railway secret)

Output format: base64(iv):base64(authTag):base64(ciphertext) stored as TEXT column

Implementation

// Tax IDs and bank account numbers encrypted at application layer // In addition to Railway disk encryption import crypto{ createCipheriv, createDecipheriv, randomBytes } from 'crypto'; asyncconst ALGORITHM = 'aes-256-gcm' function encryptRestrictedField(getKey(): Buffer { const hex = process.env.FIELD_ENCRYPTION_KEY if (!hex || hex.length !== 64) { throw new Error('FIELD_ENCRYPTION_KEY must be a 64-character hex string (32 bytes)') } return Buffer.from(hex, 'hex') } export function encryptField(plaintext: string): Promise<string> { const key = Buffer.from(process.env.FIELD_ENCRYPTION_KEY!, 'hex'getKey(); // 32 bytes const iv = crypto.randomBytes(12); // 96-bit IV for GCM const cipher = crypto.createCipheriv('aes-256-gcm',ALGORITHM, key, iv); const ciphertextencrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]); const tagauthTag = cipher.getAuthTag(); // Store: base64(iv || tag || ciphertext) return Buffer.concat([iv, tag,authTag, ciphertext])encrypted].map((b) => b.toString('base64');).join(':') } asyncexport function decryptRestrictedField(stored:decryptField(ciphertext: string): Promise<string> { const key = Buffer.from(process.env.FIELD_ENCRYPTION_KEY!, 'hex'getKey(); const buf[ivB64, tagB64, encB64] = Buffer.from(stored, ciphertext.split('base64':'); const iv = buf.subarray(0,Buffer.from(ivB64, 12);'base64') const tagauthTag = buf.subarray(12,Buffer.from(tagB64, 28);'base64') const ciphertextencrypted = buf.subarray(28);Buffer.from(encB64, 'base64') const decipher = crypto.createDecipheriv('aes-256-gcm',ALGORITHM, key, iv); decipher.setAuthTag(tag);authTag) return Buffer.concat([decipher.update(ciphertext) +encrypted), decipher.final()]).toString('utf8'); }

~~3.2~~Fields ~~File~~Subject ~~Storage~~to Field-Level Encryption (L4-A)

~~Storage~~Field ~~Method~~Table ~~Key Management~~Jurisdiction Notes

~~Cloudflare R2~~jmbg (~~receipts, invoice PDFs)~~JMBG) ~~AES-256 server-side (Cloudflare default)~~Contact ~~Cloudflare-managed~~RS, BA EUSerbian/BiH ~~region~~citizen ~~bucket~~number ~~required~~— irrevocable personal identifier, encodes DOB/gender/region. Stored encrypted + jmbgHash HMAC column.
oib (OIB) Contact HR Croatian personal/company tax ID — unique cross-system identifier. Stored encrypted + oibHash HMAC column.

~~3.3~~Fields ~~Backup~~NOT ~~Encryption~~

~~Railway provides automatic daily PostgreSQL backups, encrypted with AES-256. Backup retention: 30 days (Railway default). Custom backup strategy~~Subject to ~~be implemented in Phase 2 with separate backup encryption key stored in Railway environment secrets.~~

~~4. Encryption in Transit~~

~~4.1 TLS Configuration~~

~~Minimum TLS version:~~

~~External-facing (api.bilko.io, bilko.io): TLS 1.3 (enforced via Cloudflare)~~

~~Railway internal: TLS 1.3~~

~~Approved cipher suites (TLS 1.3):~~

TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 (minimum)

~~HSTS configuration:~~

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

~~HTTP redirect:~~ ~~All HTTP traffic redirected to HTTPS (301). No HTTP allowed in production.~~

~~Prohibited:~~

~~TLS 1.0 and TLS 1.1 — prohibited~~

~~SSL 2.0 / SSL 3.0 — prohibited~~

~~RC4 cipher suites — prohibited~~

~~4.2 Cookie Security~~

~~All session cookies set with:~~

res.cookie('refreshToken', token, { httpOnly: true, // Not accessible to JavaScript secure: true, // HTTPS only sameSite: 'strict', // CSRF protection maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days });

~~4.3 API Security Headers (Helmet.js)~~

app.use(helmet({ hsts: { maxAge: 63072000, includeSubDomains: true, preload: true }, contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], scriptSrc: ["'self'", "'unsafe-inline'"], styleSrc: ["'self'", "'unsafe-inline'"], imgSrc: ["'self'", "data:", "https:"], }, }, }));

~~5. Application-Level Encryption~~

~~5.1~~ Field-Level Encryption ~~Requirements~~(L4-B — Disk-Level + Controls)

~~Required~~Per ADR-014, the following L4 fields are protected by disk-level encryption (Railway AES-256) plus application-layer controls rather than field-level encryption. Field-level encryption for ~~all~~these L4fields ~~Restricted~~is ~~fields:~~disproportionate: PIB and JIB are publicly searchable on government registries; IBAN is routinely shared for payment.
~~businessperson/business~~ Disk

Field Table ~~Reason~~Jurisdiction Controls

taxId / registrationNumber (~~organization tax ID: PIB/JIB/OIB)~~PIB) organizationsContact, Organization ~~National~~RS Disk ~~identifier~~encryption + org-scoping + RBAC + TLS

taxId / registrationNumber (~~contact tax ID: PIB/JMBG/OIB/~~JIB) contactsContact, Organization ~~National~~BA Disk ~~identifier~~encryption + org-scoping + RBAC + TLS

iban organizations, contacts, bankAccountsBankAccount ~~Bank account number~~
totpSecretAll users ~~2FA~~encryption ~~seed~~+ —org-scoping ~~must~~+ ~~not~~RBAC be+ ~~readable~~TLS + API masking (last 4 digits in list views)

~~5.2 JWT Token Encryption~~Searchability

~~JWTs~~L4-A ~~signed~~encrypted fields (JMBG, OIB) cannot be searched with ~~HMAC-SHA-256~~SQL ~~(HS256)~~LIKE ~~using~~or JWT_SECRET:equality. Exact-match lookup uses HMAC hash columns:

JWT_SECRET:Store ~~32+~~a ~~character random string (CSPRNG), stored in Railway secrets~~

JWT_REFRESH_SECRET~~: Separate 32+ character key — never same as JWT_SECRET~~

~~Access token payload:~~ { sub: userId, org: organizationId, role, iat, exp }

~~NO PII in JWT payload — no email, name, tax ID~~

~~Refresh tokens stored as~~deterministic HMAC-~~SHA-256~~SHA256 hash in ~~database — raw token never stored.~~

~~5.3 Password Hashing~~

import bcrypt from 'bcrypt';jmbgHash // ~~Registration~~oibHash ~~const~~column (separate FIELD_HMAC_KEY)
Search is performed on the hash =column
~~await~~
Full ~~bcrypt.hash(plainPassword,~~plaintext ~~12);~~is //decrypted ~~Login~~only ~~verification~~when ~~const~~displaying ~~isValid~~to =an ~~await~~authorized ~~bcrypt.compare(plainPassword,~~user
~~storedHash);~~

~~bcrypt parameters: cost factor 12. Never downgrade below 12.~~

6. ~~Key~~Password ~~Management Summary~~Hashing

~~Full policy:~~ ~~key-management-policy.md~~
upwardasbybcryptchars,1HaveIBeenPwned k-anonymityfirstof

~~Key Type~~Parameter ~~Storage~~ ~~Rotation~~ ~~Owner~~Value

JWT_SECRETAlgorithm ~~Railway environment secret~~ ~~Quarterly~~ ~~Security~~bcrypt

JWT_REFRESH_SECRETCost factor ~~Railway~~12 ~~environment~~(adaptable ~~secret~~ ~~Quarterly~~ ~~Security~~hardware improves)

FIELD_ENCRYPTION_KEY ~~(tax IDs, IBAN)~~Salt ~~Railway~~Automatically ~~environment~~generated ~~secret~~ ~~Annual~~ ~~Security~~library (16 bytes)

~~PostgreSQL~~Minimum ~~disk~~password ~~encryption~~entropy ~~Railway-managed~~8 ~~(TDE)~~ ~~Railway-managed~~ ~~Railway~~uppercase, 1 number, 1 special character

~~Cloudflare~~Breach ~~R2 encryption~~check ~~Cloudflare-managed~~ ~~Cloudflare-managed~~ ~~Cloudflare~~
~~TLS certificates~~API (~~Cloudflare)~~ ~~Cloudflare~~— ~~Certificate~~only ~~Manager~~ 905 ~~days~~chars ~~(automatic)~~ ~~Cloudflare~~SHA1 hash sent)

~~Secrets never committed to git.~~Never: .envStore ~~files~~plaintext inpasswords, .gitignore.use ~~All secrets managed via Railway environment variables (production)~~MD5 or .env.localSHA1 ~~(development,~~for ~~git-ignored).~~passwords, use bcrypt cost factor below 10.

7. ~~Cryptographic~~JWT ~~Inventory~~Signing
RS256(RSA+SHA-256)2048-bitRSA,stored StoredinJWT_PUBLIC_KEY(for15 7

~~System~~Parameter ~~Algorithm~~ ~~Key Size~~ ~~Mode~~ ~~Key Location~~ ~~Next Rotation~~Value

~~PostgreSQL disk (Railway)~~Algorithm ~~AES-256~~ ~~256-bit~~ ~~XTS~~ ~~Railway-managed~~ ~~Railway-managed~~— asymmetric

~~Tax~~Private ~~ID field encryption~~key ~~AES-256-GCM~~ ~~256-bit~~ ~~GCM~~ in JWT_PRIVATE_KEY Railway ~~env~~ secret ~~Annual~~

~~IBAN~~Public ~~field encryption~~key ~~AES-256-GCM~~ ~~256-bit~~ ~~GCM~~ Railway ~~env~~secret ~~secret~~ ~~Annual~~verification)

~~Cloudflare~~Access R2token lifetime ~~AES-256~~ ~~256-bit~~ — ~~Cloudflare-managed~~ ~~Cloudflare-managed~~
~~External TLS (Cloudflare)~~ ~~ECDSA P-256~~ ~~256-bit~~ — ~~Cloudflare~~ ~~90 days (auto)~~
~~JWT signing~~ ~~HMAC-SHA-256~~ ~~256-bit~~ — ~~Railway env secret~~ ~~Quarterly~~minutes

Refresh token ~~signing~~lifetime ~~HMAC-SHA-256~~ ~~256-bit~~ — ~~Railway env secret~~ ~~Quarterly~~days

~~Password~~Key ~~hashing~~rotation ~~bcrypt~~Annually or on compromise

Why RS256 over HS256: RS256 allows future token verification by external services without sharing the signing secret.

8. Monetary Data Integrity

Financial amounts must never be stored as floating-point types due to rounding errors in financial calculations.

Parameter Standard
Database type ~~cost=12~~NUMERIC(19,4) — PostgreSQL exact decimal
Application type Decimal.js library — not JavaScript number
Rounding ~~N/A~~Banker's rounding (round half to even)
Currency storage ~~N/A~~ISO 4217 code (RSD, BAM, EUR) in separate column

8.9. ~~Financial~~Key ~~Data~~Management ~~Integrity~~Summary

~~Financial~~Keys ~~data~~are ~~requires~~managed ~~not~~per ~~just~~the ~~confidentiality~~Key ~~but~~Management ~~also~~Policy ~~integrity.~~(key-management-policy.md). ~~Bilko~~Encryption ~~enforces:~~
keys

~~NUMERIC(19,4) for all monetary amounts~~ —must never ~~float~~be:

Committed to source code repositories

Logged in application logs

Sent over unencrypted channels

Stored outside Railway environment variables or ~~JavaScript number. Prevents rounding errors in VAT calculations.~~Vaultwarden

~~Immutable LoggedAction table~~ ~~— all mutations append-only with old/new values. Enables financial audit.~~

~~Double-entry enforcement~~ ~~— debit = credit validated at backend. Prevents imbalanced entries.~~

~~Exchange rate locking~~ ~~— rates stored at transaction date. Historical accuracy preserved.~~

9.10. ~~Exception~~Prohibited ~~Process~~Algorithms

~~Exceptions~~
~~for:~~ ~~IBAN,TOTPsecrets,password hashes) — no exceptions.~~

~~time.~~

Algorithm Status Reason
MD5 PROHIBITED Cryptographically broken
SHA-1 PROHIBITED for signing/hashing sensitive data Collision attacks demonstrated
DES / 3DES PROHIBITED Insufficient key length
RC4 PROHIBITED Multiple vulnerabilities
RSA with key < 2048 bits PROHIBITED Insufficient for current threat model
AES-128 PERMITTED (not ~~permitted~~preferred) AES-256 required for L4 Restricted data
AES-256-CBC PERMITTED with caution GCM preferred (~~tax~~provides ~~IDs,~~authentication)

AES-256-GCM ~~Exception request process:~~

~~Submit to: [email protected]~~

~~Required: system affected, algorithm excepted from, business justification, risk assessment, compensating controls, proposed duration (max 12 months)~~

~~Approval: CTO~~

~~Log:~~ /docs/security/exceptions.md

~~Review: Quarterly~~

~~Active exceptions:~~REQUIRED ~~None~~for atL4 ~~this~~fields
Authenticated encryption

Approval
~~Architect~~

Role Name ~~Date~~Signature ~~Signature~~Date

Author ~~Compliance~~CTO 2026-02-23

~~CTO~~Reviewer (DPO)

~~DPO~~Reviewer (Engineering Lead)

~~Engineering Lead~~Approver CEO

Data Encryption Policy

Data Encryption Policy

Document History

1. Purpose & Scope

2. EncryptionData StandardsClassification & ApprovedEncryption AlgorithmsRequirements

2.1 Approved Algorithms

Symmetric Encryption

Asymmetric Encryption

Hashing & Password Storage

2.2 Prohibited Algorithms (NEVER USE)

3. Encryption at RestEncryption-in-Transit

3.1Standards

Scope

What is NOT acceptable

4. Encryption-at-Rest

Database (PostgreSQL on Railway)

Backup Files

5. Field-Level Encryption (L4-A: JMBG and OIB Only)

Algorithm

Implementation

3.2Fields FileSubject Storageto Field-Level Encryption (L4-A)

3.3Fields BackupNOT Encryption

4. Encryption in Transit

4.1 TLS Configuration

4.3 API Security Headers (Helmet.js)

5. Application-Level Encryption

5.1 Field-Level Encryption Requirements(L4-B — Disk-Level + Controls)

5.2 JWT Token EncryptionSearchability

5.3 Password Hashing

6. KeyPassword Management SummaryHashing

7. CryptographicJWT InventorySigning

8. Monetary Data Integrity

8.9. FinancialKey DataManagement IntegritySummary

9.10. ExceptionProhibited ProcessAlgorithms

Approval

~~Use Case~~	~~Algorithm~~	~~Key Size~~	~~Notes~~
~~TLS key exchange~~	~~ECDHE~~	~~P-256 / P-384~~	~~Cloudflare + Railway~~ TLS 1.3 minimum
~~JWT signing~~L1	~~HMAC-SHA-256 (HS256)~~Public	~~256-bit~~Organization display name, public invoice ref	~~JWT_SECRET~~No encryption required (~~32+~~but ~~chars,~~TLS ~~CSPRNG)~~
~~JWT refresh~~	~~HMAC-SHA-256 (HS256)~~	~~256-bit~~	~~JWT_REFRESH_SECRET (separate key)~~
~~Future: JWT asymmetric~~	~~Ed25519 (EdDSA)~~	~~256-bit~~	~~Planned Phase 2 migration~~

~~Use Case~~	~~Algorithm~~	~~Parameters~~	~~Notes~~
~~Password hashing~~	~~bcrypt~~	~~cost factor = 12~~	`bcrypt.hash(password, 12)`
~~Token hashing (refresh tokens)~~	~~HMAC-SHA-256~~	—	~~Refresh tokens hashed before DB storage~~
~~Data integrity (general)~~	~~SHA-256~~	—	~~File checksums, non-security hashing~~

~~Algorithm~~	~~Reason~~
~~MD5~~	~~Collision attacks (2004+) — completely broken~~
~~SHA-1~~	~~Collision attacks (2017+)~~
~~DES / 3DES~~	~~Key size insufficient~~
~~RC4~~	~~Statistical biases~~
~~ECB mode (any cipher)~~	~~Leaks data patterns — deterministic~~
~~RSA < 2048-bit~~	~~Insufficient key strength~~
~~AES-128 for Restricted data~~	~~Insufficient for financial/tax ID data~~
~~bcrypt < 12 rounds~~	~~Insufficient work factor~~
~~MD5 for password hashing~~	~~NEVER — use bcrypt~~transit)

~~Database~~Connection	~~Method~~	~~Key Management~~	~~Coverage~~Encryption
~~PostgreSQL~~Browser ~~(Railway~~→ ~~EU West)~~Cloudflare	~~AES-256~~TLS ~~disk encryption~~1.3 (~~Railway~~Cloudflare ~~TDE)~~	~~Railway-managed~~	~~All data classifications~~managed)
~~PostgreSQL~~Cloudflare —→ ~~tax~~Railway ~~IDs (PIB/JMBG/OIB/JIB)~~API	~~AES-256-GCM~~TLS ~~application-layer field encryption~~	~~Environment variable~~1.2+ (~~Railway~~Full ~~secrets)~~	~~L4 Restricted~~mode)
API → PostgreSQL ~~— IBAN~~(Railway)	~~AES-256-GCM~~`ssl=require` ~~application-layer~~in ~~field~~DATABASE_URL ~~encryption~~	~~Environment variable (Railway secrets)~~	~~L4 Restricted~~string
~~PostgreSQL~~API ~~backups~~→ SEF portal (Serbia)	~~AES-256~~TLS 1.2+ (~~Railway~~Serbian ~~automatic)~~government portal)
API → FINA/HR-FISK (Croatia)	~~Railway-managed~~TLS 1.2+ (FINA PKI)
API → Sentry	~~All~~TLS ~~data~~1.3

~~Storage~~Field	~~Method~~Table	~~Key Management~~Jurisdiction	Notes
~~Cloudflare R2~~`jmbg` (~~receipts, invoice PDFs)~~JMBG)	~~AES-256 server-side (Cloudflare default)~~Contact	~~Cloudflare-managed~~RS, BA	EUSerbian/BiH ~~region~~citizen ~~bucket~~number ~~required~~— irrevocable personal identifier, encodes DOB/gender/region. Stored encrypted + `jmbgHash` HMAC column.
`oib` (OIB)	Contact	HR	Croatian personal/company tax ID — unique cross-system identifier. Stored encrypted + `oibHash` HMAC column.

Field	Table	~~Reason~~Jurisdiction	Controls
`taxId` / `registrationNumber` (~~organization tax ID: PIB/JIB/OIB)~~PIB)	`organizations`Contact, Organization	~~National~~RS	Disk ~~identifier~~encryption + org-scoping + RBAC + TLS
`taxId` / `registrationNumber` (~~contact tax ID: PIB/JMBG/OIB/~~JIB)	`contacts`Contact, Organization	~~National~~BA	Disk ~~identifier~~encryption + org-scoping + RBAC + TLS
`iban`	`organizations`, `contacts`, `bankAccounts`BankAccount	~~Bank account number~~
`totpSecret`All	`users`	~~2FA~~encryption ~~seed~~+ —org-scoping ~~must~~+ ~~not~~RBAC be+ ~~readable~~TLS + API masking (last 4 digits in list views)

~~Key Type~~Parameter	~~Storage~~	~~Rotation~~	~~Owner~~Value
`JWT_SECRET`Algorithm	~~Railway environment secret~~	~~Quarterly~~	~~Security~~bcrypt
`JWT_REFRESH_SECRET`Cost factor	~~Railway~~12 ~~environment~~(adaptable ~~secret~~	~~Quarterly~~	~~Security~~hardware improves)
`FIELD_ENCRYPTION_KEY` ~~(tax IDs, IBAN)~~Salt	~~Railway~~Automatically ~~environment~~generated ~~secret~~	~~Annual~~	~~Security~~library (16 bytes)
~~PostgreSQL~~Minimum ~~disk~~password ~~encryption~~entropy	~~Railway-managed~~8 ~~(TDE)~~	~~Railway-managed~~	~~Railway~~uppercase, 1 number, 1 special character
~~Cloudflare~~Breach ~~R2 encryption~~check	~~Cloudflare-managed~~	~~Cloudflare-managed~~	~~Cloudflare~~
~~TLS certificates~~API (~~Cloudflare)~~	~~Cloudflare~~— ~~Certificate~~only ~~Manager~~	905 ~~days~~chars ~~(automatic)~~	~~Cloudflare~~SHA1 hash sent)

~~System~~Parameter	~~Algorithm~~	~~Key Size~~	~~Mode~~	~~Key Location~~	~~Next Rotation~~Value
~~PostgreSQL disk (Railway)~~Algorithm	~~AES-256~~	~~256-bit~~	~~XTS~~	~~Railway-managed~~	~~Railway-managed~~— asymmetric
~~Tax~~Private ~~ID field encryption~~key	~~AES-256-GCM~~	~~256-bit~~	~~GCM~~	in `JWT_PRIVATE_KEY` Railway ~~env~~ secret	~~Annual~~
~~IBAN~~Public ~~field encryption~~key	~~AES-256-GCM~~	~~256-bit~~	~~GCM~~	Railway ~~env~~secret ~~secret~~	~~Annual~~verification)
~~Cloudflare~~Access R2token lifetime	~~AES-256~~	~~256-bit~~	—	~~Cloudflare-managed~~	~~Cloudflare-managed~~
~~External TLS (Cloudflare)~~	~~ECDSA P-256~~	~~256-bit~~	—	~~Cloudflare~~	~~90 days (auto)~~
~~JWT signing~~	~~HMAC-SHA-256~~	~~256-bit~~	—	~~Railway env secret~~	~~Quarterly~~minutes
Refresh token ~~signing~~lifetime	~~HMAC-SHA-256~~	~~256-bit~~	—	~~Railway env secret~~	~~Quarterly~~days
~~Password~~Key ~~hashing~~rotation	~~bcrypt~~Annually or on compromise

Parameter	Standard
Database type	~~cost=12~~`NUMERIC(19,4)` — PostgreSQL exact decimal
Application type	`Decimal.js` library — not JavaScript `number`
Rounding	~~N/A~~Banker's rounding (round half to even)
Currency storage	~~N/A~~ISO 4217 code (RSD, BAM, EUR) in separate column

Algorithm	Status	Reason
MD5	PROHIBITED	Cryptographically broken
SHA-1	PROHIBITED for signing/hashing sensitive data	Collision attacks demonstrated
DES / 3DES	PROHIBITED	Insufficient key length
RC4	PROHIBITED	Multiple vulnerabilities
RSA with key < 2048 bits	PROHIBITED	Insufficient for current threat model
AES-128	PERMITTED (not ~~permitted~~preferred)	AES-256 required for L4 Restricted data
AES-256-CBC	PERMITTED with caution	GCM preferred (~~tax~~provides ~~IDs,~~authentication)
AES-256-GCM	~~Exception request process:~~ ~~Submit to: [email protected]~~ ~~Required: system affected, algorithm excepted from, business justification, risk assessment, compensating controls, proposed duration (max 12 months)~~ ~~Approval: CTO~~ ~~Log:~~ `/docs/security/exceptions.md` ~~Review: Quarterly~~ ~~Active exceptions:~~REQUIRED ~~None~~for atL4 ~~this~~fields	Authenticated encryption

Role	Name	~~Signature~~Date
Author	~~Compliance~~CTO	2026-02-23
~~CTO~~Reviewer (DPO)
~~DPO~~Reviewer (Engineering Lead)
~~Engineering Lead~~Approver	CEO