Data Encryption Policy

Project / Organization: Bilko — Balkan Accounting SaaS Policy Number: POL-SEC-ENC-001 Version: 1.0 Date: 2026-02-23 Author: ~~CTO / Security~~Compliance Architect Status: Draft Reviewers: CTO, DPO, Engineering Lead Next Review: 2026-08-23 Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	2026-02-23	~~CTO~~Compliance Architect	Initial ~~encryption~~draft ~~policy for~~— Bilko ~~accounting~~encryption ~~SaaS~~standards

1. Purpose & Scope

Purpose: This policy defines minimum encryption standards for all data ~~processed~~at rest, in transit, and at the application level across all systems operated by Bilko. Bilko handles regulated financial data across three jurisdictions (Serbia, Bosnia & Herzegovina, Croatia) including tax IDs, IBAN numbers, and financial transaction records that must meet GDPR, ZZPL, and ZZLP BiH requirements.

Scope:

All systems operated by Bilko ~~systems,~~(api.bilko.io, ~~databases,~~bilko.io, ~~APIs,~~PostgreSQL, ~~backups,~~Cloudflare R2)

All employees, contractors, and third parties with access to Bilko systems

All data inclassified ~~transit.~~Internal, Confidential, or Restricted (see compliance-framework.md §6)

Railway PostgreSQL (EU West), Vercel (frontend), Cloudflare R2 (file storage)

Regulatory basis:

2. DataEncryption ClassificationStandards & Approved Algorithms

2.1 Approved Algorithms

Symmetric Encryption Requirements

~~Requiredfield-leveldisk-levelat-rest~~

~~Level~~Use Case	~~Label~~Algorithm	~~Examples~~Key Size	~~Encryption~~Mode	Notes
~~L4-A~~Data at rest (general)	~~Restricted (Personal)~~AES	~~JMBG, OIB~~256-bit	~~AES-256-~~GCM	Authenticated encryption ~~(prisma-field-encryption)~~— ~~+ HMAC-SHA256 hash column + AES-256 at-rest + TLS 1.3 (See ADR-014)~~default
~~L4-B~~Database disk encryption	~~Restricted (Business/Financial)~~AES	~~PIB, JIB, IBAN~~256-bit	~~AES-256~~XTS	Railway ~~encryption~~PostgreSQL ~~(Railway) + TLS 1.3 + org-scoping + RBAC + API masking for IBAN (last 4 digits in list views) (See ADR-014)~~default
L3File storage	~~Confidential~~AES	~~Invoice amounts, bank statements, transaction data~~256-bit	~~AES-256~~GCM	Cloudflare +R2 ~~TLS 1.3~~server-side
L2Backup encryption	~~Internal~~AES	~~Email, name, phone, address~~256-bit	GCM	Railway automatic backup encryption

Asymmetric Encryption

~~transit)~~

Use Case	Algorithm	Key Size	Notes
TLS key exchange	ECDHE	P-256 / P-384	Cloudflare + Railway TLS 1.3 ~~minimum~~
L1JWT signing	~~Public~~HMAC-SHA-256 (HS256)	~~Organization display name, public invoice ref~~256-bit	~~No encryption required~~JWT_SECRET (~~but~~32+ ~~TLS~~chars, inCSPRNG)
JWT refresh	HMAC-SHA-256 (HS256)	256-bit	JWT_REFRESH_SECRET (separate key)
Future: JWT asymmetric	Ed25519 (EdDSA)	256-bit	Planned Phase 2 migration

Hashing & Password Storage

Use Case	Algorithm	Parameters	Notes
Password hashing	bcrypt	cost factor = 12	`bcrypt.hash(password, 12)`
Token hashing (refresh tokens)	HMAC-SHA-256	—	Refresh tokens hashed before DB storage
Data integrity (general)	SHA-256	—	File checksums, non-security hashing

2.2 Prohibited Algorithms (NEVER USE)

Algorithm	Reason
MD5	Collision attacks (2004+) — completely broken
SHA-1	Collision attacks (2017+)
DES / 3DES	Key size insufficient
RC4	Statistical biases
ECB mode (any cipher)	Leaks data patterns — deterministic
RSA < 2048-bit	Insufficient key strength
AES-128 for Restricted data	Insufficient for financial/tax ID data
bcrypt < 12 rounds	Insufficient work factor
MD5 for password hashing	NEVER — use bcrypt

3. Encryption-in-TransitEncryption at Rest

Standards

3.1

Database

~~Minimum:~~ ~~TLS 1.2 (legacy client support only)~~

~~Preferred:~~ ~~TLS 1.3 — enforced via Cloudflare SSL Full (Strict) mode~~

~~Cipher suites (TLS 1.3):~~ ~~TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256~~

~~Certificate:~~ ~~Let's Encrypt via Cloudflare (auto-renew) for *.bilko.io~~

~~HSTS:~~ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

ScopeEncryption

~~mode)string~~

~~Connection~~Database	~~Encryption~~Method	Key Management	Coverage
~~Browser~~PostgreSQL →(Railway ~~Cloudflare~~EU West)	~~TLS~~AES-256 ~~1.3~~disk encryption (~~Cloudflare~~Railway ~~managed)~~TDE)	Railway-managed	All data classifications
~~Cloudflare~~PostgreSQL →— ~~Railway~~tax ~~API~~IDs (PIB/JMBG/OIB/JIB)	~~TLS~~AES-256-GCM ~~1.2+~~application-layer field encryption	Environment variable (~~Full~~Railway ~~Strict~~secrets)	L4 Restricted
~~API →~~ PostgreSQL ~~(Railway)~~— IBAN	`ssl=require`AES-256-GCM inapplication-layer ~~DATABASE_URL~~field ~~connection~~encryption	Environment variable (Railway secrets)	L4 Restricted
~~API~~PostgreSQL ~~→ SEF portal (Serbia)~~backups	~~TLS 1.2+~~AES-256 (~~Serbian~~Railway ~~government portal)~~
~~API → FINA/HR-FISK (Croatia)~~automatic)	~~TLS 1.2+ (FINA PKI)~~
~~API → Sentry~~Railway-managed	~~TLS~~All ~~1.3~~data

What is NOT acceptable

~~HTTP (unencrypted) for any Bilko endpoint — Cloudflare redirects HTTP → HTTPS~~

~~Self-signed certificates in production~~

~~TLS 1.0 or TLS 1.1 connections~~

~~Disabling certificate verification in API clients~~

4. Encryption-at-Rest

Database (PostgreSQL on Railway)

~~Algorithm:~~ ~~AES-256 (Railway managed disk encryption)~~

~~Level:~~ ~~Full disk encryption — Railway EU West~~

~~Backups:~~ ~~Encrypted using same key before upload to Railway backup storage~~

~~Connection:~~ ssl=require ~~— plaintext connection not allowed even from same host~~

Backup Files

~~Bilko does not manage its own database backups — Railway handles this~~

~~If manual exports are taken for disaster recovery: encrypt with GPG (AES-256) before storing~~

~~GPG key stored in Vaultwarden, not in same location as backup files~~

5. Field-Level Encryption (L4-A: JMBG and OIB Only)

~~Tiered L4 approach per ADR-014:~~ ~~Field-level encryption applies ONLY to L4-A personal identifiers (JMBG, OIB). L4-B fields (PIB, JIB, IBAN) rely on disk-level encryption and application controls — see Section 5b.~~ Field-level encryption for ~~publicly~~L4 ~~available~~Restricted ~~business~~data:
~~tax~~
// Tax IDs (PIB,and JIB)bank isaccount disproportionatenumbers perencrypted GDPRat Articleapplication 32.
layer

// Field-levelIn addition to Railway disk encryption
is applied to JMBG and OIB BEFORE writing to the database. The database column stores only ciphertext. The application decrypts on read.

Algorithm


Algorithm: AES-256-GCM (authenticated encryption — provides confidentiality + integrity)

IV: 12 bytes, randomly generated per encryption operation

Key: 32 bytes (256 bits), stored in FIELD_ENCRYPTION_KEY environment variable (Railway secret)

Output format: base64(iv):base64(authTag):base64(ciphertext) stored as TEXT column


Implementation

import { createCipheriv, createDecipheriv, randomBytes }crypto from 'crypto';

const ALGORITHM = 'aes-256-gcm'async function getKey(): Buffer {
  const hex = process.env.FIELD_ENCRYPTION_KEY
  if (!hex || hex.length !== 64) {
    throw new Error('FIELD_ENCRYPTION_KEY must be a 64-character hex string (32 bytes)')
  }
  return Buffer.from(hex, 'hex')
}

export function encryptField(encryptRestrictedField(plaintext: string): Promise<string> {
  const key = getKey(Buffer.from(process.env.FIELD_ENCRYPTION_KEY!, 'hex'); // 32 bytes
  const iv = crypto.randomBytes(12); // 96-bit IV for GCM
  const cipher = crypto.createCipheriv(ALGORITHM,'aes-256-gcm', key, iv);
  const encryptedciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const authTagtag = cipher.getAuthTag();
  // Store: base64(iv || tag || ciphertext)
  return Buffer.concat([iv, authTag,tag, encrypted]ciphertext]).map((b) => b.toString('base64')).join(':');
}

exportasync function decryptField(ciphertext:decryptRestrictedField(stored: string): Promise<string> {
  const key = getKey(Buffer.from(process.env.FIELD_ENCRYPTION_KEY!, 'hex');
  const [ivB64, tagB64, encB64]buf = ciphertext.split(Buffer.from(stored, ':'base64');
  const iv = Buffer.from(ivB64,buf.subarray(0, 'base64')12);
  const authTagtag = Buffer.from(tagB64,buf.subarray(12, 'base64')28);
  const encryptedciphertext = Buffer.from(encB64, 'base64')buf.subarray(28);
  const decipher = crypto.createDecipheriv(ALGORITHM,'aes-256-gcm', key, iv);
  decipher.setAuthTag(authTag)tag);
  return Buffer.concat([decipher.update(encrypted),ciphertext) + decipher.final()]).toString('utf8');
}

Fields3.2 SubjectFile to Field-LevelStorage Encryption (L4-A)









FieldStorage
TableMethod
JurisdictionKey Management
Notes




jmbgCloudflare R2 (JMBG)receipts, invoice PDFs)
ContactAES-256 server-side (Cloudflare default)
RS, BACloudflare-managed
Serbian/BiHEU citizenregion numberbucket — irrevocable personal identifier, encodes DOB/gender/region. Stored encrypted + jmbgHash HMAC column.
oib (OIB) Contact HR Croatian personal/company tax ID — unique cross-system identifier. Stored encrypted + oibHash HMAC column.required



Fields3.3 NOTBackup SubjectEncryption

Railway provides automatic daily PostgreSQL backups, encrypted with AES-256. Backup retention: 30 days (Railway default). Custom backup strategy to be implemented in Phase 2 with separate backup encryption key stored in Railway environment secrets.


4. Encryption in Transit

4.1 TLS Configuration

Minimum TLS version:


External-facing (api.bilko.io, bilko.io): TLS 1.3 (enforced via Cloudflare)

Railway internal: TLS 1.3


Approved cipher suites (TLS 1.3):

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256 (minimum)

HSTS configuration:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

HTTP redirect: All HTTP traffic redirected to HTTPS (301). No HTTP allowed in production.

Prohibited:


TLS 1.0 and TLS 1.1 — prohibited

SSL 2.0 / SSL 3.0 — prohibited

RC4 cipher suites — prohibited


4.2 Cookie Security

All session cookies set with:

res.cookie('refreshToken', token, {
  httpOnly: true,    // Not accessible to JavaScript
  secure: true,      // HTTPS only
  sameSite: 'strict', // CSRF protection
  maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
});

4.3 API Security Headers (Helmet.js)

app.use(helmet({
  hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "'unsafe-inline'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
}));


5. Application-Level Encryption

5.1 Field-Level Encryption (L4-B — Disk-Level + Controls)Requirements
PerRequired ADR-014,for the followingall L4 fieldsRestricted are protected by disk-level encryption (Railway AES-256) plus application-layer controls rather than field-level encryption. Field-level encryption for these fields is disproportionate: PIB and JIB are publicly searchable on government registries; IBAN is routinely shared for payment.fields:

NationalNational


encryption


Field
Table
Jurisdiction ControlsReason




taxId /(organization registrationNumbertax (PIB)ID: PIB/JIB/OIB)
Contact, Organizationorganizations
RS  Diskbusiness encryption + org-scoping + RBAC + TLSidentifier


taxId /(contact registrationNumbertax (ID: PIB/JMBG/OIB/JIB)
Contact, Organizationcontacts
BA  Diskperson/business encryption + org-scoping + RBAC + TLSidentifier


iban
BankAccountorganizations, contacts, bankAccounts
AllBank account number
totpSecret
Diskusers
2FA +seed org-scoping— +must RBACnot +be TLS + API masking (last 4 digits in list views)readable



Searchability5.2 JWT Token Encryption
L4-AJWTs encrypted fields (JMBG, OIB) cannot be searchedsigned with SQLHMAC-SHA-256 LIKE(HS256) orusing equality. Exact-match lookup uses HMAC hash columns:JWT_SECRET:

StoreJWT_SECRET: a32+ deterministiccharacter random string (CSPRNG), stored in Railway secrets

JWT_REFRESH_SECRET: Separate 32+ character key — never same as JWT_SECRET

Access token payload: { sub: userId, org: organizationId, role, iat, exp }

NO PII in JWT payload — no email, name, tax ID


Refresh tokens stored as HMAC-SHA256SHA-256 hash in database — raw token never stored.

5.3 Password Hashing

jmbgHashimport bcrypt from 'bcrypt';

// oibHashRegistration
column (separate FIELD_HMAC_KEY)
Search is performed on theconst hash column
= Fullawait plaintextbcrypt.hash(plainPassword, is12);

decrypted// onlyLogin whenverification
displayingconst toisValid an= authorizedawait user
bcrypt.compare(plainPassword, 
storedHash);

~~Field~~Storage	~~Table~~Method	~~Jurisdiction~~Key Management	Notes
`jmbg`Cloudflare R2 (~~JMBG)~~receipts, invoice PDFs)	~~Contact~~AES-256 server-side (Cloudflare default)	~~RS, BA~~Cloudflare-managed	~~Serbian/BiH~~EU ~~citizen~~region ~~number~~bucket ~~— irrevocable personal identifier, encodes DOB/gender/region. Stored encrypted +~~ `jmbgHash` ~~HMAC column.~~
`oib` ~~(OIB)~~	~~Contact~~	HR	~~Croatian personal/company tax ID — unique cross-system identifier. Stored encrypted +~~ `oibHash` ~~HMAC column.~~required

Field	Table	~~Jurisdiction~~	~~Controls~~Reason
`taxId` /(organization `registrationNumber`tax ~~(PIB)~~ID: PIB/JIB/OIB)	~~Contact, Organization~~`organizations`	RS	~~Disk~~business ~~encryption + org-scoping + RBAC + TLS~~identifier
`taxId` /(contact `registrationNumber`tax (ID: PIB/JMBG/OIB/JIB)	~~Contact, Organization~~`contacts`	BA	~~Disk~~person/business ~~encryption + org-scoping + RBAC + TLS~~identifier
`iban`	~~BankAccount~~`organizations`, `contacts`, `bankAccounts`	~~All~~Bank account number
`totpSecret`	~~Disk~~`users`	2FA +seed ~~org-scoping~~— +must ~~RBAC~~not +be ~~TLS + API masking (last 4 digits in list views)~~readable

bcrypt parameters: cost factor 12. Never downgrade below 12.

6. PasswordKey HashingManagement Summary

Full policy: key-management-policy.md

as~~hardware improves)bcryptlibrary (16 bytes)~~1~~uppercase, 1 number, 1 special characterAPI~~ —5~~SHA1 hash sent)~~

~~Parameter~~Key Type	~~Value~~Storage	Rotation	Owner
~~Algorithm~~`JWT_SECRET`	~~bcrypt~~Railway environment secret	Quarterly	Security
~~Cost factor~~`JWT_REFRESH_SECRET`	12Railway ~~(adaptable~~environment ~~upward~~secret	Quarterly	Security
~~Salt~~`FIELD_ENCRYPTION_KEY` (tax IDs, IBAN)	~~Automatically~~Railway ~~generated~~environment bysecret	Annual	Security
~~Minimum~~PostgreSQL ~~password~~disk ~~entropy~~encryption	8Railway-managed ~~chars,~~(TDE)	Railway-managed	Railway
~~Breach~~Cloudflare ~~check~~R2 encryption	~~HaveIBeenPwned~~Cloudflare-managed	Cloudflare-managed	Cloudflare
TLS certificates (~~k-anonymity~~Cloudflare)	Cloudflare ~~only~~Certificate ~~first~~Manager	90 ~~chars~~days of(automatic)	Cloudflare

~~Never:~~Secrets never committed to git. ~~Store~~.env ~~plaintext~~files ~~passwords,~~in ~~use~~.gitignore. ~~MD5~~All secrets managed via Railway environment variables (production) or ~~SHA1~~.env.local ~~for~~(development, ~~passwords, use bcrypt cost factor below 10.~~git-ignored).

7. JWTCryptographic SigningInventory

~~(RSA~~+~~SHA-256)— asymmetric~~ ~~RSA,stored in~~ JWT_PRIVATE_KEY inJWT_PUBLIC_KEY~~(for verification)minutes~~ ~~days~~

~~Parameter~~System	~~Value~~Algorithm	Key Size	Mode	Key Location	Next Rotation
~~Algorithm~~PostgreSQL disk (Railway)	~~RS256~~AES-256	256-bit	XTS	Railway-managed	Railway-managed
~~Private~~Tax ~~key~~ID field encryption	~~2048-~~AES-256-GCM	256-bit	GCM	Railway env secret	Annual
~~Public~~IBAN ~~key~~field encryption	~~Stored~~AES-256-GCM	256-bit	GCM	Railway env secret	Annual
~~Access~~Cloudflare ~~token lifetime~~R2	15AES-256	256-bit	—	Cloudflare-managed	Cloudflare-managed
External TLS (Cloudflare)	ECDSA P-256	256-bit	—	Cloudflare	90 days (auto)
JWT signing	HMAC-SHA-256	256-bit	—	Railway env secret	Quarterly
Refresh token ~~lifetime~~signing	7HMAC-SHA-256	256-bit	—	Railway env secret	Quarterly
~~Key~~Password ~~rotation~~hashing	~~Annually or on compromise~~

~~Why RS256 over HS256:~~ ~~RS256 allows future token verification by external services without sharing the signing secret.~~

8. Monetary Data Integrity

~~Financial amounts must never be stored as floating-point types due to rounding errors in financial calculations.~~

~~Parameter~~	~~Standard~~
~~Database type~~bcrypt	`NUMERIC(19,4)` ~~— PostgreSQL exact decimal~~
~~Application type~~cost=12	`Decimal.js` ~~library~~ — ~~not JavaScript~~ `number`
~~Rounding~~	~~Banker's rounding (round half to even)~~
~~Currency storage~~N/A	~~ISO 4217 code (RSD, BAM, EUR) in separate column~~N/A

9.8. KeyFinancial ManagementData SummaryIntegrity

~~Keys~~Financial ~~are~~data ~~managed~~requires ~~per~~not ~~the~~just ~~Key~~confidentiality ~~Management~~but ~~Policy~~also ~~(key-management-policy.md).~~integrity. ~~Encryption~~Bilko ~~keys~~enforces:

~~must~~

NUMERIC(19,4) for all monetary amounts — never ~~be:~~
float
- ~~Committed~~JavaScript tonumber. ~~source~~Prevents ~~code~~rounding ~~repositories~~errors in VAT calculations.
- ~~Logged~~Immutable inLoggedAction ~~application~~table ~~logs~~— all mutations append-only with old/new values. Enables financial audit.
- ~~Sent~~Double-entry ~~over~~enforcement ~~unencrypted~~— ~~channels~~debit = credit validated at backend. Prevents imbalanced entries.
- ~~Stored~~Exchange ~~outside~~rate ~~Railway~~locking ~~environment~~— ~~variables~~rates orstored ~~Vaultwarden~~at transaction date. Historical accuracy preserved.

10.9. ProhibitedException AlgorithmsProcess

Exceptions

permitted IDs, IBAN, TOTP secrets, this

~~Algorithm~~	~~Status~~	~~Reason~~
~~MD5~~	~~PROHIBITED~~	~~Cryptographically broken~~
~~SHA-1~~	~~PROHIBITED for signing/hashing sensitive data~~	~~Collision attacks demonstrated~~
~~DES / 3DES~~	~~PROHIBITED~~	~~Insufficient key length~~
~~RC4~~	~~PROHIBITED~~	~~Multiple vulnerabilities~~
~~RSA with key < 2048 bits~~	~~PROHIBITED~~	~~Insufficient for current threat model~~
~~AES-128~~	~~PERMITTED (~~not ~~preferred)~~	~~AES-256 required for~~for: L4 Restricted data
~~AES-256-CBC~~	~~PERMITTED with caution~~	~~GCM preferred~~ (~~provides~~tax ~~authentication)~~
~~AES-256-GCM~~	password hashes) — no exceptions. ~~REQUIRED~~Exception request process: Submit to: [email protected] Required: system affected, algorithm excepted from, business justification, risk assessment, compensating controls, proposed duration (max 12 months) Approval: CTO Log: `/docs/security/exceptions.md` Review: Quarterly Active exceptions: ~~for~~None L4at ~~fields~~	~~Authenticated encryption~~

time.

Approval
Compliance

Role Name ~~Signature~~Date ~~Date~~Signature

Author ~~CTO~~ Architect 2026-02-23

~~Reviewer (DPO)~~CTO

~~Reviewer (Engineering Lead)~~DPO

~~Approver~~Engineering Lead ~~CEO~~

Role	Name	~~Signature~~Date	~~Date~~Signature
Author	~~CTO~~	Architect	2026-02-23
~~Reviewer (DPO)~~CTO
~~Reviewer (Engineering Lead)~~DPO
~~Approver~~Engineering Lead	~~CEO~~