Context
PII (email, phone, address, bank account details) is stored in plaintext in the database, so any database breach, leaked dump or over-privileged database account exposes it directly.
Current Limitation/Problem
Sensitive merchant and user data is stored in plaintext columns, so a database breach exposes all PII. Current encryption is at-rest only (disk level): it protects against lost or stolen storage media, but anyone who can run a query (a compromised DB credential, SQL injection, a leaked backup restored elsewhere) still reads plaintext.
Expected Outcome
Column-level AES-256-GCM encryption for PII fields with separate encryption keys per tenant, key rotation, and minimal performance impact.
Acceptance Criteria
- Identify PII columns: email, phone, address, bank_account, tax_id, ip_address
- Implement transparent encryption/decryption at the Prisma middleware layer
- AES-256-GCM with a random 96-bit IV per value, never reused under the same key (with random IVs, rotate the data key well before 2^32 encryptions, per NIST SP 800-38D); bind tenant and column name as AAD so a ciphertext cannot be moved between tenants or columns
- Tenant-specific data keys, envelope-encrypted (wrapped) under a master key held in KMS/Vault
- Key rotation with re-encryption support: every ciphertext carries its key version so rows encrypted under older versions stay readable until they are re-encrypted
- Searchable encrypted fields for exact matches (email lookup): random-IV GCM ciphertext cannot be queried, so store a separate deterministic blind index (keyed HMAC over the normalized value) alongside the ciphertext; any deterministic scheme leaks equality between rows, so it is used only for the index column, never for the data itself
- Performance: encryption adds <5ms per operation
- Audit log for all decryption operations
- Compliance: GDPR, CCPA, SOC2 readiness
Technical Scope
backend/src/encryption/ - encryption service
backend/src/encryption/column-encryptor.ts - transparent encrypt/decrypt
- Prisma middleware for automatic encryption/decryption
- AWS KMS or HashiCorp Vault for master key management
- Prisma: @@encrypted schema extension marking the columns to encrypt (a project-specific extension, not a built-in Prisma attribute)
- Edge cases: encrypted column search, key rotation during transactions, backup decryption
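A worked example of the mechanisms the acceptance criteria and the Prisma middleware scope call for, added here as illustration; it is not the project's column-encryptor.ts. It shows tenant data keys wrapped under a master key, AES-256-GCM with a random IV per value and tenant/column bound as AAD, versioned ciphertexts so rotation can re-encrypt lazily, a keyed blind index for exact-match email lookup, and a (params, next) wrapper in the shape Prisma's $use middleware expects. MASTER_KEY, the tenant names, the emailIndex column, the stored ciphertext format and the tenant field on params are assumptions for the example; in production the master key stays in AWS KMS or Vault and only wrap/unwrap calls leave the process.

```typescript
// Added example, not the project's own code: envelope-encrypted PII columns,
// a blind index for exact-match lookup, key rotation, and a Prisma-middleware-
// shaped wrapper. MASTER_KEY and the tenant/column names are constructed fixtures.
import { createCipheriv, createDecipheriv, createHmac, randomBytes } from "crypto";

const ALG = "aes-256-gcm";
const MASTER_KEY = Buffer.alloc(32, 7); // hypothetical; in production this lives in KMS/Vault
export const PII_FIELDS = ["email", "phone", "address", "bank_account", "tax_id", "ip_address"];

type WrappedKey = { version: number; iv: Buffer; tag: Buffer; wrapped: Buffer };
const keyRing = new Map<string, WrappedKey[]>(); // tenant -> DEKs wrapped under MASTER_KEY

function gcmSeal(key: Buffer, plaintext: Buffer, aad: Buffer) {
  const iv = randomBytes(12); // fresh 96-bit IV per value
  const c = createCipheriv(ALG, key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function gcmOpen(key: Buffer, iv: Buffer, ct: Buffer, tag: Buffer, aad: Buffer): Buffer {
  const d = createDecipheriv(ALG, key, iv);
  d.setAAD(aad);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if tag or AAD does not match
}

// Envelope encryption: a fresh random DEK per rotation, wrapped by the master key.
// Old versions are kept so existing rows stay readable until they are re-encrypted.
export function rotateTenantKey(tenant: string): number {
  const ring = keyRing.get(tenant) ?? [];
  const { iv, ct, tag } = gcmSeal(MASTER_KEY, randomBytes(32), Buffer.from(tenant));
  ring.push({ version: ring.length + 1, iv, tag, wrapped: ct });
  keyRing.set(tenant, ring);
  return ring.length;
}

function unwrapDek(tenant: string, version?: number): { version: number; dek: Buffer } {
  const ring = keyRing.get(tenant) ?? [];
  const entry = version === undefined ? ring[ring.length - 1] : ring[version - 1];
  if (!entry) throw new Error(`no key version ${version ?? "current"} for tenant ${tenant}`);
  return { version: entry.version, dek: gcmOpen(MASTER_KEY, entry.iv, entry.wrapped, entry.tag, Buffer.from(tenant)) };
}

// Stored format: v<version>:<iv>:<tag>:<ct> (base64). Tenant and column are bound
// as AAD so a ciphertext cannot be replayed into another tenant or column.
export function encryptField(tenant: string, column: string, value: string): string {
  const { version, dek } = unwrapDek(tenant);
  const { iv, ct, tag } = gcmSeal(dek, Buffer.from(value, "utf8"), Buffer.from(`${tenant}:${column}`));
  return `v${version}:${iv.toString("base64")}:${tag.toString("base64")}:${ct.toString("base64")}`;
}

export function decryptField(tenant: string, column: string, stored: string): string {
  const parts = stored.split(":");
  if (parts.length !== 4) throw new Error("malformed ciphertext");
  const [v, iv, tag, ct] = parts as [string, string, string, string];
  const { dek } = unwrapDek(tenant, Number(v.slice(1)));
  const b = (s: string) => Buffer.from(s, "base64");
  return gcmOpen(dek, b(iv), b(ct), b(tag), Buffer.from(`${tenant}:${column}`)).toString("utf8");
}

// Rotation step: decrypt with the version the row carries, re-encrypt with the newest.
export function reencryptField(tenant: string, column: string, stored: string): string {
  return encryptField(tenant, column, decryptField(tenant, column, stored));
}

// Blind index for exact-match search: keyed HMAC over the normalized value, kept in a
// separate column. Keyed from MASTER_KEY (not the DEK) so DEK rotation needs no rebuild.
// Deterministic by design, so equal values collide: that equality leak is the cost of search.
export function blindIndex(tenant: string, value: string): string {
  const indexKey = createHmac("sha256", MASTER_KEY).update(`index:${tenant}`).digest();
  return createHmac("sha256", indexKey).update(value.trim().toLowerCase()).digest("hex");
}

// Same (params, next) shape as prisma.$use: encrypt on write, route email lookups to the
// index column, decrypt on read, and record every decryption for the audit log.
type Params = { model: string; action: string; args: any; tenant: string };
export const auditLog: { tenant: string; model: string; column: string; at: number }[] = [];

export async function encryptionMiddleware(params: Params, next: (p: Params) => Promise<any>) {
  const { tenant, model } = params;
  const data = params.args?.data;
  if (data) for (const f of PII_FIELDS) if (typeof data[f] === "string") {
    if (f === "email") data.emailIndex = blindIndex(tenant, data[f]);
    data[f] = encryptField(tenant, f, data[f]);
  }
  const where = params.args?.where;
  if (where && typeof where.email === "string") {
    where.emailIndex = blindIndex(tenant, where.email);
    delete where.email; // random-IV GCM ciphertext cannot be matched by the database
  }
  const result = await next(params);
  const rows = Array.isArray(result) ? result : result ? [result] : [];
  for (const row of rows) for (const f of PII_FIELDS) if (typeof row[f] === "string") {
    row[f] = decryptField(tenant, f, row[f]);
    auditLog.push({ tenant, model, column: f, at: Date.now() });
  }
  return result;
}
```

Two design points worth noting against the edge cases above. Rotation during a transaction is safe with this layout because unwrapDek picks the newest version at call time and every ciphertext records which version it used, so a transaction that straddles a rotation simply writes a mix of v1 and v2 rows, all of which remain readable; a background job then walks rows and calls reencryptField until no old version is referenced, after which the old wrapped key can be retired. The blind index is intentionally not encryption: it lets the database answer an equality query without seeing plaintext, but two tenants' users with the same email produce different digests only because the index key is per tenant, and within a tenant identical emails produce identical digests, which is exactly the leak the acceptance criterion on deterministic matching accepts.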