Encryption & Data Security
CRYMBO's architecture is built on an encryption-first principle. No PII is ever stored on-chain, transmitted in plaintext, or accessible to unauthorized parties. Every identity exchange, compliance check, and data access event is protected by multiple layers of cryptographic security.
Core Principles
- No PII on-chain — Only cryptographic attestations are published to blockchains
- End-to-end encryption — PII is encrypted from sender to recipient; CRYMBO infrastructure cannot access it
- Zero-knowledge proofs — Selective disclosure enables compliance verification without data exposure
- Key sovereignty — Institutions control their own encryption keys; CRYMBO never holds private keys
- Audit without exposure — Compliance can be verified without revealing underlying identity data
Security Layers
| Layer | Protection |
|---|---|
| Transport | TLS 1.3 for all API and webhook communications |
| Application | AES-256 encryption for data at rest |
| Identity Exchange | RSA-OAEP or ECIES for PII encryption between counterparties |
| On-Chain | Cryptographic attestations — hashes and signatures only |
| Access Control | Role-based, jurisdiction-scoped, and audit-logged |