Intro
Notabene provides three encrypted Escrowed PII transmission methods through our protocol-agnostic SafePII service, which leverages state-of-the-art cryptography to secure PII data. Every piece of PII data is individually encrypted and stored in a secure, limited-access datastore.
Encryption keys are, by default, managed by VASPs themselves. Still, VASPs can elect to utilize our key management infrastructure for some or all aspects of their service, similar to how VASPs use a combination of local hot wallets and custodial wallet API services today. Unlike wallet API services, our SafePII service is explicitly designed around data encryption.
Regardless of how VASPs choose to use our SafePII service in the future, it is a considerable step up in data security over building your own service to integrate with an existing Travel Rule protocol. It also signals to counterparty exchanges that you take the data protection duties of implementing the Travel Rule very seriously.
Encryption Standard
The recommended encryption algorithms are defined in the DIDComm Messaging standard.
The following are used in Notabene's SafePII escrow flow:
AES256 for content encryption
X25519 for key wrapping
ES256K for signatures
How does Notabene’s SafePII service work?
Based on their needs, VASPs can choose between three different options:
1 - End-to-End
End-to-End SafePII brings the most security, as the Originating VASP encrypts PII data so that only they and the Beneficiary VASP can decrypt it.
In this flow, PII data is encrypted while in transit and in escrow, meaning Notabene will never have access to the contents. Even in the event of a hack or a leak, the attackers will not be able to decrypt the PII data because it is cryptographically “impossible” unless they can obtain the decryption key, which is known only to the two VASPs.
2 - Hosted
In the Hosted SafePII flow, Notabene encrypts all raw Travel Rule transfer data created through our easy-to-use RESTful API, so VASPs do not have to worry about local key management. Each VASP has a dedicated encryption key that is managed by Notabene’s PII service and can be rotated on demand.
Our current API customers will receive the benefits of the new SafePII flow and will be migrated to it automatically, without having to make any changes. The Hosted flow is particularly useful for VASPs using hosted/white-labeled exchange software and/or VASPs that don’t feel comfortable managing encryption keys by themselves.
3 - Hybrid
The Hybrid Escrow PII mode extends the End-to-End flow, where the Originator VASP further encrypts the PII data selectively using their dedicated Notabene-managed encryption key, allowing Notabene to decrypt the PII (or parts of the PII data) for in-flow pre-transaction name sanction screening.
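The difference between the End-to-End and Hybrid modes comes down to which keys each field's content key is wrapped for. The following Node.js sketch is an added example, not Notabene's API or the DIDComm wire format: it assumes AES-256-GCM as the AES256 mode and HKDF-SHA256 over the X25519 shared secret for key wrapping, omits ES256K signing, and all function names, party names and sample values are constructed.

```javascript
// Added illustration of per-field envelope encryption; not Notabene's code or the DIDComm JWE format.
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
        createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM helpers; output layout is iv(12) || tag(16) || ciphertext
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}
// Key-encryption key from an X25519 agreement (the HKDF info label is an assumption)
function kek(privateKey, publicKey) {
  const shared = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync('sha256', shared, Buffer.alloc(0), 'pii-field-wrap', 32));
}
// Encrypt one field under a fresh content key, wrapped once per permitted reader
function encryptField(value, readers, publicKeys) {
  const cek = randomBytes(32);
  const eph = generateKeyPairSync('x25519');
  const wrapped = {};
  for (const name of readers) wrapped[name] = seal(kek(eph.privateKey, publicKeys[name]), cek);
  return { epk: eph.publicKey, wrapped, data: seal(cek, Buffer.from(value, 'utf8')) };
}
function decryptField(field, name, privateKey) {
  if (!field.wrapped[name]) throw new Error(`${name} is not a recipient of this field`);
  const cek = open(kek(privateKey, field.epk), field.wrapped[name]);
  return open(cek, field.data).toString('utf8');
}
// policy maps each field name to the parties allowed to read it
function encryptPII(pii, policy, publicKeys) {
  const out = {};
  for (const [field, value] of Object.entries(pii))
    out[field] = encryptField(value, policy[field], publicKeys);
  return out;
}

// Constructed sample: Hybrid policy exposes only the name to the escrow (screening) key
const parties = ['originator', 'beneficiary', 'escrow'];
const keys = Object.fromEntries(parties.map(p => [p, generateKeyPairSync('x25519')]));
const publicKeys = Object.fromEntries(parties.map(p => [p, keys[p].publicKey]));
const pii = { name: 'Alice Example', dateOfBirth: '1990-01-01' };
const hybridPolicy = { name: parties, dateOfBirth: ['originator', 'beneficiary'] };
const hybrid = encryptPII(pii, hybridPolicy, publicKeys);
```

Dropping `escrow` from every entry of the policy gives the End-to-End case, where the escrow key holder can decrypt nothing.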