Encrypted by Default

All personally identifiable information is encrypted at rest as the baseline, not as a premium add-on.

Three Layers of Protection

Chobble Tickets uses a multi-layered encryption approach:

  • Hybrid RSA-OAEP + AES-256-GCM for attendee PII (names, emails, phone numbers, addresses)
  • AES-256-GCM for payment identifiers, pricing data, check-in records, and API credentials
  • PBKDF2 with 600,000 iterations and SHA-256 for password hashing

A three-layer key hierarchy protects your data: an environment variable root key, an RSA key pair, and per-user wrapped data keys. Even if someone gains access to the database, they can't read your attendees' personal information without the encryption keys. There is no backdoor, so a lost password means permanently unreadable data.
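The hybrid scheme listed above for attendee PII, shown as an added example using Node's built-in crypto module; this is not Chobble Tickets' own code. The RSA key size, OAEP hash, nonce length, and all function and field names are assumptions, since the page does not specify them.

```javascript
// Added example, not Chobble Tickets' code: hybrid RSA-OAEP + AES-256-GCM envelope.
// Assumptions: RSA-2048, OAEP with SHA-256, 96-bit GCM nonce, all names below.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt one PII value. Everything returned can be stored in the database.
function sealPii(publicKey, plaintext) {
  const dataKey = nodeCrypto.randomBytes(32); // fresh AES-256 key for this record
  const iv = nodeCrypto.randomBytes(12);      // GCM nonce, unique per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();            // integrity tag, checked on decrypt
  // Wrap the data key with RSA-OAEP: only the private key holder can unwrap it.
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, iv, tag, ciphertext };
}

// Decrypt a stored record. Throws if the key is wrong or the record was modified.
function openPii(privateKey, record) {
  const dataKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dataKey, record.iv);
  decipher.setAuthTag(record.tag);
  const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  return plain.toString('utf8');
}

// Constructed sample data: a throwaway key pair and a made-up attendee.
const SAMPLE_PII = 'Alex Example <alex@example.test>';
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleRecord = sealPii(publicKey, SAMPLE_PII);

console.log('stored ciphertext:', sampleRecord.ciphertext.toString('base64'));
console.log('with private key :', openPii(privateKey, sampleRecord));
```

A database dump holds only `wrappedKey`, `iv`, `tag` and `ciphertext`; without the RSA private key the data key cannot be recovered, and a modified record fails the GCM tag check instead of decrypting to altered text.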

Additional Security Measures

Beyond encryption at rest, the platform includes CSRF protection with 256-bit random tokens, rate limiting on login attempts (5 failed attempts trigger a 15-minute IP lockout), constant-time password comparison, Content-Type validation on all POST endpoints, and session tokens with 24-hour expiry using HttpOnly cookies.

Read the full cryptography documentation for implementation details.