Client Type: A mid-sized general insurance company with digital channels for claims submission and policyholder management

Challenge:

• The backend database stored sensitive customer data: ID numbers, contact info, bank account details for claim disbursement

• Customer data was stored in plaintext in some legacy tables, and internal teams had wide read access

• As PDP Law enforcement approached, the company needed a way to encrypt and control data without disrupting core system operations

Key Risks:

• Non-compliance with PDP Law (Indonesia), especially regarding data security and encryption obligations

• Risk of internal misuse or unintentional exposure of policyholder data

• Lack of auditable key management and decryption policies

SEVOLA’s Data Encryption Solution:

• Applied field-level encryption for critical PII fields: KTP, email, phone number, account number, and claim amount

• Integrated a Key Management System (KMS) to control decryption access by department, time, and purpose

• Enabled encryption-at-rest across customer tables using AES-256

• Enforced HTTPS/TLS for API-level communication between mobile app and backend

Result:

• Reduced data exposure surface while keeping system response time stable

• IT Security team gained full visibility into who accessed or decrypted sensitive data

• Internal audit reports flagged the system as PDP-ready, and legal compliance was approved for customer data processing