Customer email addresses are considered personally identifiable information (PII), content that could potentially distinguish or identify a specific individual. You can use encryption to ensure the security of customer email addresses used for notifications and requests. To encrypt the email addresses, you must add information detailed in the following sections to Post-Interaction Email (PIE) feeds or to transactions.

Bazaarvoice email encryption is based on the RSA algorithm (4096-bit key). RSA pairs a public key to encrypt data and a private key to decrypt data. Bazaarvoice makes a shared public key available for clients, and maintains a private key.

Accessing public encryption keys

Bazaarvoice issues separate public keys for both staging and production environments, which cannot be used interchangeably.

Bazaarvoice strongly recommends that you obtain a new public key programmatically when you encrypt email addresses. Bazaarvoice changes the public and private keys regularly, and will change keys immediately if they are compromised. Older keys will continue to work, although you might receive a warning since retrieving new keys helps your company maintain the highest level of security.

For production, you can find the most up-to-date public key at the following URL:

For staging, you can find the most up-to-date public key at the following URL:

The JSON response at the above URLs contains the public encryption key and its associated encryption key ID. You must include the encryptionKeyId string when sending encrypted email addresses to Bazaarvoice.

The following example shows a public key and encryptionKeyId.

Encrypting email addresses for maintenance-free PIE

If you are using maintenance-free PIE with BV Pixel, include the encryption key ID and encrypted email with other PIE interaction parameters. Use the following parameters:

  • encryptedEmail—Use this parameter instead of email for customer email addresses.
  • encryptionKeyId—Include the encryptionKeyId string located under the public key string.

Bazaarvoice recommends the following practices when encrypting email addresses for maintenance-free PIE:

  • Encrypt email addresses via a server-side operation.
  • Retrieve the public key programmatically at least once every day for optimal security.
  • Retrieve the key no more than once per hour for optimal performance.
  • Store the public key within your system for error-handling resilience.

Example: Encrypted email address data in code

The following example shows the way an encrypted email address and encryption key ID would look in transaction code.

  "orderId" : "55555",
  "tax" : "1.44",
  "shipping" : "10.00",
  "total" : "40.84",
  "city" : "Austin",
  "state" : "TX",
  "country" : "USA",
  "currency" : "USD",
  "items" : [
              "sku" : "2245",
              "name" : "product name",
              "category" : "category name",
              "price" : "13.42",
              "quantity" : "1",
              "imageURL" : ""
              "sku" : "2246",
              "name" : "product name2",
              "imageURL" : ""
  "encryptedEmail" : "70c7dd458232284dd1720a29835fd4aa7afce99f2c587d3db43d19a54375b8afcdcca96206c6b3f99df8f058d1

  "encryptionKeyId" : "ENCRYPTION-KEY-ID-2016-07-15T21:17:55.208Z",
  "locale" : "en_US"

Encrypting email addresses for feed-based PIE

If you are using feed-based PIE, add the following information to your XML feed:

  • <EncryptedEmailAddress>—Use this element instead of <EmailAddress> for customer email addresses.
  • encryptionKeyID—Include the encryptionKeyID string located under the public key string as an attribute of the root <Feed> tag.

Bazaarvoice recommends the following best practices:

  • For security considerations, programmatically retrieve the public key at least once every day.
  • For performance considerations, retrieve the key no more than once per hour.
  • For error-handling resilience, store the public key within your system.

Example: Encrypted email address data in XML feed for PIE

The following example shows the way an encrypted email address and encryption key ID would look in a PIE feed.

<Feed xmlns="" encryptionKeyID="ENCRYPTION-KEY-ID-2016-07-15T21:17:55.208Z">
                <Name>Product 1</Name>