Privacy Policy

Effective Date: 12 December 2025

Executive Summary: Demiton provides Sovereign Financial Infrastructure. We process sensitive banking and ERP data. We treat this data as your asset. We do not sell data. We do not use customer financial data to train public AI models.

1. Introduction

This Privacy Policy explains how Demiton ("we," "us," or "our") collects, uses, and protects information when you use our Banking Mesh platform. We operate as a Data Processor; you (the Customer) retain the role of Data Controller.

2. Data Collection

We collect specific categories of data to facilitate financial orchestration:

  • Identity Data: Name, email address, and role of authorized users within your workspace.
  • Financial Payloads: Payment files (ABA, ISO20022) and reconciliation files (BAI2) transmitted between your ERP and Bank. Note: These are typically processed in-memory and encrypted at rest.
  • Infrastructure Secrets: SSH Keys, API Keys, and PGP Keys required to authenticate with Banking Host-to-Host services.
  • Telemetry: Technical logs regarding API performance, file transmission success/failure, and system health.

3. Usage of Data

We use your data solely for the purpose of providing the Service:

  • Orchestration: To translate, encrypt, and transmit financial instructions between your ERP and your Bank.
  • Audit & Governance: To create an immutable log of file transmissions for your internal compliance (ISO 27001).
  • Support: To diagnose connectivity issues with banking gateways (e.g., Westpac iLink, CBA CommBiz).

4. Data Sharing

We do not sell your personal information or Customer Data. We share information only in these operational contexts:

  • Banking Institutions: We transmit payment instructions to your nominated banks (e.g., CBA, NAB) at your explicit direction.
  • Implementation Partners: If you are managed by a certified Demiton Partner (e.g., Fusion5, Dialog), they may have access to your configuration logs to provide support.
  • Infrastructure Providers: We use Google Cloud Platform (GCP) for hosting. Data remains encrypted and they do not have access to plain-text payloads.

5. Security Measures

We implement a defense-in-depth security architecture designed for financial services:

  • Zero-Knowledge Auth: We authenticate with banks using cryptographic keys, not shared passwords.
  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3 / SFTP).
  • Access Control: Internal access to production environments is restricted via Just-In-Time (JIT) access and multi-factor authentication.

6. Data Sovereignty

Australian Residency

Unless explicitly configured for a multi-region deployment, all Customer Data persistence occurs exclusively within the Australia Southeast (Sydney) region to comply with Australian data sovereignty requirements.

7. Contact Us

For privacy inquiries, Data Subject Access Requests (DSAR), or to report a security concern, please contact our Data Protection Officer:

Email: privacy@demiton.io
Address: Demiton Pty Ltd, Brisbane, QLD, Australia.

© 2026 Demiton Pty Ltd. Sovereign Financial Infrastructure.