ISO 27001 Aligned Architecture

Security is our Operating System.

We do not treat security as a feature. We treat it as infrastructure. Demiton is architected on a "Zero Trust" philosophy, ensuring your banking credentials and transaction payloads never exist in plaintext on a disk.

The Sovereign Standard

Our three non-negotiable pillars of data protection.

Australian Sovereignty

We guarantee Data Residency. All production data, keys, and logs reside exclusively in Google Cloud (Sydney Region).

  • Region: australia-southeast1
  • Backup: australia-southeast2

Military-Grade Encryption

Data is encrypted at rest using AES-256. In transit, we enforce TLS 1.3. For banking handshakes, we utilize strict RSA-4096 key exchange.

  • Envelope Encryption
  • Automated Key Rotation

Hardware Isolation

Banking secrets (Private Keys) are never stored in our application database. They are isolated in hardware-backed Key Management Services (KMS).

  • Azure Key Vault Integration
  • Just-in-Time Access

THE DEMITON IRON LAYER

Protocol Zero:
The "Ram-Disk Enclave"

Traditional integration platforms (iPaaS) often store your file payload on a temporary disk before uploading it to the bank. This creates a "Data at Rest" vulnerability. If that server is compromised, your ABA file is exposed.

Demiton is different. We use a technique called "Pass-by-Value" via Volatile Memory.

  1. Ingestion: Data is pulled from Dynamics 365 directly into an ephemeral RAM buffer.
  2. Transmutation: The JSON data is converted to ABA/BAI2 format and cryptographically signed in memory.
  3. Transmission: The buffer streams directly to the Bank's SFTP server via an encrypted tunnel.
  4. Obliteration: Once the 226 Transfer Complete signal is received, the memory address is zeroed out.

Result: The unencrypted file never touches a hard drive.
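
The four steps above, shown as an added example that is not Demiton's code: one mutable buffer is built, signed, streamed without copies, and overwritten even when the transfer fails. Assumptions: `sink` is a hypothetical stand-in for the SFTP channel's write call, HMAC-SHA256 stands in for the unspecified signing scheme, and the record layout is a simplified placeholder rather than real ABA.

```python
import hashlib
import hmac
import json

CHUNK = 64  # bytes handed to the sink per write; small so the sample spans two writes

# Constructed sample input (not real account data).
SAMPLE_JSON = json.dumps([
    {"bsb": "062-000", "account": "12345678", "cents": 125000, "name": "ACME PTY LTD"},
    {"bsb": "033-001", "account": "87654321", "cents": 9950, "name": "J CITIZEN"},
])

def render_lines(records):
    """Simplified fixed-width stand-in for the JSON -> ABA/BAI2 step (not the real layout)."""
    for r in records:
        line = f"{r['bsb']:<7}{r['account']:<9}{r['cents']:010d}{r['name']:<32}\r\n"
        yield line.encode("ascii")

def send_in_memory(json_text, key, sink):
    """Build, sign and stream the payload from one mutable buffer, then zero it.

    sink is a hypothetical callable standing in for the SFTP channel's write().
    Returns (bytes_sent, hex_tag).
    """
    buf = bytearray()  # mutable, so it can be overwritten in place afterwards
    try:
        for line in render_lines(json.loads(json_text)):
            buf += line
        # Assumption: HMAC-SHA256 stands in for the unspecified signing scheme.
        tag = hmac.new(key, buf, hashlib.sha256).hexdigest()
        view = memoryview(buf)  # slices of a memoryview share memory, no copies
        for off in range(0, len(buf), CHUNK):
            sink(view[off:off + CHUNK])
        return len(buf), tag
    finally:
        # Runs on success and on a failed transfer alike. Same-length overwrite,
        # so the final buffer is replaced in place rather than reallocated.
        for i in range(len(buf)):
            buf[i] = 0
        # Caveat: json_text, the parsed records and each encoded line are
        # immutable Python objects; they cannot be zeroed and live until freed.
        # Buffer growth and OS swap can also leave copies outside this buffer.

if __name__ == "__main__":
    sent = []
    print(send_in_memory(SAMPLE_JSON, b"constructed-demo-key", lambda c: sent.append(bytes(c))))
```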

[Diagram: ERP Database (State: At Rest, Encrypted) → Volatile RAM Enclave (Payload.Encrypt(RSA_4096), No Disk I/O Operations, ACTIVE) → Bank SFTP Receiver (State: Secure Ingestion)]

Technical Controls Matrix

A detailed breakdown for your CISO or Risk Officer.

  • Application Security: Automated dependency scanning (Snyk), Static Analysis (SAST), and regular penetration testing.
  • Access Control (RBAC): Enforced Multi-Factor Authentication (MFA). Role-Based Access Control tied to Azure AD / Entra ID.
  • Network Security: VPC Peering, Private Service Connect, and strict Egress allow-listing for Bank IP addresses.
  • Audit Logging: Immutable logs of every transaction attempt, IP address, and outcome. Logs retained for 7 years in cold storage.
  • Disaster Recovery: Geo-redundant backups across Sydney and Melbourne zones. RPO: 5 minutes. RTO: 4 hours.

Responsible Disclosure

Security is a community effort. We run a private bug bounty program for researchers. If you have identified a potential vulnerability, please contact security@demiton.io immediately.