Security & Compliance
Security is infrastructure, not a feature.
Demiton processes sensitive operational and financial data on behalf of civil contractors. We apply the same standard to our own infrastructure that we help our customers apply to theirs.
Certifications & controls
ISO 27001
Aligned architecture - formal certification in progress
Australian Data Residency
All data stored exclusively in Azure Australia East (Sydney)
AES-256 at rest · TLS 1.3 in transit
Envelope encryption with automated key rotation via Azure Key Vault
7-year append-only audit trail
Every read and write traced to a named Entra user. Immutable cold storage.
Hardware-isolated secrets
Integration credentials never stored in the application database. Azure Key Vault only.
Technical controls matrix
For your CISO, risk officer, or procurement team. Detailed whitepaper available on request.
| Control | Implementation |
| --- | --- |
| Authentication | Microsoft Entra ID (OIDC). MFA enforced. Passwordless and SSO options. |
| Authorisation | Role-Based Access Control (RBAC). Every action resolves against the requesting identity before execution. |
| Data in transit | TLS 1.3 enforced on all endpoints. Certificate pinning on adapter connections. |
| Data at rest | AES-256 encryption. Envelope encryption with per-tenant key hierarchy. |
| Credential vaulting | Integration secrets isolated in Azure Key Vault. Just-in-time access. Zero plaintext disk persistence. |
| Network isolation | Azure Virtual Network peering. Private Link for database and storage. Strict egress allow-listing. |
| Audit logging | Append-only logs of every transaction. IP address, outcome, and identity captured. Retained 7 years in cold storage. |
| Disaster recovery | Geo-redundant backups across Sydney and Melbourne. RPO: 5 minutes. RTO: 4 hours. |
| Vulnerability management | Automated dependency scanning (Snyk). Static analysis (SAST). Annual penetration testing. |
| Incident response | 24-hour notification SLA for material incidents. Dedicated security contact at security@demiton.io. |
Ghost Protocol
Sensitive data lives in RAM only.
Traditional integration platforms store data payloads on temporary disks during processing. If that server is compromised, your operational data is exposed.
Demiton processes sensitive data exclusively in volatile memory - pulled from source systems, transformed and signed in-memory, streamed to the target system via an encrypted tunnel, and zeroed out once delivery is confirmed.
Result: Sensitive data never touches a hard drive unencrypted.
Responsible disclosure
We run a private bug bounty program for security researchers. If you have identified a potential vulnerability, contact security@demiton.io immediately. We acknowledge within 24 hours.
Procurement & compliance review
Running a supplier onboarding process? We can provide a detailed security questionnaire response, penetration test summary, or custom data processing agreement.