Guides
Start typing to search…

Security

Suggest Edits

Security isn’t just a feature—it’s the foundation of financial systems. Midaz is engineered with integrity, transparency, and control in mind. To reduce exposure and prevent data leaks, we strongly recommend deploying Midaz within a secure, private network (intranet), not exposed to the public internet.

Midaz doesn’t include built-in identity, access management, or audit trails. These capabilities are available through optional paid plugins, which can be added as needed. This keeps the core system focused on reliable, high-integrity transaction processing—while giving teams flexibility to extend functionality based on their architecture and security needs.


Identity and Access Management (Optional Plugin)

Access and identity management can be added to Midaz via an optional plugin, the Access Manager. This module separates identity management (who’s logging in) from authorization (what they’re allowed to do), enforcing the principle of least privilege.

Identity Management

When using the plugin, authentication and user profiles are handled in one place. Features include:

  • Secure login flows and account provisioning
  • User account creation and management
  • Role-Based Access Control (RBAC) using groups
  • Action-level permission assignments across plugin endpoints
  • Machine-to-Machine (M2M) credentials for service integrations

Authorization

  • Authentication and authorization for both users and M2M credentials
  • Refresh tokens for session continuity
  • Automatic token expiration for added security

⚠️

Important

Midaz does not enforce any authorization rules on its own. Without the access management plugin or an external integration, anyone with network access could potentially trigger API calls. Keep your deployment isolated on a secure intranet.


Ensuring Data Integrity in Financial Transactions

Financial systems demand precision. Midaz enforces strict measures to ensure every transaction is accurate, traceable, and compliant.

Double-Entry Integrity

Midaz follows a double-entry model, guaranteeing that debits match credits. Unbalanced transactions are automatically rejected to prevent inconsistencies.

Append-Only Ledger

Ledgers are immutable. Changes can only be made through new transactions—not by editing existing records—ensuring full traceability and regulatory alignment.

🚧

Audit trails

Full traceability and audit logs are available via an optional Audit Trail plugin that is still under development. In the future, this module will record every action with timestamps and metadata, enabling in-depth monitoring and compliance support.

Consistent Use of Transactions

Midaz enforces transaction-based updates. Even admin changes must go through transaction APIs to maintain an accurate audit trail.

Data Validation

Built-in safeguards prevent invalid states—like negative balances or nonexistent assets—unless explicitly allowed. This helps align business logic with financial rules.


Securing Transactions and Preventing Fraud

Midaz helps protect your platform from fraud and misuse. Here’s how to layer your defenses.

Approval Workflows

Use maker-checker patterns to require dual approval for sensitive operations. Each action is logged, including who initiated it and when.

Monitoring and Alerts

Midaz logs every operation. Use these logs to build alerts for:

  • Unusual transaction volumes
  • Failed login attempts
  • After-hours activity

Secure API Usage

All API calls must be encrypted (HTTPS). Use secure tokens with scoped access, and never hardcode secrets in client apps.

Data Encryption

Protect all data in transit and at rest. Regular encrypted backups help ensure business continuity.

Regular Audits

Security is an ongoing process. Schedule regular reviews, updates, and penetration tests to stay ahead of threats.

Fraud Response Plan

If something goes wrong, Midaz’s logs and immutable structure help you act fast:

  • Freeze affected accounts
  • Trace unauthorized activity
  • Lock impacted portfolios

Recommendations for Secure Deployments

To keep your Midaz setup secure, follow these best practices:

1. Keep It on the Intranet

Never expose Midaz directly to the internet. Host it on a secure, private network to prevent unauthorized access.

2. Secure Configuration Management

  • Avoid hardcoded secrets.
  • Use secure tools like HashiCorp Vault for secret management.

3. Apply Updates Promptly

Keep Midaz and its dependencies up to date to patch security vulnerabilities.

4. Protect Authentication and Authorization

If using the plugin or an external identity provider, ensure their configuration is reviewed regularly.


Responsible Disclosure Policy

Security is a shared effort. If you discover a vulnerability, please let us know.

  1. Report: Email us at security@lerian.studio.
  2. Acknowledgment: We respond within 24 hours.
  3. Verification: Our team validates the report.
  4. Impact Assessment: We assess severity and risk.
  5. Resolution: We fix the issue and notify you.
  6. Public Disclosure: We coordinate with you for safe disclosure.

🚧

Use a PGP Key for secure communications.

We prioritize confidentiality and fast resolution of all reports.

Updated 11 days ago

Did this page help you?