Skip to main content
Security isn’t just a feature. It’s the foundation of any financial system. Midaz is engineered with security at its core, delivering built-in protections like data integrity enforcement, access control, and fraud prevention. Through strong identity management, fine-grained permissions, and adherence to industry-leading practices, Midaz ensures resilience at every layer. This page outlines the security architecture Midaz provides by default — and how it helps you run secure, compliant, and robust operations from day one.

Architecture

Midaz was designed to work in a secure structure. To create secure code and architecture, the concepts of security by design and threat modeling were used from the start and are still applied to every new feature.
  • Security by design: Security controls are embedded throughout the lifecycle — from design to deployment — following OWASP guidelines such as the OWASP Top 10 and OWASP Application Security Verification Standard (ASVS) standards.
  • Threat Modeling: Structured process used to identify, assess, and mitigate potential security risks in a system before they can be exploited. The methodology used in Midaz is called STRIDE where the threats are categorized in 6 types:
    • Spoofing (e.g., fake authentication in a banking API).
    • Tampering (e.g., altering transaction data mid-request).
    • Repudiation (e.g., lack of audit logs for transactions).
    • Information Disclosure (e.g., leaking sensitive data via API responses).
    • Denial of Service (e.g., overwhelming the API with fake requests).
    • Elevation of Privilege (e.g., exploiting a bug to gain admin access).

Shared responsibility model

Security is a shared responsibility between Lerian and the customer. The exact split depends on your deployment model.
Midaz Shared Responsibility Jp

In the BYOC model

In BYOC (Bring Your Own Cloud), you deploy Lerian in your own infrastructure. Lerian secures the application layer. You secure the environment. What Lerian secures:
  • Building secure-by-design services.
  • Proactively addressing vulnerabilities.
  • Releasing security updates, including dependency upgrades, security patches, and ongoing improvements.
What the customer secures:
  • Infrastructure: Harden OS and container images, manage patches, and apply secure configurations on the hosting platform.
  • Network: Implement segmentation, firewalls, and IDS/IPS systems. Adopt Zero Trust principles to protect internal and external communication.
  • Database: Set up backups, audit logging, and follow security best practices for data storage.
  • Identity & Access Management: Control access to the environment and leverage Midaz’s RBAC features to enforce least-privilege policies within the platform.
  • Encryption: Encrypt sensitive data at rest and in transit. Consider tokenization or anonymization where appropriate.
  • User Data: All user data stored or processed via Midaz remains fully under the customer’s control and responsibility.
  • Monitoring: Establish monitoring tools capable of detecting unusual access patterns or suspicious behavior.
  • Additional Security Layers: Reinforce defenses with Web Application Firewalls (WAF), anti-DDoS mechanisms, and bot mitigation tools.

In the SaaS model

In SaaS, Lerian manages the full infrastructure. The security responsibility shifts — Lerian takes on significantly more. What Lerian secures:
  • Everything in the BYOC application layer, plus:
  • Cloud infrastructure, networking, and compute environment.
  • Database provisioning, encryption at rest, and automated backups.
  • OS and container patching.
  • Monitoring, alerting, and incident response.
  • High availability and disaster recovery.
What the customer secures:
  • Business-level access control: Manage users, roles, and permissions within the platform.
  • API integration security: Secure the communication between your systems and the Lerian APIs.
  • User Data governance: Define and enforce data handling policies that meet your regulatory obligations.
  • Compliance: Ensure your use of the platform aligns with your institution’s regulatory requirements.
Want actionable guidance on this topic? Check out our Security Recommendations in the Installing & Deploying section.

Identity and Access Management

Midaz is designed to support OAuth 2.0 by default, giving customers flexibility to choose how they manage identity and access. You have two options:
  • Use your own external IAM (Identity and Access Management) solution.
  • Use Lerian’s native Access Manager Plugin — ideal for customers without an existing IAM system or those looking for a fully integrated experience.

Option 1: External IAM

If you prefer to integrate your own IAM provider, you must ensure it follows modern security practices. To keep Midaz secure, we strongly recommend:
  • Using proven protocols such as OAuth 2.0 and OpenID Connect.
  • Requiring Multi-Factor Authentication (MFA).
  • Applying strong password hashing algorithms, like bcrypt or argon2.
  • Enforcing fine-grained access controls via RBAC, ABAC, or similar models.
  • Managing sessions securely, including expiration rules and refresh token policies.
  • Protecting endpoints from brute-force and replay attacks.
  • Enabling and reviewing access logs regularly.

Option 2: Access Manager Plugin

Our Access Manager Plugin offers a seamless way to manage authentication and authorization inside Midaz. It’s fully integrated and helps streamline deployment by enabling:
  • User lifecycle management
  • Session token handling
  • Refresh token rotation
  • Application registration and management
This option simplifies secure access control while aligning with Midaz’s native permission system (RBAC).

Data protection

Midaz enforces double-entry principles by design—every transaction must have balanced debits and credits. If an entry fails this validation, it’s automatically rejected. This not only ensures ledger integrity but also protects the system against race condition vulnerabilities and posting discrepancies.

Built-in safeguards

To maintain consistency and prevent logic errors, Midaz applies strict validation across all transaction flows:
  • Negative balances are blocked unless explicitly permitted.
  • Account status is verified before allowing any operation.
  • Assets must be registered and valid at the time of posting.
These checks reduce risk and ensure that financial operations align with business rules and regulatory expectations.

Compliance with LGPD and GDPR

While Midaz handles transactional validation and secure communication (via TLS 1.2 and 1.3), customers are responsible for protecting personally identifiable information (PII). To stay compliant with LGPD, GDPR, and similar data protection laws, we recommend:
  • Applying encryption for sensitive data, both at rest and in transit.
  • Using tokenization or anonymization when appropriate.
  • Storing and managing customer data under clearly defined security policies.
Data protection isn’t a single layer—it’s a shared commitment. Midaz provides the foundation. You build the safeguards.

Responsible disclosure policy

We believe that transparency builds trust. That’s why all known security improvements and fixes are shared openly in our GitHub Discussions. This allows the community to stay informed about ongoing security patches and enhancements. If you identify a security vulnerability in Midaz, please report it directly to our team before making it public. We fully support responsible disclosure and are committed to investigating and resolving issues quickly and thoroughly.
Please refrain from publicly disclosing any findings until we’ve had a chance to review and address them.
The steps to report a vulnerability:
1

Report

Email us at security@lerian.studio.
2

Acknowledgment

We respond within 24 hours.
3

Verification

Our team validates the report.
4

Impact Assessment

We determine the severity and impact.
5

Resolution

The issue is fixed, and the reporter is notified.
6

Public Disclosure

We coordinate disclosure with the researcher.
Use a PGP Key for secure communications. We prioritize confidentiality and swift resolution of all security reports.