Per-institution isolation
Lerian SISBAJUD is multi-tenant, with
institution_id equal to the tenant. Each institution’s orders, files, credentials, and encryption keys are isolated; one deployment serves many institutions with no cross-institution visibility.
Reconciliation
Reconciliation runs at the grain of one monitoring or judicial order against a ledger balance snapshot. A scheduled scan compares outstanding orders to the ledger and recovers any gaps; an operator can also fire a manual reconciliation on demand. Monitoring orders that have passed their ceiling or deadline are swept closed so nothing lingers in monitoring past its legal life.
Permanent-block cadence
Permanent orders re-attempt the block daily and business-day aware, bounded by the CNJ 60-day reiteration ceiling or the order’s determined deadline. Reattempts are also woken by ledger balance-change events, so a deposit that lands between daily cycles is captured promptly rather than waiting for the next scheduled pass.
Credentials and key rotation
Two things rotate per institution, both administrative:
- Connector credentials — the credentials Lerian SISBAJUD uses to reach the ledger and the file-exchange channel — can be registered and rotated.
- The master encryption key (KEK) can be rotated; a rotation emits a key-rotated event. The per-record data key (DEK) sits under the master key, so rotating the master key re-seals data keys without re-encrypting every field.
Data protection
Personal data is protected at rest by design:
- Envelope encryption. Each record has its own data key, sealed under the institution’s master key, with AES-256-GCM and per-field additional authenticated data — so a ciphertext cannot be swapped between fields or records.
- Searchable tokenization. A blind index enables exact-match lookup on fiscal identifiers (CPF/CNPJ) and the process number without decryption; free text and monetary values are encrypted only, never tokenized.
- Tamper-evident audit trail. Every state change is appended to a gap-free, cryptographically protected log — per-event authentication codes bind each entry to its position, and Merkle leaf hashes let the trail be verified without decrypting any payload.
- LGPD. Subject-access requests export a data subject’s held data; erasure is honoured by crypto-erasure — destroying the record’s key so its ciphertext is irrecoverable while the audit record of the change survives.
Contingency
Failed orders are driven to a FAILED terminal state rather than left stuck in processing, and an operator can reprocess them. SLA-status and processing-statistics views expose where orders stand. Connector resolution fails closed: if the integration cannot safely resolve an account or a credential, it refuses the operation rather than acting on an ambiguous target.
Administrative API
Because orders arrive only by file, the HTTP surface submits no orders — it is administrative and observational. It lets an operator:
- list orders and files, and read the detail of a single order or file;
- reprocess failed orders;
- run and list reconciliation;
- view SLA status and processing statistics;
- verify the audit trail;
- handle LGPD requests — create and resolve them, run an erasure, and export a subject’s data;
- register non-compliance justifications; and
- configure the institution and register or rotate connector credentials.

