Skip to main content
Lerian SISBAJUD runs against the operational realities of judicial asset blocking: orders that must be fulfilled and reported per institution, permanent orders that re-attempt for weeks, personal data that must never sit in plaintext, and a legal obligation to prove what happened. It manages each under per-institution isolation.

Per-institution isolation


Lerian SISBAJUD is multi-tenant, with institution_id equal to the tenant. Each institution’s orders, files, credentials, and encryption keys are isolated; one deployment serves many institutions with no cross-institution visibility.

Reconciliation


Reconciliation runs at the grain of one monitoring or judicial order against a ledger balance snapshot. A scheduled scan compares outstanding orders to the ledger and recovers any gaps; an operator can also fire a manual reconciliation on demand. Monitoring orders that have passed their ceiling or deadline are swept closed so nothing lingers in monitoring past its legal life.

Permanent-block cadence


Permanent orders re-attempt the block daily and business-day aware, bounded by the CNJ 60-day reiteration ceiling or the order’s determined deadline. Reattempts are also woken by ledger balance-change events, so a deposit that lands between daily cycles is captured promptly rather than waiting for the next scheduled pass.

Credentials and key rotation


Two things rotate per institution, both administrative:
  • Connector credentials — the credentials Lerian SISBAJUD uses to reach the ledger and the file-exchange channel — can be registered and rotated.
  • The master encryption key (KEK) can be rotated; a rotation emits a key-rotated event. The per-record data key (DEK) sits under the master key, so rotating the master key re-seals data keys without re-encrypting every field.

Data protection


Personal data is protected at rest by design:
  • Envelope encryption. Each record has its own data key, sealed under the institution’s master key, with AES-256-GCM and per-field additional authenticated data — so a ciphertext cannot be swapped between fields or records.
  • Searchable tokenization. A blind index enables exact-match lookup on fiscal identifiers (CPF/CNPJ) and the process number without decryption; free text and monetary values are encrypted only, never tokenized.
  • Tamper-evident audit trail. Every state change is appended to a gap-free, cryptographically protected log — per-event authentication codes bind each entry to its position, and Merkle leaf hashes let the trail be verified without decrypting any payload.
  • LGPD. Subject-access requests export a data subject’s held data; erasure is honoured by crypto-erasure — destroying the record’s key so its ciphertext is irrecoverable while the audit record of the change survives.

Contingency


Failed orders are driven to a FAILED terminal state rather than left stuck in processing, and an operator can reprocess them. SLA-status and processing-statistics views expose where orders stand. Connector resolution fails closed: if the integration cannot safely resolve an account or a credential, it refuses the operation rather than acting on an ambiguous target.

Administrative API


Because orders arrive only by file, the HTTP surface submits no orders — it is administrative and observational. It lets an operator:
  • list orders and files, and read the detail of a single order or file;
  • reprocess failed orders;
  • run and list reconciliation;
  • view SLA status and processing statistics;
  • verify the audit trail;
  • handle LGPD requests — create and resolve them, run an erasure, and export a subject’s data;
  • register non-compliance justifications; and
  • configure the institution and register or rotate connector credentials.