Security

Security isn’t just a feature — it’s the foundation of any financial system.

Midaz is engineered with security at its core, delivering built-in protections like data integrity enforcement, access control, and fraud prevention. Through strong identity management, fine-grained permissions, and adherence to industry-leading practices, Midaz ensures resilience at every layer.

This page outlines the security architecture Midaz provides by default — and how it helps you run secure, compliant, and robust operations from day one.

Architecture

Midaz was projected to work in a secure structure. In order to create a secure code and architecture, the concept of security by design and threat modeling was used in the conception and still in use for new features.

Security by design: Security controls are embedded throughout the lifecycle — from design to deployment — following OWASP guidelines such as the OWASP Top 10 and OWASP Application Security Verification Standard (ASVS) standards.
Threat Modeling: Structured process used to identify, assess, and mitigate potential security risks in a system before they can be exploited. The methodology used in Midaz is called STRIDE where the threats are categorized in 6 types:
- Spoofing (e.g., fake authentication in a banking API).
- Tampering (e.g., altering transaction data mid-request).
- Repudiation (e.g., lack of audit logs for transactions).
- Information Disclosure (e.g., leaking sensitive data via API responses).
- Denial of Service (e.g., overwhelming the API with fake requests).
- Elevation of Privilege (e.g., exploiting a bug to gain admin access).

Shared responsibility model

Midaz operates under a Managed Service Provider (MSP) model, where security is a shared responsibility between Lerian and the customer.

Figure 2. Security Shared Responsability Model.

What Lerian secures

Lerian is responsible for the application layer. This includes:

Building secure-by-design services.
Proactively addressing vulnerabilities.
Releasing security updates, including dependency upgrades, security patches, and ongoing improvements.

What the customer secures

The customer is responsible for securing the environment where Midaz runs. This includes, but is not limited to, the following layers:

Infrastructure: Harden OS and container images, manage patches, and apply secure configurations on the hosting platform.
Network: Implement segmentation, firewalls, and IDS/IPS systems. Adopt Zero Trust principles to protect internal and external communication.
Database: Set up backups, audit logging, and follow security best practices for data storage.
Identity & Access Management: Control access to the environment and leverage Midaz’s RBAC features to enforce least-privilege policies within the platform.
Encryption: Encrypt sensitive data at rest and in transit. Consider tokenization or anonymization where appropriate.
User Data: All user data stored or processed via Midaz remains fully under the customer’s control and responsibility.
Monitoring: Establish monitoring tools capable of detecting unusual access patterns or suspicious behavior.
Additional Security Layers: Reinforce defenses with Web Application Firewalls (WAF), anti-DDoS mechanisms, and bot mitigation tools.

👍
Tip
Want actionable guidance on this topic? Check out our Security Recommendations in the Installing & Deploying section.

Identity and Access Management

Midaz is designed to support OAuth 2.0 by default, giving customers flexibility to choose how they manage identity and access. You have two options:

Use your own external IAM (Identity and Access Management) solution.
Use Lerian’s native Access Manager Plugin — ideal for customers without an existing IAM system or those looking for a fully integrated experience.

Option 1: External IAM

If you prefer to integrate your own IAM provider, you must ensure it follows modern security practices. To keep Midaz secure, we strongly recommend:

Using proven protocols such as OAuth 2.0 and OpenID Connect.
Requiring Multi-Factor Authentication (MFA).
Applying strong password hashing algorithms, like bcrypt or argon2.
Enforcing fine-grained access controls via RBAC, ABAC, or similar models.
Managing sessions securely, including expiration rules and refresh token policies.
Protecting endpoints from brute-force and replay attacks.
Enabling and reviewing access logs regularly.

Option 2: Access Manager Plugin

Our Access Manager Plugin offers a seamless way to manage authentication and authorization inside Midaz. It’s fully integrated and helps streamline deployment by enabling:

User lifecycle management
Session token handling
Refresh token rotation
Application registration and management

This option simplifies secure access control, while aligning with Midaz's native permission system (RBAC).

Data protection

Midaz enforces double-entry principles by design—every transaction must have balanced debits and credits. If an entry fails this validation, it’s automatically rejected. This not only ensures ledger integrity but also protects the system against race condition vulnerabilities and posting discrepancies.

Built-in safeguards

To maintain consistency and prevent logic errors, Midaz applies strict validation across all transaction flows:

Negative balances are blocked unless explicitly permitted.
Account status is verified before allowing any operation.
Assets must be registered and valid at the time of posting.

These checks reduce risk and ensure that financial operations align with business rules and regulatory expectations.

Compliance with LGPD and GDPR

While Midaz handles transactional validation and secure communication (via TLS 1.2 and 1.3), customers are responsible for protecting personally identifiable information (PII). To stay compliant with LGPD, GDPR, and similar data protection laws, we recommend:

Applying encryption for sensitive data, both at rest and in transit.
Using tokenization or anonymization when appropriate.
Storing and managing customer data under clearly defined security policies.

Data protection isn’t a single layer—it’s a shared commitment. Midaz provides the foundation. You build the safeguards.

Responsible disclosure policy

We believe that transparency builds trust. That’s why all known security improvements and fixes are shared openly in our GitHub Discussions. This allows the community to stay informed about ongoing security patches and enhancements.

If you identify a security vulnerability in Midaz, please report it directly to our team before making it public. We fully support responsible disclosure and are committed to investigating and resolving issues quickly and thoroughly.

🚧
Important
Please refrain from publicly disclosing any findings until we’ve had a chance to review and address them.

The steps to report a vulnerability:

Report: Email us at [email protected].
Acknowledgment: We respond within 24 hours.
Verification: Our team validates the report.
Impact Assessment: We determine the severity and impact.
Resolution: The issue is fixed, and the reporter is notified.
Public Disclosure: We coordinate disclosure with the researcher.

❗️
Attention
Use a PGP Key for secure communications. We prioritize confidentiality and swift resolution of all security reports.