Credential Management
Encryption at Rest
All integration credentials are encrypted using AES-256-GCM:
- 256-bit encryption keys
- Unique IV (Initialization Vector) per credential
- Authentication tag prevents tampering
Key Management
- Encryption keys stored in environment variables
- Keys never logged or exposed in errors
- Key rotation supported via key versioning
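The properties listed under Encryption at Rest and Key Management can be seen working together in the sketch below. It is an added example, not Demurly's code: the `CRED_KEY_V<n>` variable names, the `v<version>.<iv>.<tag>.<ciphertext>` envelope and the use of additional authenticated data (AAD) to bind a ciphertext to its organization and integration are all assumptions.

```javascript
// Added example. Env var names (CRED_KEY_V<n>), the envelope layout and the
// AAD binding are assumptions for illustration, not Demurly's implementation.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Look up the 256-bit key for one key version; errors never include key bytes.
function loadKey(version, env = process.env) {
  const key = Buffer.from(env[`CRED_KEY_V${version}`] || '', 'base64');
  if (key.length !== 32) throw new Error(`key v${version} missing or not 256 bits`);
  return key;
}

// Envelope: v<version>.<iv>.<tag>.<ciphertext>, binary parts base64-encoded.
function encryptCredential(secret, aad, version, env = process.env) {
  const iv = randomBytes(12); // fresh 96-bit IV for every credential
  const cipher = createCipheriv('aes-256-gcm', loadKey(version, env), iv);
  cipher.setAAD(Buffer.from(aad)); // binds ciphertext to its org/integration row
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return [`v${version}`, ...parts].join('.');
}

function decryptCredential(envelope, aad, env = process.env) {
  const [ver, ...rest] = envelope.split('.');
  if (!/^v\d+$/.test(ver) || rest.length !== 3) throw new Error('malformed envelope');
  const [iv, tag, ct] = rest.map((p) => Buffer.from(p, 'base64'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed envelope');
  const key = loadKey(Number(ver.slice(1)), env);
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, IV, tag or AAD was altered.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Rotation: re-encrypt anything not already under the current key version.
function rotateCredential(envelope, aad, current, env = process.env) {
  if (envelope.startsWith(`v${current}.`)) return envelope;
  return encryptCredential(decryptCredential(envelope, aad, env), aad, current, env);
}

// Constructed demo keys (random per run); real keys come from the environment.
const DEMO_ENV = {
  CRED_KEY_V1: randomBytes(32).toString('base64'),
  CRED_KEY_V2: randomBytes(32).toString('base64'),
};
```

Old key versions must stay loadable until every stored envelope has been re-encrypted; only then can the retired key be removed from the environment.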
Authentication Methods
| Integration | Method | Details |
|---|---|---|
| QuickBooks | OAuth 2.0 | Short-lived tokens (1 hour), auto-refresh |
| NetSuite | OAuth 1.0a + TBA | HMAC-SHA256, tokens never expire |
| SAP B1 | Session-based | 30-min timeout, auto-reconnect |
| SAP S/4HANA | Basic + CSRF | Communication arrangements |
Data Protection
In Transit
- All API calls use TLS 1.2+
- Certificate validation enforced
- No sensitive data in URLs
Audit Logging
Every integration operation is logged:
- Operation type and timestamp
- Entity type and ID
- Success/failure status
- Sensitive data redacted
Retention Periods
| Data | Retention |
|---|---|
| Webhook events | 90 days |
| Sync logs | 7 years |
| Credentials | Until disconnected |
Access Control
Row-Level Security (RLS)
All integration tables use Postgres RLS:
- Users can only see their organization's data
- Credentials accessible only via service role
- Admin role required for configuration
SOC 2 Alignment
| Trust Principle | Control | Implementation |
|---|---|---|
| Security | Access control | RLS, role checks |
| Security | Encryption | AES-256-GCM |
| Security | Logging | Full audit trail |
| Availability | Redundancy | Vercel edge network |
| Availability | Retry logic | Exponential backoff |
| Confidentiality | Classification | Credentials = sensitive |
| Confidentiality | Access logging | All credential access logged |
Suspect Credential Compromise?
Take these steps immediately:
- Disconnect the integration in Demurly
- Revoke tokens in the provider's system
- Contact support@demurly.com
- Reconnect with fresh credentials
Compliance Considerations
GDPR
- Integration data tied to organization
- Deletion cascades to all integration data
- Data export includes integration configs
PCI DSS
- No payment card data stored
- Stripe handles all card processing
- Integration credentials ≠ payment credentials
Security Contacts
Security issues: security@demurly.com
General support: support@demurly.com