Open app

Security overview

Demerzel sits close to your infrastructure, so it is built to earn that trust rather than assume it. This page is the short tour; each area links to the detail.

The principles

  • Collect little. The agent reports operational metadata, never secrets or file contents. It is read-only, outbound-only, and runs a fixed set of collectors — see Data privacy & scope.
  • Isolate strictly. Every request is scoped to one organization. There is no shared view of data across tenants — see Tenant isolation.
  • Encrypt in transit. Everything moves over HTTPS. Agents authenticate with a per-agent certificate (mTLS); there are no shared API keys sitting on your servers.
  • No passwords to leak. Demerzel is passwordless — there is no password database to breach. See Access & authentication.
  • Record everything. Who did what, when, and from where is captured in an append-only audit trail — see Access & authentication.
  • Let you leave. Your data is yours. You can delete an organization and all its data permanently, at any time — see Your data: ownership & deletion.

Defense in depth

No single control is load-bearing. The agent minimizes what it can even send; the platform isolates what it stores; access is gated by roles; and every action is audited. A weakness in one layer does not expose your data through another.

Demerzel is a managed SaaS. You run only the lightweight agent on your own servers; everything else — storage, processing, the web app — is operated by us, so you inherit these protections without maintaining them.

Questions we’re happy to answer

Your data is hosted in Canada (OVHcloud, Beauharnois) with no third-party sub-processors for your monitoring data. For the full picture — residency, certifications and a DPA — see Data residency & compliance.