Security

DMM ensures secure data handling throughout the migration process.

No Intermediate Storage

Data is never stored at any intermediate location during migration. The DMM process runs entirely within the customer’s OutSystems infrastructure, inside their security perimeter. It reads data in chunks from the source environment and writes it directly into the destination environment's database. As a result, there is no need to secure temporary storage or external processing services — eliminating a major security concern.

Transport Layer Security with HTTPS

DMM uses HTTPS for REST API calls between the DMM modules in the Source and Destination OutSystems environments. HTTPS provides robust Transport Layer Security (TLS), which ensures:

• Encryption: All data in transit is encrypted.

• Integrity: Ensures data has not been modified or tampered with.

• Authentication: Confirms the identity of the communicating server.

Application-Level Security with an REST API Key

Beyond HTTPS, DMM also uses an application-level api key to secure communication between source and destination environments. This key is:

• Defined in the module and required by the API caller (destination DMM module).

• A mechanism to authenticate the caller, ensuring only trusted sources can initiate migrations.

Optional Data Anonymization

If you configure data anonymization for specific attributes in your business entities, DMM will exclude those fields entirely from the read process — the data is not retrieved from the source database at all. This allows you to further reduce exposure of sensitive data during migrations.

Secure Access

DMM guarantees security access by using the OutSystems platform security mechanisms – only users authenticated on the OutSystems platform can access the component.

Additionally, DMM controls the access to the user interface through 2 different roles that must be explicitly configured in the OutSystems platform in order to operate/access DMM. If users do not have any of those roles, even if they are authenticated in OutSystems, they cannot access DMM pages.

One role is a full user, capable of accessing and executing all features of DMM. The other role has limited access and can only execute (launch) pre-configured operations in DMM, so it cannot change the operations’ configurations.

Data Access

DMM is deployed in the client’s OutSystems infrastructure, therefore it executes within the client’s security perimeter. DMM never sends or shares with Infosistema information about user business data.

DMM never sends any business information (your data) to our subscription server. Subscription validation is always made through HTTPS, standard TLS port 443.

DMM will for example send information to the subscription control server on what features your subscription key is being asked to execute and information about the volume of an execution the tool is performing (this enables DMM to validate that your subscription has access to the features you are trying to execute, or validate the subscription tier volume you have subscribed to). DMM collects usage history and statistics and sends it to the subscription control server - never business data (never your data). 

Best Practices

DMM is developed and installed on the OutSystems platform, which follows the best practices related to security (like OWASP) and privacy.

See more information in https://www.outsystems.com/security/