SHA-256 integrity per version

Every file and every new version is fingerprinted with a SHA-256 hash. You can prove at any time that the document hasn't been altered since upload – essential for GoBD and HGB.

  • Hash on upload and every new version
  • Duplicate detection across identical hashes
  • Verify on demand inside the UI

Audit log with context

Every action – upload, preview, download, delete, permission change, signature request – is logged.

  • User, timestamp, resource, action
  • IP address and user agent
  • Branch (branch_id) for multi-tenant setups
  • Filterable by date, user, action

Cryptographic audit chain

For e-signatures, every action is additionally cryptographically chained (prev_hash → row_hash). Tampering with the audit trail would be immediately visible.

  • Signature events form a hash chain
  • Verification by hash recompute
  • Tamper protection at the database level
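
How verification by hash recompute can work, as an added example that is not the product's own code: only the column names prev_hash and row_hash come from this page, while the event fields, the JSON canonicalisation, the all-zero genesis value and the externally stored chain head are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash of the first row in a chain


def row_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over prev_hash plus a canonical JSON encoding of the event (assumed layout)."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append(chain: list, event: dict) -> None:
    """Link a new event to the row_hash of the current last row."""
    prev = chain[-1]["row_hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev, "row_hash": row_hash(prev, event)})


def verify(chain: list, expected_head: Optional[str] = None) -> list:
    """Recompute every link and return a list of (index, problem) findings."""
    findings = []
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev:
            findings.append((i, "prev_hash does not match preceding row_hash"))
        if row_hash(row["prev_hash"], row["event"]) != row["row_hash"]:
            findings.append((i, "row_hash does not match row content"))
        prev = row["row_hash"]
    # Dropping the newest rows leaves a valid shorter chain, so compare the head
    # against a copy kept outside the database when one is available.
    if expected_head is not None and prev != expected_head:
        findings.append((len(chain), "chain head differs from externally stored head"))
    return findings


def build_sample() -> list:
    """Constructed sample events, not real data."""
    chain = []
    for action in ("signature_requested", "document_viewed", "document_signed"):
        append(chain, {"request_id": 17, "action": action, "user": "signer@example.test"})
    return chain


if __name__ == "__main__":
    chain = build_sample()
    head = chain[-1]["row_hash"]
    print("intact:", verify(chain, head))
    chain[1]["event"]["action"] = "document_declined"  # edit one row in place
    print("edited:", verify(chain, head))
```

An edited row fails its own row_hash check, a removed row breaks the prev_hash link of its successor, and removal of the newest rows only shows up through the head comparison.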

Retention & legal hold

Define retention periods per folder and lock documents during ongoing proceedings.

  • Retention policies per folder
  • Legal holds for ongoing proceedings
  • Automatic protection from deletion
  • Expired documents cleaned up via job pipeline

ClamAV virus scan

Incoming files are scanned before storage – with configurable block or quarantine policy.

  • Synchronous scan on upload (optional)
  • Quarantine area for suspect files
  • Definition update via the OS
  • Status and statistics in DMS admin

Token hashing & signed URLs

External shares are not guessable: tokens are stored as a hash only. Preview links are signed and carry an expiry (TTL).

  • Token hash (no plaintext in DB)
  • Signed preview URLs with expiry
  • Optional password protection (bcrypt)
  • Optional IP allowlist

Rate limiting

Public endpoints (share links, signature routes) are protected by rate limits against brute-force and crawlers.

  • Per-IP and per-token limits
  • Throttle for sending and reminders
  • Configurable per endpoint

Module license gate

Unbooked modules are blocked server-side (HTTP 423 Locked) – misbookings or accidental activations are impossible.

  • .env-based mapping
  • Notice page with booking link
  • No data leak when modules are disabled

Encryption & settings

Sensitive configurations (e.g., SMTP passwords, cloud OCR keys) are encrypted at rest using Laravel's Crypt::encryptString.

  • Settings encryption with app key
  • HTTPS-only recommendation (HSTS via web server)
  • Recommended at-rest encryption of data volumes

Compliance

Made for GDPR & GoBD.

You retain sovereignty over your data. Optionally host the DMS in your own infrastructure.

Hosted in Germany

Optionally in our German data center or with your own provider.

No trackers

This marketing site and the DMS UI use no trackers and no cookie-banner theatre.

On-premises possible

Full on-premises installation with local storage, S3, or WebDAV – your choice.

We answer your security questions personally.

Security whitepaper, auditor briefing, or architecture workshop – just reach out.