Security & Trust

1. Data Protection & Encryption | حماية البيانات والتشفير

• Encryption in transit: All traffic is encrypted over HTTPS/TLS. HTTP requests are redirected to HTTPS.
• Encryption at rest: Data is stored on infrastructure that encrypts at the disk level (Supabase / PostgreSQL, hosted on Vercel).
• Payments: Payments are processed by Stripe, a PCI-DSS-compliant processor. We never store card numbers.
• Data residency: We support hosting the database in the Bahrain (me-central) region for KSA and GCC customers.

2. Tenant Isolation & Access Control | عزل المستأجرين والتحكم في الوصول

Each organization's data is isolated at the database layer, not merely in the application UI.

• Row-Level Security (RLS): PostgreSQL enforces RLS policies binding every row to its owner or organization, so no tenant can read another's data.
• Least privilege: Sensitive operations use the service role only where required, with ownership checks before any action.
• Role-based access: Permissions are tiered across subscription levels and admin roles, enforced at both the edge proxy and the API layer.

3. Authentication | المصادقة

• Magic links & passwords: Secure email magic-link or password sign-in, managed via Supabase Auth.
• Multi-factor authentication (MFA): TOTP-based MFA is supported and enforced on administrative accounts before they can reach admin surfaces.
• Short-lived sessions: Short-lived, rotating access tokens, with the ability to review and revoke the current session.

4. Application Security | أمان التطبيق

• Input validation: Every API route validates its inputs with Zod schemas; invalid input is rejected at the boundary.
• Rate limiting & WAF: A database-backed rate limiter plus a web application firewall (WAF) protect against abuse.
• AI feature hardening: Untrusted text is fenced before reaching any model, and ownership is checked before any costly model call.
• Security headers: Content-Security-Policy with nonces, HSTS, X-Content-Type-Options, and related headers.

5. Monitoring & Audit | المراقبة والتدقيق

• Audit logging: Sensitive operations (tier changes, session management, payment events, admin actions) are written to an audit log.
• Error tracking: Server and client errors are captured without leaking stack traces or sensitive data to users.

6. Testing & Assurance | الاختبار والضمان

• Penetration testing: A penetration test was conducted and its critical and high findings remediated, with documented fixes.
• Empirical RLS gate: A continuous-integration gate verifies tenant-isolation policies against a real database.
• Dependency auditing: Dependencies are scanned for known vulnerabilities as part of the build pipeline.
• Automated tests: Thousands of automated tests guard the financial, security, and access logic on every change.

7. Privacy & Compliance | الخصوصية والامتثال

• PDPL-aligned: We handle personal data in line with the Saudi Personal Data Protection Law. See our Privacy Policy.
• Data rights: You can export your data or request account deletion from your account settings.
• Aligned frameworks: Our controls are designed to align with ISO 27001, ISO 42001, and ISO 19650, with documented statements of applicability.

8. Responsible Disclosure | الإفصاح المسؤول

If you discover a security vulnerability, we welcome your responsible disclosure. Contact us at security@saddid.com and we will respond promptly. Please do not disclose publicly before a fix is in place.