Security
Enterprise-grade security built into every layer of the platform.
AES-256 Encryption at Rest
All PII, company data, and compliance answers encrypted using AES-256-CBC. Searchable fields use HMAC-SHA256 hashes so raw values are never stored in plain text.
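As an added example (not the platform's own code), the encrypt-plus-searchable-hash pattern described above in Go: the stored value is encrypted with AES-256-CBC under a random IV, and the searchable column holds only an HMAC-SHA256 of the normalised value, so an exact-match lookup never needs the plaintext. The keys, the sample email and the in-memory table are constructed placeholders; production keys would come from the KMS described further down.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed placeholder keys (real ones come from the KMS); kept separate so the index key cannot decrypt.
var encKey, indexKey = bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)

// BlindIndex normalises a searchable value and returns its HMAC-SHA256 as hex.
// Only this keyed hash is stored beside the ciphertext; a database dump reveals no raw value.
func BlindIndex(value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write(bytes.ToLower(bytes.TrimSpace([]byte(value))))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptCBC returns IV || AES-256-CBC(PKCS#7-padded plaintext), with a fresh random IV per call.
func EncryptCBC(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Demo: the table holds only {blind index -> ciphertext}; searching never touches plaintext.
func main() {
	table := map[string][]byte{}
	ct, err := EncryptCBC([]byte("Alice@Example.com"))
	if err != nil {
		panic(err)
	}
	table[BlindIndex("Alice@Example.com")] = ct
	fmt.Println("found by blind index:", table[BlindIndex(" alice@example.com ")] != nil)
}
```

CBC alone gives confidentiality, not integrity, so a production column would also carry a MAC over IV and ciphertext (not shown here). The blind index supports exact-match search only, and the normalisation applied before hashing must be identical at write and lookup time.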
TLS 1.3 in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure transport protocol available.
Two-Factor Authentication (2FA)
TOTP-based 2FA compatible with Google Authenticator and Authy. Recovery codes are fully encrypted. 2FA can be enforced at the organizational level.
Role-Based Access Control
Three distinct roles: Main User (manager), Team User (answerer), Auditor (reviewer) — with strict authorization policies preventing any unauthorized data access.
Complete Audit Trail
Every action logged with timestamp, IP address, browser fingerprint, and user identity. Logs are retained for compliance purposes and cannot be modified.
Brute-Force Protection
Five failed login attempts trigger a 30-minute account lockout. Password history prevents reuse of the last 5 passwords. Account lockout events are logged.
Tenant Data Isolation
All database queries are scoped by company_id, ensuring complete data isolation between tenants at the application layer.
Anomaly Detection
Continuous monitoring of active sessions with comprehensive logging of unusual activity patterns for security response.
Backup & Recovery
Automated encrypted backups with documented disaster recovery procedures and business continuity plans.
Built for Compliance from the Ground Up
The platform's security architecture is designed with reference to internationally recognised standards.
Incident Response
We maintain documented and tested procedures for responding to security incidents promptly.
Detection & Containment
Real-time activity log monitoring with immediate isolation of affected systems to limit breach scope.
Assessment & Classification
Severity classification (Critical / High / Medium / Low) and identification of data categories and subjects affected.
Notification & Reporting
Client notification within 48 hours; regulatory authority reporting within 72 hours per GDPR Article 33 and Saudi PDPL.
Remediation & Learning
Root cause analysis, security control updates, and documented post-incident review to prevent recurrence.
Infrastructure Security & Testing
DDoS Protection & WAF
Infrastructure is protected by dedicated DDoS mitigation and a Web Application Firewall (WAF) that filters malicious requests before they reach the application layer.
Encryption Key Management
Data encryption is managed through a dedicated Key Management System (KMS) with support for periodic key rotation and strictly limited key access controls.
Penetration Testing
Independent third-party penetration tests are conducted periodically. An executive summary of the most recent test results is available upon request to enterprise clients.
Network Isolation & Segmentation
Application, database, and storage layers are network-segmented to minimise lateral movement in the event of a breach.
Supply Chain Security
All sub-processors and vendors undergo security assessment before engagement and are subject to periodic compliance reviews.
Patch Management
Security updates and critical patches are applied within 72 hours of release using a controlled deployment process to minimise downtime.
Responsible Disclosure
We encourage security researchers to responsibly disclose any vulnerabilities they discover. If you have found a security issue, please contact us via the contact form with "Security Issue" in the subject line.
Please refrain from public disclosure until we have had reasonable time to remediate. We appreciate security research conducted in good faith and commit to taking no legal action against responsible reporters.