Security is architecture — not an add-on
We make no SOC2 or ISO claim until the certification is earned; in the meantime we offer transparent documentation and technical review sessions.
Role-Based Access Control
Permissions by role and organization — no lateral access across departments or tenants.
Immutable audit trail
Every request, decision, and export is logged together with the acting user's identity, and log entries cannot be deleted.
Evidence traceability
Every output linked to source. No recommendation or figure without reviewable evidence.
Tenant isolation
Data, permissions, and audit boundaries enforced per organization.
Human approval gates
AI assists — humans decide. Exports and critical actions require explicit authorization.
Data ownership
TLS in transit, encryption at rest, documented deletion rights. No customer data for external model training.
Controls at a glance
| Area | Control |
|---|---|
| Authentication | NextAuth v5 · protected sessions · SSO (SAML/OIDC) available |
| Isolation | organizationId on governed paths · RBAC in middleware |
| Audit | AuditEvent on state changes · export for compliance |
| Files | Upload scanning · permissioned downloads · checksum when available |
| SOC2 / ISO | Roadmap — no certification claim until earned |
| Residency | Saudi/GCC cloud by default — see /en/deployment |
AI governance
- No final decision without a human
- No export without authorization
- No recommendation without evidence
- No access without identity
Security review for procurement
A free introductory call: we explain the platform and suggest the appropriate next step. No sales pitch.