Security.
Bank-grade infrastructure.
Comprehensive security controls for authentication, encryption, and access management. Designed for SAMA compliance.
Certifications
ISO 27001 (Certified): Information security management
SOC 2 Type II (Certified): Security, availability, confidentiality
PCI DSS L1 (Certified): Payment card industry compliance
SAMA (Compliant): Saudi Arabian Monetary Authority
Security Controls
Comprehensive documentation of our security architecture
Authentication & Access Control
Multi-layered authentication mechanisms ensuring secure access to the platform.
API Key Authentication
HMAC-SHA256 signed requests with rotating API keys. Keys are environment-scoped (sandbox/production) with configurable permissions and rate limits.
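An added example (not the platform's own code) of how environment-scoped, rotating API keys and HMAC-SHA256 request signing fit together on the verifying side. The key store, header names and canonical string format are assumptions chosen for illustration; the secrets are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample key store (illustrative values, not real credentials).
# Keys are scoped to an environment and rotate, so lookup is by (env, key_id)
# and a rotated-out key stays in the table but is no longer accepted.
API_KEYS = {
    ("sandbox", "key_01"): {"secret": b"sandbox-secret-A", "active": True},
    ("sandbox", "key_00"): {"secret": b"sandbox-secret-old", "active": False},
    ("production", "key_01"): {"secret": b"prod-secret-A", "active": True},
}
MAX_CLOCK_SKEW = 300  # seconds; signatures older than this are rejected

def canonical_string(method, path, timestamp, body):
    """Bytes covered by the signature. Assumed format: method, path, unix
    timestamp and SHA-256 of the body, newline-joined."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()

def sign_request(env, key_id, method, path, body, timestamp=None):
    """Client side: build the headers that accompany a signed request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    secret = API_KEYS[(env, key_id)]["secret"]
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}

def verify_request(env, method, path, body, headers, now=None):
    """Server side: returns (ok, reason). Rejects unknown or rotated-out keys,
    timestamps outside the window, and mismatches, using a constant-time compare."""
    now = int(time.time()) if now is None else now
    key = API_KEYS.get((env, headers.get("X-Key-Id")))
    if key is None or not key["active"]:
        return False, "unknown or inactive key for environment"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed window"
    expected = hmac.new(key["secret"], canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"
```

Because the environment is part of the key lookup, a request signed with a sandbox secret fails against production even when the key id is the same.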
OAuth 2.0 / OpenID Connect
Industry-standard OAuth 2.0 flows for user authentication. Supports authorization code, client credentials, and PKCE flows for mobile/SPA applications.
Role-Based Access Control (RBAC)
Granular permission system with predefined roles (Admin, Developer, Viewer) and custom role creation. Permissions scoped to specific resources and actions.
IP Allowlisting
Optional IP restriction for API access. Configure allowed CIDR ranges per environment to limit access to trusted networks.
Service-to-Service mTLS
Mutual TLS authentication for inter-service communication. All internal services authenticate using X.509 certificates issued by our internal CA.
Token & Consent Management
Secure lifecycle management for access tokens and user consent in open banking flows.
Access Token Lifecycle
Short-lived access tokens (15-60 minutes) with secure refresh token rotation. Tokens are JWT-formatted with RS256 signatures and include scope claims.
Consent Management
PSD2/Open Banking compliant consent flows. User consent is captured, stored, and audited with full transparency on data access. Consent can be revoked at any time.
Token Scope Enforcement
Fine-grained scope definitions (accounts:read, payments:write, etc.). Tokens are issued only with explicitly consented scopes. Scope validation at every API call.
Token Revocation
Immediate token invalidation via revocation endpoint. Propagated across all services within 30 seconds. Supports bulk revocation for compromised credentials.
Refresh Token Security
Refresh tokens are bound to client_id and stored hashed. One-time use with automatic rotation. Maximum lifetime of 90 days with re-authentication requirement.
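An added example (not the platform's own code) of a refresh token store that implements the properties described above: only hashes are stored, each token is bound to a client_id, each is valid for one use, rotation issues a replacement, and the 90-day maximum lifetime is measured from the original authentication. It goes one step beyond the text by treating reuse of an already-spent token as a signal to revoke the whole rotation family; that rule is an assumption added here.

```python
import hashlib
import hmac
import secrets
import time

REFRESH_MAX_LIFETIME = 90 * 24 * 3600  # 90 days, then re-authentication is required

class RefreshTokenStore:
    """Server-side store keyed by SHA-256 of the token; plaintext is never kept.
    Assumption (added here): reuse of a spent token revokes its whole family,
    since two parties then hold copies that should not both exist."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}            # token hash -> record
        self._revoked_families = set()

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_id, family=None, issued_at=None):
        """Issue a refresh token; the plaintext is returned exactly once."""
        token = secrets.token_urlsafe(32)
        issued_at = self._now() if issued_at is None else issued_at
        self._tokens[self._hash(token)] = {
            "client_id": client_id, "family": family or secrets.token_hex(8),
            "issued_at": issued_at, "used": False,
        }
        return token

    def rotate(self, client_id, token):
        """Exchange a refresh token: returns (new_token, reason); new_token is None on failure."""
        rec = self._tokens.get(self._hash(token))
        if rec is None:
            return None, "unknown token"
        if rec["family"] in self._revoked_families:
            return None, "family revoked"
        if not hmac.compare_digest(rec["client_id"], client_id):
            return None, "client_id mismatch"
        if rec["used"]:
            self._revoked_families.add(rec["family"])  # reuse detected
            return None, "token reuse detected; family revoked"
        if self._now() - rec["issued_at"] > REFRESH_MAX_LIFETIME:
            return None, "max lifetime exceeded; re-authentication required"
        rec["used"] = True
        # The replacement inherits the family and the original issue time so the
        # 90-day ceiling cannot be extended by rotating indefinitely.
        return self.issue(client_id, family=rec["family"], issued_at=rec["issued_at"]), "ok"
```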
Data Protection
Comprehensive encryption and data handling practices protecting sensitive financial data.
Encryption at Rest
AES-256-GCM encryption for all stored data. Encryption keys managed through HSM with automatic rotation every 90 days. Separate keys per customer.
Encryption in Transit
TLS 1.3 enforced for all connections. HSTS with 1-year max-age. Certificate pinning available for mobile SDKs. No support for deprecated protocols.
Key Management (HSM)
FIPS 140-2 Level 3 certified HSMs for cryptographic operations. Keys never leave HSM boundary in plaintext. Multi-party key ceremony for master keys.
PII Handling
Tokenization of sensitive data (card numbers, national IDs). PII encrypted with customer-specific keys. Data classification and automated PII detection.
Data Residency
All data stored within Saudi Arabia (Riyadh region). No cross-border data transfers without explicit consent. Compliance with PDPL requirements.
Infrastructure Security
Defense-in-depth architecture with zero-trust principles and comprehensive monitoring.
Network Isolation
VPC segmentation with private subnets for databases and internal services. Public-facing endpoints behind WAF and DDoS protection. No direct database access.
Zero-Trust Architecture
No implicit trust based on network location. All requests authenticated and authorized. Microsegmentation between services with least-privilege access.
Secrets Management
HashiCorp Vault for secrets storage and dynamic credential generation. Automatic secret rotation. Audit logging of all secret access. No secrets in code or config.
Container Security
Immutable container images with vulnerability scanning. Read-only root filesystems. Non-root execution. Signed images with policy enforcement.
Comprehensive Audit Logging
All API calls, admin actions, and data access logged with correlation IDs. Logs retained for 7 years. Real-time streaming to SIEM for anomaly detection.
Open Banking Security
Specialized security controls for open banking integrations and account aggregation.
Bank Connection Security
Dedicated VPN tunnels or private links to partner banks. IP whitelisting and mTLS authentication. No credential storage - tokens only.
Account Access Tokens
Bank-issued access tokens stored encrypted with HSM-protected keys. Token refresh handled automatically. Immediate revocation on user request or consent expiry.
Transaction Signing
Payment initiation requests signed with RSA-SHA256. Signature includes amount, beneficiary, and timestamp to prevent tampering. Bank verifies signature before execution.
Strong Customer Authentication
SCA support for all payment initiation. Integration with bank SCA flows (SMS OTP, push notification, biometric). Exemption handling per PSD2 RTS.
Data Minimization
Only fetch data within consented scope. Transaction history limited to consent period. No persistent storage beyond operational necessity. Automatic data purging.
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a potential security issue, please report it responsibly.
SAMA Compliance
Designed to meet Saudi Arabian Monetary Authority regulatory requirements for fintech platforms, including CSF, Open Banking Framework, and PSP regulations.