
Security

The Arabic version of this page is the legally binding one under Saudi law.

Last updated: 1 May 2026 / 1 مايو 2026

We take the security of merchant data seriously. This page describes the controls that are actually implemented on the Jabr platform — not marketing promises.

1. Encryption

  • In transit: All traffic is served over HTTPS with TLS 1.3, and the Strict-Transport-Security (HSTS) header is set, so once a browser has seen it the browser refuses plain-HTTP connections to the site for the policy's lifetime instead of relying on a redirect.
  • At rest: Firestore and Cloud Storage encrypt every byte automatically with Google-managed keys.
  • Sensitive secrets: ZATCA signing private keys are encrypted with AES-256-GCM (random 96-bit IV + 128-bit auth tag) before storage.

2. Access Control

  • Every Firestore read and write goes through default-deny security rules and a server-side membership check before any action.
  • Granular roles (Accountant, Auditor, Partner, Customer, Filing Officer) gate what each user can do.
  • Admin accounts are protected by multi-factor authentication.
  • Every sensitive admin action is recorded in an immutable audit log.

3. Account Protection

  • Email verification at signup.
  • IP blocklist to stop repeated abuse attempts.
  • Per-IP and per-account rate limiting.
  • Geo-anomaly detection — sign-in from a new country triggers an alert.
  • One-click account suspension and session revocation for incident response.

4. Backup & Recovery

  • Daily backups written to a Cloud Storage bucket with a locked 30-day retention policy, so no one, including project admins, can delete or overwrite a backup object until it is 30 days old.
  • Cloud Storage object versioning enabled for merchant files (receipts, bank statements).
  • Per-company logical snapshots on demand for surgical restore without affecting others.
  • Documented disaster recovery playbook with periodic drills.

5. AI Safety

  • Every attached file passes through a prompt-injection filter before reaching the model.
  • Role markers, instruction-override phrases, and jailbreak patterns are stripped automatically. This is a best-effort filter; the approval gate in the next bullet is what bounds the impact of anything that slips through it.
  • The AI cannot post journal entries directly — every entry starts as a draft requiring merchant approval.
  • Per-merchant AI budgets with 80% warnings and 100% hard stops.

6. Incident Response

  • Read-only maintenance mode to halt writes during investigation.
  • Freeze a single company or suspend a single user in seconds.
  • Mutation-level audit log for sensitive changes (entries, deletes, subscription changes).
  • Security alerts on anomalous behaviour (e.g. sign-in from a new country).

7. Compliance

  • Aligned with Saudi Personal Data Protection Law (PDPL).
  • Aligned with ZATCA e-invoicing requirements.
  • Merchants own their data — exportable or deletable on demand.

8. What We Don't Do

  • We do not sell merchant data to any third party.
  • We do not use merchant data to train AI models.
  • We never see or store passwords: Firebase Authentication holds only salted password hashes and performs the comparison itself.
  • We do not use advertising cookies or track users across other sites.

9. Reporting a Vulnerability

If you find a security vulnerability, please email security@jabr.sa before public disclosure. We aim to acknowledge reports within 48 hours.

Our full disclosure policy is published at /.well-known/security.txt in the RFC 9116 format.

© 2026 جَبر · Jabr. All rights reserved.

Made for Saudi merchants — by Saudi entrepreneurs. Hosted in Google Cloud me-central1 (Riyadh).