Security
Arabic is the legally binding version per Saudi law.
Last updated: 1 May 2026 / 1 مايو 2026
We take the security of your data seriously. This page describes the controls actually implemented on the Jabr platform.
1. Encryption
- In transit: All traffic over HTTPS with TLS 1.3 and HSTS enabled
- At rest: Firestore and Cloud Storage encrypt all data automatically with Google-managed keys (AES-256)
- Sensitive secrets: ZATCA signing keys are encrypted with AES-256-GCM before storage
2. Access Control
- Firestore security rules operate on a default-deny basis and verify company membership before any read or write
- Granular roles (Owner, Accountant, Auditor, Partner, Filing Officer, Viewer, CPA) gate what each user can do
- Every sensitive admin action is recorded in an immutable audit log
3. Account Protection
- Email verification at signup
- IP blocklist to stop repeated abuse attempts
- Per-IP and per-account rate limiting
- Automatic session expiry after a configurable idle period
- One-click account suspension and session revocation
4. Backup
- Automated daily backups to Cloud Storage
- Object versioning enabled for your files (receipts, bank statements)
- Per-company restore capability without affecting other accounts
5. AI Connector (MCP) Safety
- AI connected via MCP cannot post journal entries directly - every entry starts as a draft requiring user approval
- Destructive operations (reverting entries, closing periods) require explicit confirmation
- Per-plan limits on MCP call volume
- Connection tokens are company-scoped and can be revoked at any time
6. Incident Response
- Read-only maintenance mode to halt writes during investigation
- Freeze a single company or suspend a single user in seconds
- Detailed audit log for every sensitive change
- SDAIA notification within 72 hours and immediate notification of affected parties in the event of a breach
7. Compliance
- Aligned with the Saudi Personal Data Protection Law (PDPL)
- You own your data and can export or delete it at any time
8. What We Don't Do
- We do not sell your data to any party
- We do not use your data to train AI models
- We do not store passwords - Firebase Authentication manages them with industry-standard hashing
- We do not use advertising cookies or third-party analytics tools
- We do not track users across other websites
9. Reporting a Vulnerability
If you find a security vulnerability, please email info@jabrhq.com before public disclosure. We commit to acknowledging reports within 48 hours.
View in:|