Enterprise-grade protection built into every layer of the platform. Updated April 2026.
Every sensitive field is individually encrypted using AES-256-CBC via Laravel Crypt: employee iqama numbers (Saudi national IDs), ZATCA credentials, webhook signing secrets, government portal credentials, and compliance notes. None of these values are stored in plaintext. Your encryption key lives in the environment and is never exposed in code or database.
All data transmitted between your browser and Iltizam servers is protected by TLS 1.2 or higher. We enforce HTTPS-only access and set HTTP Strict Transport Security (HSTS) headers. Unencrypted HTTP connections are rejected.
All accounts support TOTP-based 2FA compatible with Google Authenticator, Authy, and Microsoft Authenticator. Iltizam uses cryptographic timestamp tracking to prevent TOTP replay attacks: each 30-second code can only be used once. 2FA is available for all roles and is strongly recommended.
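To illustrate the replay protection described above, here is an added example (not Iltizam's own code) of an RFC 6238 TOTP verifier that remembers the last accepted time step per account and refuses any code for that step or an earlier one. The secret, the one-step acceptance window and the in-memory store are assumptions chosen for the demonstration; the sample secret is the RFC 6238 test key, so the expected codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time-step length used by the common authenticator apps
DIGITS = 6          # code length shown by Google Authenticator and similar apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Verifies TOTP codes for one account and blocks reuse of an accepted time step.

    `window` is how many adjacent steps are tolerated for clock drift (assumption: 1).
    `last_counter` is the highest time step already consumed; a production deployment
    would persist it per user rather than keep it in memory.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = None

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # Replay protection: never accept a step at or before the last accepted one.
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            # Constant-time comparison so a mismatch does not leak which digit differed.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# Constructed sample: the RFC 6238 reference secret, so the codes below match the RFC vectors.
SAMPLE_SECRET = b"12345678901234567890"


def demo() -> list:
    """Returns the outcomes of a first use, a replay, and a later valid code."""
    verifier = TotpVerifier(SAMPLE_SECRET, window=1)
    first_code = totp(SAMPLE_SECRET, 59)             # time step 1
    results = [
        verifier.verify(first_code, 59),             # fresh code: accepted
        verifier.verify(first_code, 59),             # same code again: rejected (replay)
        verifier.verify(totp(SAMPLE_SECRET, 1111111109), 1111111109),  # much later step: accepted
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The replay check is deliberately tied to the time step rather than to the code string: two different steps can produce the same six digits by chance, and what must never be reused is the step a user has already authenticated with.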
Iltizam enforces a three-tier role system at the server level: Super Admin (platform), Company Admin (write access), and Employee (read-only). Write operations (create, update, delete) are blocked at the middleware layer for the Employee role, not just hidden in the UI. Company data is fully isolated; cross-company data access is architecturally impossible.
Every create, update, and delete is logged with the user identity, action type, affected record, IP address, and before/after values. Authentication events (successful logins, failed login attempts, logouts, 2FA enabled/disabled/verified) are also logged. Audit logs are searchable, filterable, and exportable by platform admins.
Every outbound webhook POST is signed with HMAC-SHA256 using a unique per-subscription secret encrypted at rest. Recipients can verify the X-Iltizam-Signature header to confirm payload authenticity and prevent spoofing attacks.
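A receiving service should verify the signature over the raw request body before it parses or acts on the payload. The following is an added example of such a recipient-side check, not code from Iltizam; it assumes the header carries the lowercase hex encoding of HMAC-SHA256 over the exact bytes of the body (the actual encoding should be taken from the Iltizam webhook documentation). The secret, body and header values are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Optional

SIGNATURE_HEADER = "X-Iltizam-Signature"


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (assumed header format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header matches the HMAC of the body byte-for-byte.

    compare_digest keeps the comparison constant-time so timing does not reveal
    how many leading characters of a forged signature were correct.
    """
    if not header_value:
        return False
    expected = sign_payload(secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> Optional[dict]:
    """Returns the parsed event if the signature is valid, otherwise None.

    The body is parsed only after verification, so an unsigned or tampered
    request never reaches application logic.
    """
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return None
    return json.loads(raw_body)


# Constructed sample data (not real Iltizam values).
SAMPLE_SECRET = b"per-subscription-secret-example"
SAMPLE_BODY = b'{"event":"employee.updated","employee_id":"c0ffee00-0000-4000-8000-000000000001"}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_payload(SAMPLE_SECRET, SAMPLE_BODY)}


def demo() -> dict:
    """Shows a genuine delivery being accepted and a tampered body being refused."""
    accepted = handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS)
    tampered_body = SAMPLE_BODY.replace(b"employee.updated", b"employee.deleted")
    tampered = handle_webhook(SAMPLE_SECRET, tampered_body, SAMPLE_HEADERS)
    missing = handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, {})
    return {"accepted": accepted, "tampered": tampered, "missing_header": missing}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the HMAC must be computed over the bytes as received (re-serialising the JSON can reorder keys or change whitespace and break the match), and the per-subscription secret should be loaded from configuration or a secret store on the recipient side, mirroring the encrypted-at-rest handling described above.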
Files are stored on AWS S3 in a private bucket with no public-read ACL. Downloads are served via temporary pre-signed URLs with a 30-minute expiry. File paths use UUID-based names, preventing enumeration attacks.
Passwords require a minimum of 10 characters with mixed case and numbers. Passwords are hashed with bcrypt (cost factor 12). Login is rate-limited to 5 attempts per minute per IP. Inactive accounts are blocked at the authentication layer. Sessions are encrypted at rest and use SameSite=Strict cookie policy. Email verification is required before portal access is granted.
Every response includes X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy. HSTS is enforced on HTTPS deployments. Cross-Origin Resource Sharing (CORS) is restricted to the application origin only.
The AI Compliance Advisor requires explicit consent before sending any data to OpenAI, in compliance with the Saudi Personal Data Protection Law (PDPL) cross-border transfer requirements. Only anonymized aggregate data is transmitted; no names, IDs, or iqama numbers. Employee iqama numbers are treated as national identifiers under PDPL and are encrypted at field level. UAE companies benefit from alignment with Federal Decree-Law No. 45 of 2021.
Iltizam is designed with OWASP Top 10 mitigations built into every layer, covering broken access control, cryptographic failures, injection, insecure design, security misconfiguration, logging & monitoring, and more. Updated April 2026.
Our team is available to answer security questions from enterprise customers, auditors, and compliance officers.