Security at FawtaraX
We treat invoice data as regulated tax records. Every layer of the platform — from database to API — is designed for tenant isolation, auditability, and OTA compliance.
Tenant isolation
Every table enforces Postgres Row-Level Security keyed on tenant_id. A tenant member cannot read or write another tenant's data, even via API key.
Encryption
TLS 1.2+ in transit. Encryption at rest via managed Postgres. Secrets (API tokens, OTA credentials) stored in a managed secret vault, never in source.
Role-based access
Owner, admin, accountant, auditor and viewer roles. Sensitive operations (delete invoice, rotate API key) are restricted to owner/admin.
Audit log
Append-only audit_logs table records every state-changing action with actor, entity, and metadata. Visible to owner/admin/auditor; immutable from the UI.
Webhook integrity
OTA and partner webhooks are verified by HMAC signature and processed idempotently via event_id deduplication.
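The verify-then-deduplicate order described above, as an added Python example that is not FawtaraX's own code. HMAC-SHA256, the hex signature encoding, the secret, the in-memory set (standing in for a unique constraint on event_id) and the sample payload are all assumptions.

```python
import hashlib
import hmac
import json

# Assumption: one shared secret per webhook source, loaded from the secret vault.
SECRET = b"constructed-demo-secret"


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes sent on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()    # stand-in for a table with UNIQUE(event_id)
        self.processed = []

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        # 1. Authenticate the raw bytes before parsing; compare in constant time.
        expected = sign(self._secret, raw_body)
        if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
            return "rejected"
        # 2. Parse only authenticated input.
        try:
            event = json.loads(raw_body)
            event_id = event["event_id"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if not isinstance(event_id, str):
            return "malformed"
        # 3. Deduplicate after authentication, so an unsigned request can
        #    never mark a legitimate event_id as already handled.
        if event_id in self._seen:
            return "duplicate"
        self._seen.add(event_id)
        self.processed.append(event)
        return "processed"


def demo():
    rx = WebhookReceiver(SECRET)
    body = b'{"event_id": "evt-0001", "type": "invoice.cleared"}'  # constructed
    sig = sign(SECRET, body)
    tampered = body.replace(b"cleared", b"voided!")
    return [rx.handle(tampered, sig),   # body altered after signing
            rx.handle(body, "00" * 32), # wrong signature, must not poison dedup
            rx.handle(body, sig),       # first valid delivery
            rx.handle(body, sig)]       # retry of the same event
```

In a real deployment the duplicate check and the insert of event_id would be a single atomic database operation so that concurrent retries cannot both pass.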
Compliance
10-year invoice retention per OTA Fawtara. Hash chain (PIH/ICV) on every invoice. TLV-encoded QR per ZATCA/Fawtara spec. Aligned with Oman PDPL (Royal Decree 6/2022).
Report a vulnerability
Email security@fawtara.daftari.app. We acknowledge within one business day and aim to remediate critical issues within 7 days.