Everything enterprise procurement teams need to evaluate Maktab — security architecture, compliance posture, penetration test status, and subprocessor list.
Layered security controls from infrastructure to application layer, built to meet enterprise and government requirements.
TOTP-based MFA (RFC 6238) for all admin accounts. Enforced per-role via policy. Backup codes with one-time use. Brute-force lockout at 5 attempts.
Full SAML 2.0 SP implementation. Compatible with Okta, Azure AD, Google Workspace, ADFS, and any SAML 2.0-compliant IdP. Signed assertions required.
Automated user provisioning and deprovisioning via SCIM 2.0. Supports Okta, Azure AD, OneLogin. Immediately revokes access on deprovisioning.
84 granular permissions across 12 resource types. Custom roles. Dual-guard architecture separates admin and client sessions completely.
Passwords hashed with bcrypt (cost 12). Sensitive fields (SMTP credentials, API keys, Twilio tokens) encrypted at rest with AES-256 via Laravel Crypt; the encrypter authenticates each ciphertext, so a value altered in the database fails to decrypt instead of decrypting to garbage. TLS 1.2+ in transit.
HSTS with includeSubDomains + preload. Strict CSP policy. X-Frame-Options: DENY. X-Content-Type-Options: nosniff. Referrer-Policy: strict-origin-when-cross-origin.
All resource access enforces ownership checks at the database query level, not only in route-level middleware: the tenant scope is part of the query itself, so changing a ticket or asset ID in a request cannot return another tenant's record (IDOR). Ticket/asset/company scoping prevents cross-tenant data access.
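To make the difference between route-level and query-level checks concrete, here is an added example (written for this page, not Maktab's code) using an in-memory SQLite database with constructed sample data: a handler that only confirms the caller is logged in and then loads a ticket by id leaks the other tenant's ticket, while a repository that fixes the company id from the session and appends it to every statement returns nothing for foreign ids and affects zero rows on a cross-tenant write. The table and column names are assumptions.

```python
import sqlite3
from typing import List, Optional, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants, one ticket each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE tickets (
            id INTEGER PRIMARY KEY,
            company_id INTEGER NOT NULL REFERENCES companies(id),
            subject TEXT NOT NULL
        );
        INSERT INTO companies VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO tickets VALUES (100, 1, 'Acme printer jam'), (101, 2, 'Globex payroll export');
    """)
    return db


def ticket_route_check_only(db: sqlite3.Connection, session: dict, ticket_id: int) -> Optional[Tuple]:
    """Weak pattern: middleware confirms the caller is logged in, then the handler loads
    the row by id alone. Any authenticated user can read any tenant's ticket (IDOR)."""
    if not session.get("authenticated"):
        raise PermissionError("login required")
    return db.execute(
        "SELECT id, company_id, subject FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchone()


class TenantScopedTickets:
    """Query-level scoping (example, not Maktab's code): the company id is fixed from the
    server-side session when the repository is built and appended to every statement,
    so no code path reads or writes a row outside the caller's tenant."""

    def __init__(self, db: sqlite3.Connection, session: dict) -> None:
        if not session.get("authenticated"):
            raise PermissionError("login required")
        self.db = db
        self.company_id = int(session["company_id"])  # never taken from the request

    def get(self, ticket_id: int) -> Optional[Tuple]:
        return self.db.execute(
            "SELECT id, company_id, subject FROM tickets WHERE id = ? AND company_id = ?",
            (ticket_id, self.company_id),
        ).fetchone()

    def list(self) -> List[Tuple]:
        return self.db.execute(
            "SELECT id, company_id, subject FROM tickets WHERE company_id = ? ORDER BY id",
            (self.company_id,),
        ).fetchall()

    def rename(self, ticket_id: int, subject: str) -> int:
        """Returns rows affected: 0 when the id belongs to another tenant."""
        cur = self.db.execute(
            "UPDATE tickets SET subject = ? WHERE id = ? AND company_id = ?",
            (subject, ticket_id, self.company_id),
        )
        self.db.commit()
        return cur.rowcount


if __name__ == "__main__":
    db = setup_db()
    globex_agent = {"authenticated": True, "company_id": 2}
    print("route-only check:", ticket_route_check_only(db, globex_agent, 100))  # Acme's ticket leaks
    repo = TenantScopedTickets(db, globex_agent)
    print("scoped lookup:", repo.get(100))            # None
    print("cross-tenant rename affected:", repo.rename(100, "x"), "rows")
```

The same idea in Laravel terms is a global scope on the tenant-owned models, so the `company_id` predicate cannot be forgotten in an individual controller.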
Automatic PII scanning on ticket bodies and replies. Detects credit card patterns, national ID formats, and email addresses. Flags for review without blocking submission.
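The scanner described above is easy to get wrong in the direction of noise, so here is an added example (written for this page, not Maktab's code) of a flag-only scan: card numbers are matched by pattern and then confirmed with a Luhn checksum so order numbers and phone numbers are not flagged, findings carry a masked excerpt rather than the raw value, and the ticket is always accepted with a review flag. The national ID patterns are simplified placeholders, not the page's formats.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or hyphens (card PAN layouts)
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified national ID formats (assumption for the example); production scanners use
# per-country patterns with their own checksums.
NATIONAL_ID_RES: Dict[str, "re.Pattern"] = {
    "US_SSN": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "UK_NINO": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out numbers that merely look like a card PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the review queue never re-exposes the PII."""
    return "*" * max(0, len(value) - keep) + value[-keep:]


@dataclass
class Finding:
    kind: str
    excerpt: str   # masked, never the raw value
    position: int  # offset in the scanned text


def scan(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAYMENT_CARD", mask(digits), m.start()))
    for kind, rx in NATIONAL_ID_RES.items():
        for m in rx.finditer(text):
            findings.append(Finding(kind, mask(m.group()), m.start()))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("EMAIL", mask(local, 1) + "@" + domain, m.start()))
    return sorted(findings, key=lambda f: f.position)


def review_ticket(body: str) -> dict:
    """Flag-only policy: the ticket is always accepted; findings go to a review queue."""
    findings = scan(body)
    return {"accepted": True, "needs_review": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample ticket body
    sample = "Charge 4111 1111 1111 1111 today. Contact jane@example.com; SSN 123-45-6789."
    for f in review_ticket(sample)["findings"]:
        print(f.kind, f.excerpt, "@", f.position)
```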
Per-IP throttling on login (5/min), API endpoints (60/min), webhooks (1,000/min). Brute-force lockout with 10-minute cooldown. Configurable per-tenant.
Admin panel access can be restricted to a list of trusted IP ranges, in CIDR notation. Individual agents can be allowed in from outside those ranges for remote access, but only after an MFA step-up.
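The throttling and allowlist rules in the two items above translate into a small amount of state, shown in this added example (written for this page, not Maktab's code): a sliding-window limiter keyed by client IP that enters a cooldown once the window is exceeded, with the page's published limits as defaults, plus a CIDR allowlist for the admin panel that lets a remote-access agent through from any address only after an MFA step-up. The class and method names are assumptions; the clock is injectable so the cooldown can be exercised without waiting.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Iterable


class IpThrottle:
    """Sliding-window limiter keyed by client IP. Exceeding `limit` requests inside
    `window_s` seconds puts the IP into a `lockout_s` cooldown during which every
    request is refused (5/min login with a 10-minute lockout by default)."""

    def __init__(self, limit: int, window_s: int = 60, lockout_s: int = 600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit, self.window, self.lockout, self.clock = limit, window_s, lockout_s, clock
        self.hits: Dict[str, deque] = defaultdict(deque)  # ip -> request timestamps in window
        self.locked_until: Dict[str, float] = {}

    def allow(self, ip: str) -> bool:
        now = self.clock()
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return False  # still cooling down
            del self.locked_until[ip]
            self.hits[ip].clear()
        q = self.hits[ip]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            self.locked_until[ip] = now + self.lockout  # the request that breaks the limit starts the lockout
            return False
        q.append(now)
        return True

    def retry_after(self, ip: str) -> int:
        """Seconds for a Retry-After header; 0 if the IP is not locked out."""
        until = self.locked_until.get(ip)
        return max(0, int(until - self.clock())) if until is not None else 0


class AdminIpAllowlist:
    """CIDR allowlist for the admin panel. An agent flagged for remote access is admitted
    from an address outside the list only after completing an MFA step-up."""

    def __init__(self, cidrs: Iterable[str]) -> None:
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def permits(self, ip: str, remote_access_agent: bool = False,
                mfa_stepped_up: bool = False) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        return remote_access_agent and mfa_stepped_up


# Defaults taken from the limits published on this page; a per-tenant override would
# construct these with different numbers.
LOGIN_THROTTLE = IpThrottle(limit=5)
API_THROTTLE = IpThrottle(limit=60)
WEBHOOK_THROTTLE = IpThrottle(limit=1000)

if __name__ == "__main__":
    for i in range(7):
        print("login attempt", i + 1, "allowed:", LOGIN_THROTTLE.allow("203.0.113.9"))
    print("retry after", LOGIN_THROTTLE.retry_after("203.0.113.9"), "s")
    acl = AdminIpAllowlist(["10.20.0.0/16"])
    print("office:", acl.permits("10.20.5.5"), "remote+MFA:",
          acl.permits("198.51.100.7", remote_access_agent=True, mfa_stepped_up=True))
```

Keying on the client IP only works if the application sees the real client address, so behind a proxy or load balancer the trusted-proxy configuration has to be correct, otherwise every request shares one bucket or an attacker picks their own bucket via a forged forwarding header.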
Every admin action is recorded in the system audit log: actor, action, resource, timestamp, IP address, before/after state. Logs cannot be edited or deleted by any user.
Session tokens stored server-side (database driver). Configurable session timeout. "Log out all sessions" per user. Suspicious login detection alerts all admins.
Current control implementation mapped to GDPR, SOC 2, and ISO 27001 frameworks.
| Framework | Control Reference | Requirement | Maktab Implementation | Status |
|---|---|---|---|---|
| GDPR | Art. 5 — Data minimisation | Collect only data necessary for the purpose | Only required ticket fields collected; PII scan flags over-collection | Implemented |
| GDPR | Art. 17 — Right to erasure | Delete personal data on request | GDPR Erasure controller + scheduled data retention purge | Implemented |
| GDPR | Art. 20 — Data portability | Provide data in machine-readable format | Client portal: export tickets as JSON/CSV; admin: bulk export | Implemented |
| GDPR | Art. 25 — Privacy by design | Default settings must protect privacy | Dual-guard architecture; no cross-tenant data without explicit scoping | Implemented |
| GDPR | Art. 30 — Records of processing | Maintain record of processing activities | System audit log records all processing with actor, resource, timestamp | Implemented |
| GDPR | Art. 32 — Security of processing | Appropriate technical security measures | AES-256 at rest, TLS 1.2+ in transit, MFA, RBAC, bcrypt | Implemented |
| SOC 2 | CC6.1 — Logical access | Restrict logical access to authorized users | RBAC with 84 permissions, MFA, SAML, SCIM deprovisioning | Controls met |
| SOC 2 | CC6.6 — Threat protection | Protect against external threats | Rate limiting, brute-force lockout, IP allowlist, CSP, HSTS | Controls met |
| SOC 2 | CC7.1 — Vulnerability detection | Detect and monitor for vulnerabilities | Internal pentest complete; external pentest scheduled Q3 2026 | In progress |
| SOC 2 | CC8.1 — Change management | Authorize, test, and document changes | Git-based review process; audit logs capture settings changes | Controls met |
| SOC 2 | CC9.1 — Risk mitigation | Identify and mitigate risks from vendors | Subprocessor list maintained; DPA with each vendor | Controls met |
| ISO 27001 | A.9 — Access control | Control access to information assets | RBAC, MFA, SAML, SCIM, IP allowlist, session management | Implemented |
| ISO 27001 | A.10 — Cryptography | Proper use of cryptographic controls | bcrypt (cost 12), AES-256 field encryption, TLS 1.2+, HMAC-SHA256 webhooks | Implemented |
| ISO 27001 | A.12 — Operations security | Secure operating procedures and monitoring | Immutable audit logs, system health monitoring, scheduled purge jobs | Implemented |
| ISO 27001 | A.18 — Compliance | Avoid violations of legal or contractual obligations | GDPR erasure, data retention, DPA, subprocessor registry | Implemented |
SOC 2 Type I formal attestation is planned for Q4 2026. Controls are implemented and documented; the formal audit engagement is in procurement.
Security assessments performed against the full attack surface: authentication, authorization, injection, session management, and webhook security.
Internal penetration test (complete). Full OWASP Top 10 evaluation: authentication attacks (credential stuffing, MFA bypass, token replay), authorization (IDOR, privilege escalation), injection (SQLi, XSS, XXE, SSRF), session handling (fixation, sidejacking), and HTTP header analysis. Result: no critical findings; 3 informational findings remediated.
External penetration test (scheduled Q3 2026). Black-box plus grey-box engagement with a CREST-certified external security firm. Scope: all /app/*, /portal/*, /api/*, and webhook endpoints. A redacted executive summary will be published here on completion.
SOC 2 Type I (planned Q4 2026). Formal trust service criteria attestation covering security, availability, and confidentiality. Audit engagement in procurement.
| Attack Category | Tests Run | Outcome |
|---|---|---|
| Authentication | Credential stuffing, brute-force, MFA bypass, token replay | Pass |
| Authorization | IDOR, horizontal/vertical privilege escalation, cross-tenant | Pass |
| Injection | SQL injection, XSS (stored/reflected/DOM), XXE, SSRF | Pass |
| Session | Fixation, sidejacking, CSRF, insecure transport | Pass |
| HTTP Headers | CSP bypass, clickjacking, MIME sniffing, cache poisoning | Pass |
| File Upload | Malicious file upload, path traversal, extension bypass | Pass |
| API | Token leakage, rate-limit bypass, mass assignment, over-fetching | Pass |
| Webhooks | HMAC-SHA256 signature verification bypass, replay attacks | Pass |
3 informational findings (non-critical) remediated post-assessment.
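The last row of the table, HMAC-SHA256 signature verification and replay resistance for webhooks, is the one customers most often have to implement on their own side when consuming deliveries, so here is an added example (written for this page, not Maktab's code) of both halves: the sender binds a timestamp and a nonce into the MAC along with the raw body, and the receiver rejects missing, forged, tampered, stale and replayed deliveries in that order, checking the signature before consulting the nonce store so unsigned traffic cannot probe it. The header names and the `sha256=` prefix are assumptions; the page does not document Maktab's wire format.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Header names are an assumption for this example.
HDR_SIG, HDR_TS, HDR_NONCE = "X-Webhook-Signature", "X-Webhook-Timestamp", "X-Webhook-Nonce"
SCHEME = "sha256="


def compute_signature(secret: bytes, body: bytes, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over timestamp, nonce and the raw body. Binding ts and nonce into the
    MAC is what stops an attacker from editing them to defeat the replay checks."""
    msg = b".".join([str(ts).encode(), nonce.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, body: bytes, ts: Optional[int] = None,
                  nonce: Optional[str] = None) -> Dict[str, str]:
    """Sender side: headers a webhook producer attaches to one delivery."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return {HDR_TS: str(ts), HDR_NONCE: nonce,
            HDR_SIG: SCHEME + compute_signature(secret, body, ts, nonce)}


class WebhookReceiver:
    """Receiver side: verifies the raw body exactly as received (before any JSON parsing)."""

    def __init__(self, secret: bytes, tolerance_s: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self.secret, self.tolerance, self.clock = secret, tolerance_s, clock
        self.seen_nonces: Dict[str, float] = {}  # nonce -> time it can be forgotten

    def verify(self, body: bytes, headers: Dict[str, str]) -> Tuple[bool, str]:
        try:
            ts = int(headers[HDR_TS])
            nonce = headers[HDR_NONCE]
            sig = headers[HDR_SIG]
        except (KeyError, ValueError):
            return False, "missing or malformed signature headers"
        if not sig.startswith(SCHEME):
            return False, "unsupported signature scheme"
        now = self.clock()
        if abs(now - ts) > self.tolerance:
            return False, "timestamp outside tolerance"
        expected = compute_signature(self.secret, body, ts, nonce)
        # Constant-time compare, done before the nonce check so that unsigned requests
        # cannot probe or fill the nonce store.
        if not hmac.compare_digest(expected.encode(), sig[len(SCHEME):].encode()):
            return False, "bad signature"
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp >= now}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts + self.tolerance  # only needs remembering inside the window
        return True, "ok"


if __name__ == "__main__":
    secret = b"whsec_constructed_example"  # constructed shared secret
    body = b'{"event":"ticket.created","ticket_id":42}'
    rx = WebhookReceiver(secret)
    headers = build_headers(secret, body)
    print("first delivery:", rx.verify(body, headers))
    print("replayed delivery:", rx.verify(body, headers))
    print("tampered body:", rx.verify(body + b" ", headers))
```

In a real deployment the nonce store has to be shared across receiver instances (a database table or cache with TTL) and the tolerance should be as tight as the producer's retry behaviour allows, since the window is also how long a captured delivery stays replayable.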
Third-party services that may process customer data as part of Maktab's infrastructure. We maintain a DPA with each subprocessor and monitor their security practices.
Cloud infrastructure hosting, storage (S3), compute (EC2), and managed database (RDS MySQL). Primary infrastructure provider.
Transactional email delivery for ticket notifications, alerts, and system emails. Inbound email parsing via webhook.
Alternative transactional email provider. Inbound email parsing via webhook. Used as failover/secondary email channel.
SMS notifications, voice call handling, and WhatsApp channel integration. Voice webhook for call-to-ticket creation.
AI-powered ticket triage, sentiment analysis, smart reply suggestions, and knowledge base search enhancement.
Full-text search for tickets and knowledge base articles. Can be self-hosted for on-premise deployments (no data leaves your environment).
Real-time WebSocket transport for live ticket updates and agent collaboration. Reverb is self-hosted by default; Pusher is an optional managed alternative.
Payment processing for cloud-hosted plan billing. Card data is tokenized by Stripe; Maktab never stores raw card numbers.
Firebase Cloud Messaging (FCM) for push notifications. Google OAuth 2.0 for social login (optional). No analytics data sent to Google.
Our standard DPA covers lawful basis for processing, subprocessor obligations, data subject rights, breach notification timelines (72 hours), data return/deletion on contract termination, and international transfer mechanisms (SCCs for EU/UK).
We welcome security researchers and invite responsible disclosure of vulnerabilities. We commit to acknowledging reports within 48 hours, investigating within 7 days, and crediting researchers in release notes (if they wish).
Our team is available to walk your procurement and security team through Maktab's architecture, answer RFP security questionnaires, and provide additional documentation.