Security & Compliance

Maktab Trust Center

Everything enterprise procurement teams need to evaluate Maktab — security architecture, compliance posture, penetration test status, and subprocessor list.


Security Architecture

Layered security controls from infrastructure to application layer, built to meet enterprise and government requirements.

Multi-Factor Authentication

TOTP-based MFA (RFC 6238) for all admin accounts; enforcement is set per role by policy. Single-use backup codes. Account lockout after 5 failed attempts.

SAML 2.0 / SSO

Full SAML 2.0 SP implementation. Compatible with Okta, Azure AD, Google Workspace, ADFS, and any SAML 2.0-compliant IdP. Signed assertions required.

SCIM 2.0 Provisioning

Automated user provisioning and deprovisioning via SCIM 2.0. Supports Okta, Azure AD, OneLogin. Immediately revokes access on deprovisioning.

Role-Based Access Control

84 granular permissions across 12 resource types. Custom roles. Dual-guard architecture separates admin and client sessions completely.

Data Encryption

Passwords hashed with bcrypt (cost 12). Sensitive fields (SMTP credentials, API keys, Twilio tokens) encrypted at rest with AES-256 via Laravel Crypt. TLS 1.2+ in transit.

HTTP Security Headers

HSTS with includeSubDomains + preload. Strict CSP policy. X-Frame-Options: DENY. X-Content-Type-Options: nosniff. Referrer-Policy: strict-origin-when-cross-origin.

IDOR & Authorization

All resource access enforces ownership checks at the database query level, not just route-level middleware. Ticket/asset/company scoping prevents cross-tenant data access.
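What "at the query level, not just route-level middleware" means in practice, as an added example against an in-memory SQLite database with constructed sample data (not Maktab's schema or code): the id-only lookup hands an Acme user a Globex ticket if they guess its id, while the scoped lookup and the scoped update take the tenant id from the session and put it in the WHERE clause. Table and column names are assumptions.

```python
"""Tenant-scoped lookups versus id-only lookups (IDOR). Added illustration with
constructed data; schema and names are assumptions, not Maktab's."""
import sqlite3
from typing import Optional, Tuple

SCHEMA = """
CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE tickets (
    id         INTEGER PRIMARY KEY,
    company_id INTEGER NOT NULL REFERENCES companies(id),
    subject    TEXT    NOT NULL,
    status     TEXT    NOT NULL DEFAULT 'open'
);
"""
COMPANIES = [(1, "Acme"), (2, "Globex")]                                     # constructed
TICKETS = [(101, 1, "Acme VPN outage"), (202, 2, "Globex payroll export")]    # constructed


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO companies (id, name) VALUES (?, ?)", COMPANIES)
    db.executemany("INSERT INTO tickets (id, company_id, subject) VALUES (?, ?, ?)", TICKETS)
    return db


def find_ticket_unscoped(db: sqlite3.Connection, ticket_id: int) -> Optional[Tuple]:
    """IDOR-prone: relies on middleware having checked 'is logged in', then loads
    whatever row the caller-supplied id points at, regardless of tenant."""
    return db.execute(
        "SELECT id, company_id, subject, status FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchone()


def find_ticket(db: sqlite3.Connection, ticket_id: int, session_company_id: int) -> Optional[Tuple]:
    """Scoped: the tenant id comes from the authenticated session, never from the
    request, and is part of the WHERE clause, so a foreign id simply yields no row."""
    return db.execute(
        "SELECT id, company_id, subject, status FROM tickets WHERE id = ? AND company_id = ?",
        (ticket_id, session_company_id),
    ).fetchone()


def close_ticket(db: sqlite3.Connection, ticket_id: int, session_company_id: int) -> bool:
    """Writes need the same scoping. rowcount tells the caller whether the row was
    theirs; 0 reads as 'not found' for this tenant rather than confirming it exists."""
    cur = db.execute(
        "UPDATE tickets SET status = 'closed' WHERE id = ? AND company_id = ?",
        (ticket_id, session_company_id),
    )
    db.commit()
    return cur.rowcount == 1
```

The scoped variant also closes the enumeration side channel: a 404 for a ticket that exists in another tenant looks identical to a 404 for a ticket that does not exist at all.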

PII Detection

Automatic PII scanning on ticket bodies and replies. Detects credit card patterns, national ID formats, and email addresses. Flags for review without blocking submission.

Rate Limiting

Per-IP throttling on login (5/min), API endpoints (60/min), webhooks (1,000/min). Brute-force lockout with 10-minute cooldown. Configurable per-tenant.
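A per-IP sliding-window throttle with the cooldown behaviour described above, as an added example (not Maktab's middleware). The login figures (5 per minute, 10-minute cooldown) are the ones stated; applying the same cooldown to the API and webhook buckets, the class name and the injectable clock are assumptions made so the behaviour can be checked deterministically.

```python
"""Per-IP sliding-window throttle with a lockout cooldown. Added illustration,
not Maktab's code; api/webhook cooldowns and names are assumptions."""
import math
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

# (limit, window seconds, cooldown seconds). Login values are from the page; the
# 600-second cooldown on the other two buckets is an assumption.
LIMITS = {
    "login":    (5, 60, 600),
    "api":      (60, 60, 600),
    "webhooks": (1000, 60, 600),
}


class IpThrottle:
    def __init__(self, limit: int, window: int, cooldown: int):
        self.limit, self.window, self.cooldown = limit, window, cooldown
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def allow(self, ip: str, now: Optional[float] = None) -> bool:
        """True if this hit is admitted; False if the IP is over the limit or cooling down."""
        now = time.monotonic() if now is None else now
        if self.locked_until.get(ip, 0.0) > now:
            return False                            # still in the cooldown period
        q = self.hits[ip]
        while q and q[0] <= now - self.window:      # forget hits outside the sliding window
            q.popleft()
        if len(q) >= self.limit:
            self.locked_until[ip] = now + self.cooldown
            q.clear()
            return False
        q.append(now)
        return True

    def retry_after(self, ip: str, now: Optional[float] = None) -> int:
        """Whole seconds until the IP may try again (0 if not locked); fits a Retry-After header."""
        now = time.monotonic() if now is None else now
        return math.ceil(max(0.0, self.locked_until.get(ip, 0.0) - now))


def build_throttles() -> Dict[str, IpThrottle]:
    return {name: IpThrottle(*cfg) for name, cfg in LIMITS.items()}
```

The key has to be the real client address: behind a load balancer that means taking X-Forwarded-For only from proxies you operate, otherwise a client can rotate its own bucket by changing a header.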

IP Allowlist

Admin panel access can be restricted to a list of trusted IP ranges, expressed in CIDR notation. Individual agents can be granted remote access from outside the allowlist after completing an MFA step-up.
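The allowlist and step-up decision from the paragraph above, as an added example (not Maktab's middleware), together with the part that usually breaks such controls: deriving the client address. X-Forwarded-For is attacker-controlled unless the peer that sent it is a proxy you run, so the check walks back from the TCP peer and stops at the first hop that is not one of yours. The sample networks, the trusted-proxy list and the "allow / step_up / deny" labels are constructed assumptions.

```python
"""CIDR admin allowlist with an MFA step-up path, plus safe client-IP derivation.
Added illustration, not Maktab's code; networks, proxies and labels are assumptions."""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SAMPLE_ALLOWLIST = ["10.0.0.0/8", "203.0.113.0/24", "2001:db8:1::/48"]   # constructed
SAMPLE_TRUSTED_PROXIES = ["192.0.2.1"]                                   # constructed: our load balancer


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    # strict=False tolerates host bits in an entry such as "10.1.2.3/8" instead of raising
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def client_ip(remote_addr: str, forwarded_for: str, trusted_proxies: Iterable[str]) -> str:
    """Start from the socket peer; only step into X-Forwarded-For while the current hop
    is a proxy we operate. The first hop that is not ours is the client."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    chain = [h.strip() for h in forwarded_for.split(",") if h.strip()] if forwarded_for else []
    for hop in [remote_addr] + chain[::-1]:
        if ipaddress.ip_address(hop) not in trusted:
            return hop
    return remote_addr


def ip_allowed(ip: str, networks: Iterable[Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    # membership across IP versions is simply False, so mixed v4/v6 lists are safe
    return any(addr in net for net in networks)


def admin_access(ip: str, networks: Iterable[Network],
                 agent_remote_enabled: bool, mfa_step_up_done: bool) -> str:
    """'allow' from an allowlisted address; otherwise only agents flagged for remote
    access get in, and only after a fresh MFA step-up ('step_up' means prompt for it)."""
    if ip_allowed(ip, networks):
        return "allow"
    if not agent_remote_enabled:
        return "deny"
    return "allow" if mfa_step_up_done else "step_up"
```

Note the order of the two tests in the test block: a direct connection that claims an internal address in X-Forwarded-For is still judged by its real peer address, which is exactly the bypass an allowlist that trusts the header unconditionally would permit.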

Immutable Audit Logs

Every admin action is recorded in the system audit log: actor, action, resource, timestamp, IP address, before/after state. Logs cannot be edited or deleted by any user.

Session Management

Session tokens stored server-side (database driver). Configurable session timeout. "Log out all sessions" per user. Suspicious login detection alerts all admins.

Compliance Mapping

Current control implementation mapped to GDPR, SOC 2, and ISO 27001 frameworks.

Framework | Control reference | Requirement | Maktab implementation | Status
GDPR | Art. 5 — Data minimisation | Collect only data necessary for the purpose | Only required ticket fields collected; PII scan flags over-collection | Implemented
GDPR | Art. 17 — Right to erasure | Delete personal data on request | GDPR Erasure controller + scheduled data retention purge | Implemented
GDPR | Art. 20 — Data portability | Provide data in machine-readable format | Client portal: export tickets as JSON/CSV; admin: bulk export | Implemented
GDPR | Art. 25 — Privacy by design | Default settings must protect privacy | Dual-guard architecture; no cross-tenant data without explicit scoping | Implemented
GDPR | Art. 30 — Records of processing | Maintain record of processing activities | System audit log records all processing with actor, resource, timestamp | Implemented
GDPR | Art. 32 — Security of processing | Appropriate technical security measures | AES-256 at rest, TLS 1.2+ in transit, MFA, RBAC, bcrypt | Implemented
SOC 2 | CC6.1 — Logical access | Restrict logical access to authorized users | RBAC with 84 permissions, MFA, SAML, SCIM deprovisioning | Controls met
SOC 2 | CC6.6 — Threat protection | Protect against external threats | Rate limiting, brute-force lockout, IP allowlist, CSP, HSTS | Controls met
SOC 2 | CC7.1 — Vulnerability detection | Detect and monitor for vulnerabilities | Internal pentest complete; external pentest scheduled Q3 2026 | In progress
SOC 2 | CC8.1 — Change management | Authorize, test, and document changes | Git-based review process; audit logs capture settings changes | Controls met
SOC 2 | CC9.1 — Risk mitigation | Identify and mitigate risks from vendors | Subprocessor list maintained; DPA with each vendor | Controls met
ISO 27001 | A.9 — Access control | Control access to information assets | RBAC, MFA, SAML, SCIM, IP allowlist, session management | Implemented
ISO 27001 | A.10 — Cryptography | Proper use of cryptographic controls | bcrypt (cost 12), AES-256 field encryption, TLS 1.2+, HMAC-SHA256 webhooks | Implemented
ISO 27001 | A.12 — Operations security | Secure operating procedures and monitoring | Immutable audit logs, system health monitoring, scheduled purge jobs | Implemented
ISO 27001 | A.18 — Compliance | Avoid violations of legal or contractual obligations | GDPR erasure, data retention, DPA, subprocessor registry | Implemented

SOC 2 Type I formal attestation is planned for Q4 2026. Controls are implemented and documented; the formal audit engagement is in procurement.

Penetration Testing

Security assessments performed against the full attack surface: authentication, authorization, injection, session management, and webhook security.

Internal Security Assessment — May 2026

Full OWASP Top 10 evaluation. Authentication attacks (credential stuffing, MFA bypass, token replay), authorization (IDOR, privilege escalation), injection (SQLi, XSS, XXE, SSRF), session (fixation, sidejacking), HTTP header analysis. Result: No critical findings. 3 informational findings remediated.

External Penetration Test — Q3 2026 (Scheduled)

Black-box + grey-box engagement with a CREST-certified external security firm. Scope: all /app/*, /portal/*, /api/*, and webhook endpoints. Executive summary will be published here (redacted) upon completion.

SOC 2 Type I Audit — Q4 2026 (Planned)

Formal trust service criteria attestation. Covers security, availability, and confidentiality. Audit engagement in procurement.

Internal Assessment Scope

Attack category | Tests run | Outcome
Authentication | Credential stuffing, brute-force, MFA bypass, token replay | Pass
Authorization | IDOR, horizontal/vertical privilege escalation, cross-tenant | Pass
Injection | SQL injection, XSS (stored/reflected/DOM), XXE, SSRF | Pass
Session | Fixation, sidejacking, CSRF, insecure transport | Pass
HTTP Headers | CSP bypass, clickjacking, MIME sniffing, cache poisoning | Pass
File Upload | Malicious file upload, path traversal, extension bypass | Pass
API | Token leakage, rate-limit bypass, mass assignment, over-fetching | Pass
Webhooks | HMAC-SHA256 signature verification bypass, replay attacks | Pass

3 informational findings (non-critical) remediated post-assessment.
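The two webhook cases in the scope table (HMAC-SHA256 signature verification bypass and replay), and the "HMAC-SHA256 webhooks" line in the cryptography mapping, worked through as an added example. This is illustrative code, not Maktab's webhook scheme: the header names, the "timestamp.body" signed-string layout and the five-minute tolerance are assumptions. It shows what a receiver has to get right: verify over the raw request bytes, compare in constant time, bind the timestamp into the MAC so a captured payload cannot be re-dated, and remember signatures for as long as the timestamp window would still accept them.

```python
"""HMAC-SHA256 webhook signing and verification with replay protection.
Added illustration, not Maktab's scheme; headers, layout and tolerance are assumptions."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

TOLERANCE_SECONDS = 300   # assumed acceptance window either side of the sender's timestamp


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side. The timestamp is part of the signed string, so an attacker holding a
    captured delivery cannot refresh it; raw_body is the exact bytes put on the wire."""
    return hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self._seen: Dict[str, float] = {}     # accepted signature -> time it can be forgotten

    def verify(self, raw_body: bytes, timestamp_header: str, signature_header: str,
               now: Optional[float] = None) -> Tuple[bool, str]:
        """Returns (accepted, reason). Verify the bytes as received; re-serialising parsed
        JSON before hashing is a classic way to make valid signatures fail or forged ones pass."""
        now = time.time() if now is None else now
        try:
            ts = int(timestamp_header)
        except (TypeError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.tolerance:
            return False, "stale"                  # cheap rejection before any crypto
        sig = signature_header.strip().lower()
        expected = sign(self.secret, ts, raw_body)
        # compare_digest, not ==, so timing does not reveal how many leading bytes matched
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self._prune(now)
        if sig in self._seen:
            return False, "replay"
        self._seen[sig] = now + self.tolerance
        return True, "ok"

    def _prune(self, now: float) -> None:
        # A signature older than the tolerance is rejected as stale anyway, so the
        # replay cache only needs to hold one window's worth of deliveries.
        for stale in [s for s, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]
```

The replay cache is keyed on the signature rather than on a separate nonce because the signature already commits to timestamp and body; a dedicated delivery-id header works equally well as long as it is inside the signed string.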

Subprocessors

Third-party services that may process customer data as part of Maktab's infrastructure. We maintain a DPA with each subprocessor and monitor their security practices.

Amazon Web Services (AWS)

Cloud infrastructure hosting, storage (S3), compute (EC2), and managed database (RDS MySQL). Primary infrastructure provider.

Region: Middle East (UAE) + EU (Frankfurt)  ·  ISO 27001, SOC 2, PCI DSS certified

SendGrid (Twilio)

Transactional email delivery for ticket notifications, alerts, and system emails. Inbound email parsing via webhook.

Region: US, EU  ·  SOC 2 Type II certified

Mailgun

Alternative transactional email provider. Inbound email parsing via webhook. Used as failover/secondary email channel.

Region: US, EU  ·  SOC 2 Type II certified

Twilio

SMS notifications, voice call handling, and WhatsApp channel integration. Voice webhook for call-to-ticket creation.

Region: US, EU, APAC  ·  ISO 27001, SOC 2 Type II certified

OpenAI

AI-powered ticket triage, sentiment analysis, smart reply suggestions, and knowledge base search enhancement.

Region: US  ·  SOC 2 Type II certified  ·  API data not used for model training

Meilisearch

Full-text search for tickets and knowledge base articles. Can be self-hosted for on-premise deployments (no data leaves your environment).

Region: Self-hosted or Meilisearch Cloud (EU)  ·  Optional

Pusher / Laravel Reverb

Real-time WebSocket for live ticket updates and agent collaboration. Reverb is self-hosted by default; Pusher is an optional managed alternative.

Region: Self-hosted (Reverb) or Pusher US/EU  ·  SOC 2 Type I (Pusher)

Stripe

Payment processing for cloud-hosted plan billing. Card data is tokenized by Stripe; Maktab never stores raw card numbers.

Region: US, EU  ·  PCI DSS Level 1, SOC 2 Type II certified

Google (Firebase / OAuth)

Firebase Cloud Messaging (FCM) for push notifications. Google OAuth 2.0 for social login (optional). No analytics data sent to Google.

Region: US, EU  ·  ISO 27001, SOC 2, FedRAMP authorized

On-premise deployments: When Maktab is deployed on your infrastructure, Meilisearch and Reverb run locally. Only OpenAI API calls leave your environment; API inputs are not used for model training, and retention follows the data-retention terms of your OpenAI API agreement. AWS, Stripe, and the email providers apply only to cloud-hosted plans.

Data Processing Agreement

Our standard DPA covers lawful basis for processing, subprocessor obligations, data subject rights, breach notification timelines (72 hours), data return/deletion on contract termination, and international transfer mechanisms (SCCs for EU/UK).

  • GDPR Article 28 compliant DPA
  • Standard Contractual Clauses (SCCs) for EU/UK transfers
  • 72-hour breach notification commitment
  • Data deletion within 30 days of contract termination
  • Annual security review clause for enterprise contracts

Responsible Disclosure

We welcome security researchers and invite responsible disclosure of vulnerabilities. We commit to acknowledging reports within 48 hours, investigating within 7 days, and crediting researchers in release notes (if they wish).

Report a vulnerability: security@maktab.io
Please include: steps to reproduce, affected version, potential impact. We ask that you do not publicly disclose until we have had 90 days to remediate.
  • 48-hour acknowledgement commitment
  • 7-day initial investigation
  • 90-day responsible disclosure window
  • Researcher credit in release notes (opt-in)

Ready for a Security Review Call?

Our team is available to walk your procurement and security team through Maktab's architecture, answer RFP security questionnaires, and provide additional documentation.
