Infrastructure

✓Your data is stored in Google Cloud's me-central1 region (Doha, Qatar) — within the Gulf Cooperation Council and PDPL-compliant for Saudi cross-border transfers.
✓All traffic is encrypted in transit over HTTPS. Plain HTTP is rejected at the infrastructure level.
✓Built on Google Cloud Run — managed, auto-scaling containers with no persistent server-side state.

Account Security

✓Passwords are hashed using bcrypt with a salt factor of 10 or higher. We never store or log plaintext passwords.
✓Session tokens are stored in HTTP-only cookies — never in localStorage or JavaScript memory. Marked Secure + SameSite=Lax in production.
✓Access tokens expire in 15 minutes. Refresh tokens are single-use and invalidated on reuse — if your token is stolen and used by an attacker, your entire session family is revoked and you receive an email alert.

Application Security

✓Every page response carries a unique per-request Content Security Policy nonce. Inline scripts require the nonce — eliminating the entire stored XSS attack class.
✓All data-mutating API routes (POST, PUT, PATCH, DELETE) enforce origin validation to prevent cross-site request forgery.
✓Resource access checks ownership and identity in a single atomic database query. You cannot access another user's reports, conversations, or account data — even if you know their ID.
✓API endpoints are rate-limited (20 requests/min globally; 5/min on report generation) to prevent abuse and protect pipeline resources.

Your Data & AI

✓AI training is opt-in and off by default. Your reports and conversations are never used to train our in-house Jadwa model unless you explicitly enable it in Settings → Privacy.
✓No card data is stored on our servers. Payments are processed entirely on Moyasar's hosted checkout page (SAQ A PCI scope — the smallest possible PCI footprint).
✓We are designed for compliance with the Saudi Personal Data Protection Law (PDPL), Royal Decree M/19 dated 9/2/1443H. See our Privacy Policy for full details.

Built on trusted infrastructure

Google CloudPDPL-AlignedBuilt in Saudi Arabia

Responsible Disclosure

The section below is for security researchers. If you're a user with a security concern about your account, email us at security@arshedni.com.

In Scope

Anything served from *.arshedni.com
Authentication flows, payment integration, and data-handling code paths

Out of Scope

Moyasar (report directly to security@moyasar.com)
Authentica.sa, Google Cloud Run infrastructure, and any third-party SaaS we depend on
Denial-of-service attacks, social-engineering of staff, physical attacks

Rules

Test only against accounts you control. Do not access, modify, or delete other users' data.
Do not run automated scanners against production beyond a low-rate (≤ 5 req/sec) probe.
Stop and report as soon as you confirm an issue. Do not exfiltrate data.
Give us 90 days from initial report to remediate before public disclosure.
Comply with the Saudi Anti-Cybercrime Law (Royal Decree M/17, 1428 H) at all times.

Safe Harbor

If you follow this policy in good faith, we will treat your testing as authorized in writing under Royal Decree M/17 Articles 3 & 4, will not pursue civil or criminal action against you, and will not refer you to law enforcement.

This authorization does not bind the Saudi Public Prosecution. For state-recognized authorization, consider enrolling our scope through bugbounty.sa (SAFCSP).

Contact

Email a detailed report — including reproduction steps, impact assessment, and any proof-of-concept — to: security@arshedni.com