Security Standards
BayanCore incorporates a Zero-Trust security model to protect sensitive enterprise data, satisfy Saudi cybersecurity standards (NCA), and prevent unauthorized access.
Authentication & Authorization
- Authentication (Clerk): Enterprise SSO (SAML/OIDC), MFA via SMS/Authenticator apps, automated brute-force protection
- JWT Verification: API Gateway validates Clerk JWT signature on every request, extracting user context (user_id, role, company_id)
- RBAC: Granular roles (Accountant, Sales Manager, HR Specialist) verified against target API path and method
PII Redaction Gateway
All context payloads to OCI GPU inference cluster pass through the PII Redaction Gateway:
- Intercept: Scan payloads for PII before LLM processing
- Scan: Regex filters + NER models detect National IDs, Iqama numbers, phone numbers, emails, IBANs
- Redact: Replace with token placeholders
- Reconstruct: Re-inject variables after LLM response
Session Management
- Inactivity Timeouts: Sessions expire after 15 minutes of inactivity
- Force Logout: Account changes in Clerk immediately invalidate Redis session cache (<60s)
- Concurrent Limits: Max 2 active sessions per user (prevents credential sharing)
Audit Trail
- Append-Only: DB role restricted to INSERT only — UPDATE/DELETE programmatically blocked
- Integrity Hashing: SHA-256 hash chain — every entry links to previous, weekly cron verifies integrity
- Payload: Gregorian + Hijri timestamps, IP address, Clerk User ID, action, changed fields
Incident Response
- AI Error Detected: Immediate rollback, user notification, incident log
- Data Breach Suspected: AI access suspended, audit review, PDPL notification
- Model Degradation: Fallback to rule-based system, retraining triggered