Skip to main content

🔒 Security Architecture

BayanCore incorporates a Zero-Trust security model to protect sensitive enterprise data, satisfy Saudi cybersecurity standards (NCA), and prevent unauthorized access.

1. Authentication & Authorization (AuthN/Z)

User identity and access management are managed via a dual-layered system:

[Client App] ──> [Clerk Auth] ──> JWT Token ──> [API Gateway JWT Verify] ──> [RBAC Match] ──> [Resource]
  • Authentication (Clerk): We offload identity provider duties to Clerk. This provides enterprise SSO (SAML/OIDC), secure multi-factor authentication (MFA) via SMS/Authenticator apps, and automated brute-force protection.
  • JWT Verification: The API Gateway intercepts every incoming HTTPS request, validates the Clerk JWT signature, and extracts the user context (user_id, role, company_id).
  • Role-Based Access Control (RBAC): Users are assigned granular roles (e.g. Accountant, Sales Manager, HR Specialist). The system verifies the role permissions against the target API path and method before routing the request.

2. PII Redaction Gateway

To comply with the Saudi Personal Data Protection Law (PDPL), sensitive personal information must be scrubbed before passing into AI Large Language Models:

  1. Intercept: All context payloads headed to the OCI GPU inference cluster pass through the PII Redaction Gateway.
  2. Scan: Regular expression filters and Named Entity Recognition (NER) models scan the payload for identifiers, including:
    • National IDs & Iqama numbers
    • Personal phone numbers & emails
    • Bank account IBANs
  3. Redact: Sensitive elements are replaced with token placeholders (e.g., [REDACTED_IQAMA]).
  4. Reconstruct: The LLM processes the redacted prompt, and the gateway re-injects the variables before presenting the final response to the user.

3. Session Management & Auto-Termination

To minimize session hijacking risks and comply with NCA Essential Cybersecurity Controls:

  • Inactivity Timeouts: Active user sessions automatically expire after 15 minutes of inactivity. The Next.js frontend monitors keyboard/mouse events and prompts a warning before executing a secure logout.
  • Force Logout Hooks: If a user account is disabled or roles are modified in Clerk, the API Gateway immediately invalidates the associated Redis session cache, terminating active sessions within 60 seconds.
  • Concurrent Session Limits: To prevent credential sharing, a user account is restricted to a maximum of 2 active concurrent sessions. Establishing a third session automatically invalidates the oldest session.

4. Immutable Audit Trails

All system events, ledger posts, and compliance validations write to an append-only transaction audit log.

  • Append-Only Enforces: The database role assigned to the logging service is restricted to INSERT statements only; UPDATE and DELETE queries are programmatically blocked.
  • Integrity Hashing: Every audit entry contains the SHA-256 hash of the previous log entry, forming a cryptographic hash chain. Weekly automated cron tasks recalculate the hashes to detect tampering immediately.
  • Detailed Payload: Every entry captures the Gregorian and Hijri timestamps, active IP address, Clerk User ID, action performed, and the specific fields changed.