security

Security is foundational at Okommerce — not bolted on. Here's how we approach it.

application security

• OWASP Top 10 reviewed on every release
• Parameterized queries (no SQL injection surface)
• CSRF protection on all state-changing endpoints
• Strict CSP headers
• Argon2id password hashing
• TLS 1.2+ enforced; 1.0/1.1 rejected

access controls

• Role-based + scope-based access enforced at the API layer (not just UI)
• Two-factor auth available and enforceable per role
• Session timeouts configurable per role
• Complete audit log for all create/update/delete/approval actions

compliance

• ZATCA Phase 2 e-invoicing certified (KSA)
• UAE FTA-compliant tax invoices
• PCI guidance for Enterprise deployments (we don't store card data)
• UAE PDPL, KSA PDPL, GDPR-aware data handling

vulnerability disclosure

Found a vulnerability? Email security@okommerce.com with details. PGP key available on request. We acknowledge within 24 hours and aim to fix critical issues within 7 days. We don't currently run a paid bug bounty but we publicly credit researchers.

need details?

Visit our trust center for the full security overview, or request our security questionnaire response by emailing security@okommerce.com.