مmargrow
العربيةStart free
م
Security & trust

Enterprise-grade security.

Your data and your customers' data deserve the best the industry offers. This page details how we protect it.

Encryption
TLS 1.3
In transit
Storage
AES-256
At rest
SLA
99.9%
Monthly uptime
Response
< 72h
Breach notification

Infrastructure

Margrow is hosted on Amazon Web Services (AWS) Riyadh region (me-central-1), with encrypted backup copies in Ireland (eu-west-1) for business continuity. AWS holds SOC 2 Type II, ISO 27001, PCI DSS certifications, and complies with Saudi National Cybersecurity Authority requirements.

Tenant isolation

Every customer (store) is logically isolated from others via multi-tenant architecture with access checks on every query. Your data never mixes with another merchant's.

Encryption

  • In transit: TLS 1.3 mandatory for every connection (browser, API, Salla integration).
  • At rest: AES-256 for databases, files, and backups.
  • Key management: AWS KMS with mandatory annual rotation.
  • Passwords: bcrypt with per-account salt.

Access control

  • Role-based access control (RBAC) internally
  • Two-factor authentication mandatory for every employee
  • Margrow engineer access to production data is limited, logged, and follows least-privilege principle
  • Quarterly audit of employee permissions

Audit logs

Every access to customer data is logged automatically (user, time, action, result). Logs are retrievable for 90 days and archived for one full year.

Security testing

  • Annually: external penetration test by a certified specialized firm
  • Quarterly: security code review
  • Weekly: automated vulnerability scanning (Snyk + Dependabot)

Backup & disaster recovery

  • Automatic backups every 6 hours
  • Recovery Point Objective (RPO): 15 minutes
  • Recovery Time Objective (RTO): 4 hours
  • Full restore drill quarterly

Incident response

We have a 24/7 incident response team. In case of any breach:

  • Containment within 2 hours
  • Impact analysis within 24 hours
  • Affected customers notified within 72 hours maximum
  • Post-incident report (post-mortem) within 14 days

Compliance

  • Saudi Personal Data Protection Law (PDPL)
  • National Cybersecurity Authority (NCA) requirements
  • Communications and Technology Authority (CITC) requirements for digital marketing
  • ZATCA requirements for billing record retention
  • SOC 2 Type II — in preparation (2026)

Reporting vulnerabilities

If you discover a security vulnerability, report it immediately to security@margrow.com. We commit to:

  • Response within 24 hours
  • Verification within 72 hours
  • Remediation based on severity (P1: 24h, P2: 7d, P3: 30d)
  • Public credit to reporter (if desired)
م

Security built · from day one.

For any security question, reach out to security@margrow.com