How Iltizam protects your data, secures your environment, and keeps you compliant.
Last reviewed: 28 June 2026
Iltizam is built with security-first principles throughout the stack.
Sensitive employee fields — Iqama number, passport number, IBAN, document content, and government portal credentials — are encrypted at the field level using AES-256 before storage.
Strict CSP headers prevent XSS attacks. All scripts require a per-request nonce. Inline scripts are blocked. frame-ancestors 'none' prevents clickjacking.
All responses include X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy.
Every outbound webhook payload is signed with HMAC-SHA256. Private IP ranges (RFC 1918, AWS metadata, loopback) are blocked to prevent SSRF attacks.
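To make the two webhook controls above concrete, here is an added example (not Iltizam's code) of signing a payload with HMAC-SHA256, verifying it on the receiving side in constant time, and refusing to deliver to a URL whose hostname resolves into RFC 1918, link-local (which covers the AWS metadata address) or loopback space. The secret, the helper names and the injectable resolver are assumptions made for the example.

```python
"""Webhook signing and outbound-destination checks.
Added example, not Iltizam's code: secret, helper names and URLs are constructed."""
import hashlib
import hmac
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed demo secret; a real deployment holds one per webhook subscription.
WEBHOOK_SECRET = b"constructed-demo-secret"


def sign_payload(secret: bytes, payload: bytes) -> str:
    """Sender side: hex HMAC-SHA256 tag sent alongside the raw request body."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, payload: bytes, presented: str) -> bool:
    """Receiver side: recompute over the exact bytes received, compare in constant time."""
    return hmac.compare_digest(sign_payload(secret, payload), presented)


# Destinations a self-hosted app must never be steered into by a user-supplied URL.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("169.254.0.0/16"),   # link-local, includes the AWS metadata endpoint
    ipaddress.ip_network("::1/128"),          # IPv6 loopback
    ipaddress.ip_network("fc00::/7"),         # IPv6 unique-local
    ipaddress.ip_network("fe80::/10"),        # IPv6 link-local
]


def address_is_blocked(ip: str) -> bool:
    """True if the literal address falls in any blocked range."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop an IPv6 scope id if present
    return any(addr in net for net in BLOCKED_NETWORKS)


def webhook_url_is_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Require https and a hostname whose every resolved address lies outside the
    blocked ranges. The resolver is injectable so the check can run without DNS."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    try:
        infos = resolver(parts.hostname, parts.port or 443)
    except OSError:
        return False
    addresses = {info[4][0] for info in infos}
    if not addresses:
        return False
    return not any(address_is_blocked(a) for a in addresses)
```

Two practical points: verify the signature over the raw body bytes before any JSON parsing, since re-serialised JSON will not match the sender's bytes; and connect to the address you validated rather than re-resolving the hostname, otherwise a record that changes between the check and the connection (DNS rebinding) reopens the gap.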
Sessions are stored in the database — not files — with per-session IDs and activity timestamps. Users can view and revoke individual sessions from the portal.
TOTP 2FA via Google Authenticator is available for all users. Replay attacks are prevented by tracking the last-used token timestamp.
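The replay protection described above works because a TOTP code is tied to a 30-second time step: once a step has been consumed, the same code (and any earlier step) is refused even if it is still within the skew window. The following is an added example, not Iltizam's code, of an RFC 6238 TOTP generator and a verifier that remembers the highest consumed step; the in-memory storage of that step and the one-step skew window are assumptions for the example.

```python
"""TOTP verification with last-used-step tracking.
Added example, not Iltizam's code: storage and skew window are assumptions."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1, 6 digits) for the step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** DIGITS):0{DIGITS}d}"


class TotpVerifier:
    """Accepts each time step at most once. last_step would be persisted per user
    in a real system; here it lives in memory for the example."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window  # steps of clock skew tolerated on either side
        self.last_step = -1   # highest step already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already consumed, or older than a consumed step: replay rejected
            expected = totp_code(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False
```

The generator is checked against the RFC 6238 test vectors (secret `12345678901234567890`, SHA-1), and the verifier is then shown rejecting the same code a second time within its step. Storing `last_step` next to the user record, and updating it in the same transaction as the login, is what makes the rejection hold across application instances.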
Login attempts are limited to 5 per minute, password resets to 3 per minute, and public API endpoints to 60 requests per minute per token.
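As an added illustration (not Iltizam's code) of how those three limits can be enforced with one mechanism, here is a sliding-window limiter keyed by endpoint and client identity. The endpoint names, the choice of a sliding log over a fixed counter, and the in-memory store are assumptions for the example; the numeric limits are the ones stated above.

```python
"""Sliding-window rate limiting with per-endpoint limits.
Added example, not Iltizam's code: endpoint names and storage are assumptions."""
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# (max requests, window seconds); values as stated on the page, names constructed.
LIMITS: Dict[str, Tuple[int, int]] = {
    "login": (5, 60),
    "password_reset": (3, 60),
    "api": (60, 60),
}


class SlidingWindowLimiter:
    """Keeps request timestamps per (endpoint, client key) and rejects a request
    when the count inside the trailing window has already reached the limit."""

    def __init__(self, limits: Dict[str, Tuple[int, int]] = LIMITS):
        self.limits = limits
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def allow(self, endpoint: str, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        max_hits, window = self.limits[endpoint]
        hits = self._hits[(endpoint, key)]
        while hits and now - hits[0] >= window:
            hits.popleft()  # forget requests that have left the window
        if len(hits) >= max_hits:
            return False
        hits.append(now)
        return True

    def remaining(self, endpoint: str, key: str) -> int:
        """Requests the client may still make before the next rejection."""
        max_hits, _ = self.limits[endpoint]
        return max(max_hits - len(self._hits[(endpoint, key)]), 0)
```

The key should be chosen per endpoint: source IP (or IP plus submitted username) for login and password reset, and the API token itself for the public API, matching the "per token" limit above. A deployment with several application instances would keep the timestamps in a shared store such as Redis rather than in process memory.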
Iltizam is built for full compliance with GCC data protection regulations.
Each company runs its own isolated installation. No shared database, no shared application layer. Your data never co-mingles with another company's data.
Iltizam includes a built-in Data Subject Request module compliant with KSA Personal Data Protection Law (2021, Article 4). Employees can request access, correction, deletion, or portability of their data. All requests are tracked with a 30-day SLA.
The Data Subject Request module also covers UAE Federal Decree No. 45 (2021) on Personal Data Protection. Employee rights to access and erasure are fully supported.
Every create, update, delete, login, and sensitive read is logged with the user identity, IP address, user agent, affected record, and old/new values. The audit log is read-only from the portal.
Because Iltizam is self-hosted, your data stays within your own infrastructure — on-premises or in your chosen cloud region. No data is transmitted to Iltizam servers.
Iltizam is designed around GCC labor law and government portal requirements.
Full UBL 2.1 XML invoice generator with SHA-256 hashing and ZATCA clearance/reporting API submission. Compliant with the Saudi e-invoicing mandate.
9% + 9% contribution calculation for Saudi nationals. API integration with GOSI portal when credentials are configured. Non-nationals correctly excluded.
Full WPS record management with SAMA-format SIF file generation for bank submission. Monthly payroll is linked directly to WPS compliance tracking.
EOSB calculated using KSA Labor Law Article 84 formula (0.5 month/year first 5 years, 1 month/year after). Contract auto-conversion rule (3 fixed-term renewals = unlimited) enforced. Overtime multipliers (1.25×/1.5×/2.0×) per Article 107.
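The three rules above are worth seeing as arithmetic with their boundaries handled. This is an added example, not Iltizam's code: it applies the Article 84 tiers exactly as stated (half a month per year for the first five years, a full month per year after), treats three renewals as the conversion point, and accepts only the listed overtime multipliers. The month-counting convention, the pro-rating of partial years, and the fact that the caller supplies the multiplier (the text does not say which multiplier applies to which hours) are assumptions of the example.

```python
"""KSA labour-law calculations as the page states them.
Added example, not Iltizam's code; month counting, pro-rating and the
caller-supplied overtime multiplier are assumptions."""
from datetime import date

EOSB_FIRST_TIER_YEARS = 5
EOSB_FIRST_TIER_RATE = 0.5   # months of wage per year of service, years 1-5
EOSB_LATER_RATE = 1.0        # months of wage per year of service after year 5
FIXED_TERM_RENEWALS_TO_UNLIMITED = 3
OVERTIME_MULTIPLIERS = (1.25, 1.5, 2.0)


def completed_months(start: date, end: date) -> int:
    """Whole months of service between two dates (assumed convention:
    an incomplete final month is not counted)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:
        months -= 1
    return max(months, 0)


def eosb(monthly_wage: float, start: date, end: date) -> float:
    """Article 84 as stated on the page: 0.5 month per year for the first five
    years, 1 month per year thereafter. Fractions of a year are pro-rated
    (assumption); the result is rounded to two decimals."""
    years = completed_months(start, end) / 12
    first_tier = min(years, EOSB_FIRST_TIER_YEARS)
    later = max(years - EOSB_FIRST_TIER_YEARS, 0)
    months_of_wage = EOSB_FIRST_TIER_RATE * first_tier + EOSB_LATER_RATE * later
    return round(monthly_wage * months_of_wage, 2)


def contract_is_unlimited(fixed_term_renewals: int) -> bool:
    """Auto-conversion rule from the page: three fixed-term renewals make the
    contract unlimited."""
    return fixed_term_renewals >= FIXED_TERM_RENEWALS_TO_UNLIMITED


def overtime_pay(hourly_wage: float, hours: float, multiplier: float) -> float:
    """Overtime at one of the Article 107 multipliers the page lists; any other
    value is rejected so a mis-keyed rate cannot reach payroll."""
    if multiplier not in OVERTIME_MULTIPLIERS:
        raise ValueError(f"unsupported overtime multiplier {multiplier}")
    if hours < 0:
        raise ValueError("overtime hours cannot be negative")
    return round(hourly_wage * hours * multiplier, 2)
```

Worked figures: seven full years on a 10,000 monthly wage gives 2.5 + 2 = 4.5 months, i.e. 45,000; three years gives 1.5 months, i.e. 15,000. The tier boundary is the place to test, since an off-by-one there silently over- or under-pays every employee past five years.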
MOHRE/WPS compliance, NAFIS Emiratization quota tracking, and ADGM employment regulation support via government portal integration.
We take security reports seriously and respond promptly to verified vulnerabilities.
If you discover a security vulnerability in Iltizam, please report it responsibly.
security@iltizam.com
We publish a machine-readable security disclosure policy at /.well-known/security.txt following RFC 9116.
/.well-known/security.txt
We acknowledge all reports within 48 hours and provide a fix timeline within 7 business days for critical vulnerabilities.
Our team is ready to answer any compliance or security questions.