Security

Last updated: April 7, 2026

1. Our Commitment

At Borderless Distribution Network, LLC ("Jistix"), security is foundational — not an afterthought. We implement defense-in-depth across infrastructure, application, and operations to protect our customers' data and ensure the integrity of every freight transaction processed through our platform.

2. Infrastructure Security

  • Google Cloud Platform (Firebase) — SOC 1/2/3, ISO 27001, PCI DSS Level 1 certified infrastructure. Firebase Authentication, Firestore, and Cloud Storage are fully managed services with Google's enterprise-grade security.
  • Vercel — SOC 2 Type II certified hosting with an edge network that provides automatic DDoS protection, global CDN distribution, and isolated serverless function execution.
  • Data residency — Data is stored in the Firebase europe-west1 (Belgium) region.
  • No self-managed servers — Our entire infrastructure runs on fully managed cloud services, eliminating the risks associated with self-administered hardware and operating systems.

3. Data Encryption

In Transit

  • TLS 1.2+ enforced on all connections between clients and our servers.
  • HTTP Strict Transport Security (HSTS) headers with a 1-year max-age directive prevent protocol downgrade attacks.

At Rest

  • AES-256 encryption via Google Cloud default encryption. All Firestore data is encrypted at rest automatically.
  • Cloud Storage objects are encrypted with Google-managed keys.

Secrets Management

  • All sensitive credentials are stored as server-side environment variables — never embedded in client-side code.
  • No client-side API keys for sensitive services.
  • HMAC-SHA256 request signing on all internal API calls to prevent request tampering.

4. Authentication & Access Control

  • Firebase Authentication with secure session management and token revocation checking.
  • Password requirements: minimum 8 characters, must include uppercase, lowercase, and a number.
  • Session cookies with 5-day expiry, Secure flag, HttpOnly flag, and SameSite attribute.
  • CSRF protection via double-submit cookie pattern with timing-safe comparison to prevent cross-site request forgery.
  • Role-based access control within organizations, with permissions enforced at both the application and database layers.
  • Tenant isolation: Firestore security rules enforce per-organization data boundaries. Users can only read and write data belonging to their own organization.

5. Application Security

  • Server-side API routes — All sensitive operations (payment processing, document classification, rate calculations) run server-side in Next.js API routes, never in the browser.
  • Input validation: Zod schemas on all API endpoints (17 validation schemas) ensure strict type checking and sanitization of all user input.
  • Output encoding: React's built-in XSS protection with strict content rendering. No use of dangerouslySetInnerHTML anywhere in the codebase.
  • Content Security Policy headers enforced via middleware to prevent cross-site scripting and data injection attacks.
  • Rate limiting: 4 presets protect against abuse — API: 100/min, Auth: 10/min, Payment: 20/min, Webhook: 50/min.
  • CORS restrictions on API endpoints limit cross-origin requests to approved domains.
  • Source maps disabled in production builds to prevent source code exposure.

6. API Security

  • Nexus BFF (Backend-for-Frontend) proxy — All third-party API calls are routed through a server-side proxy, ensuring that no external API keys are ever exposed to the browser.
  • HMAC-SHA256 request signing on every Nexus request for integrity verification and authentication.
  • No third-party API keys exposed to the browser — All integrations (SeaRates, carrier APIs, payment processors) are proxied server-side.
  • Payment routes are protected with authentication middleware, ensuring only authenticated users can initiate transactions.
  • 30-second timeout on external API calls with AbortController to prevent resource exhaustion from slow upstream services.

7. AI & Data Processing

  • Server-side only — AI processing (powered by Anthropic Claude) runs exclusively on the server, proxied through our BFF layer. The AI service never communicates directly with the client.
  • No training on user data — User data is not used to train AI models. Our AI provider (Anthropic) does not train on API inputs.
  • API key protection — The AI API key (JISTIX_AI_SECRET) is server-side only and never appears in client bundles.
  • Ephemeral processing — Document content processed for classification and extraction is discarded from AI context after each request. No user data is persisted in AI systems.

8. Dependency Management

  • Regular npm audit scans to identify and remediate known vulnerabilities.
  • Automated vulnerability monitoring with alerts for new CVEs affecting our dependency tree.
  • 0 vulnerabilities in application code — remaining vulnerabilities are confined to unused template transitive dependencies with no runtime exposure.
  • License compliance auditing to ensure all dependencies are compatible with our licensing requirements.

9. Monitoring & Incident Response

  • Structured error logging with PII scrubbing — no personally identifiable information, payment details, or authentication tokens appear in log output.
  • Real-time monitoring via Vercel analytics and function logging for anomaly detection.
  • Incident response procedure: Contain → Investigate → Remediate → Notify → Review.
  • Data breach notification within 72 hours per GDPR and Saudi PDPL requirements.
  • Post-incident reviews with documented lessons learned and preventive measures.

10. Responsible Disclosure

We welcome security researchers who help us keep Jistix safe. If you discover a vulnerability, please report it to security@jistix.io.

Please include in your report:

  • A description of the vulnerability and its potential impact.
  • Detailed steps to reproduce the issue.
  • Any proof-of-concept code or screenshots, if applicable.

Our commitments to responsible researchers:

  • We will acknowledge receipt of your report within 48 hours.
  • We will not pursue legal action against good-faith security researchers who comply with this policy.
  • We aim to remediate critical vulnerabilities within 72 hours of confirmation.
  • We will credit researchers (with permission) in our security acknowledgments.

11. Compliance

  • SOC 2 Type II — Achieved via sub-processors (Firebase, Stripe, Vercel), each independently SOC 2 Type II audited.
  • PCI DSS — Payment processing is fully delegated to Stripe, a PCI DSS Level 1 certified service provider. Jistix never stores, processes, or transmits cardholder data.
  • GDPR — Data Processing Agreement available upon request. Our Privacy Policy addresses all GDPR requirements including data subject rights, lawful basis for processing, and cross-border transfer mechanisms.
  • Saudi PDPL — Compliant with the Personal Data Protection Law requirements, including data minimization, purpose limitation, and data subject consent.
  • ZATCA — Phase 2 e-invoicing compliance using ECDSA/secp256k1 digital signatures and UBL 2.1 XML invoice format, as required by the Saudi Zakat, Tax and Customs Authority.

12. Contact

For security, privacy, or compliance inquiries, please reach out to the appropriate team:

Borderless Distribution Network, LLC — Jistix (jistix.io)