
Security

Last updated: March 23, 2026

Security is foundational to Jamii AI. We protect your data, API communications, and infrastructure with multiple layers of defence. This page outlines our security practices and architecture.

1. Authentication & Authorisation

JWT Token Authentication

All protected endpoints require a signed JWT token with configurable expiration. Tokens are issued upon successful credential verification and include role-based claims.

Triple-Role Access Control

Three distinct authentication paths — admin, employee, and customer — each with separate database tables, credential verification, and JWT claims.

Row-Level Data Isolation

Customers can only access data matching their customer_number. Employees are restricted to tables listed in their allow_tables_list. Admins have full access.

2. Encryption

TLS 1.2+ In Transit

All API communications are encrypted using TLS 1.2 or higher. Plaintext HTTP connections are automatically redirected to HTTPS.

Encryption at Rest

Database storage and backups are encrypted using AES-256. API keys and secrets are stored using industry-standard key management.

Password Hashing

User passwords are hashed using bcrypt with automatically generated salts. Plain-text passwords are never stored or logged.

3. API Security

SQL Injection Prevention

All database queries use parameterised statements. Natural-language-to-SQL responses are validated and sanitised before execution. Write operations are blocked in read-only mode.
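The two controls described above (row-level isolation by `customer_number` and `allow_tables_list` in section 1, and parameterised, read-only query execution here) can be enforced at the database driver rather than by string inspection alone. The following is an added illustration, not Jamii AI's code: it uses Python's standard `sqlite3` authorizer hook, which is consulted while a statement is being prepared, so a generated query that writes, runs a PRAGMA, or reads a table outside the caller's allowlist is refused before any row is touched. The schema, sample rows, claim dictionaries and the `CUSTOMER_TABLES` set are constructed for the example; claim verification itself is assumed to have already happened.

```python
import sqlite3

# Constructed sample schema and data (not from the page).
SCHEMA = """
CREATE TABLE orders (order_id INTEGER, customer_number TEXT, amount REAL);
CREATE TABLE salaries (employee_id INTEGER, amount REAL);
INSERT INTO orders VALUES (1, 'C-1001', 25.0), (2, 'C-1001', 40.0), (3, 'C-2002', 99.0);
INSERT INTO salaries VALUES (7, 5000.0);
"""

# Tables the customer-facing endpoints read. Assumption: the page only gives
# customers a customer_number filter, not a table list, so one is fixed here.
CUSTOMER_TABLES = {"orders"}

# The only authorizer actions a pure read query needs to trigger.
READ_ONLY_ACTIONS = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}


class AccessGuard:
    """Builds an sqlite3 authorizer from already-verified JWT claims.

    Enforces (1) read-only mode: INSERT/UPDATE/DELETE/DDL/PRAGMA/ATTACH are
    refused at prepare time, and (2) the table allowlist: admins read every
    table, employees only allow_tables_list, customers only CUSTOMER_TABLES.
    """

    def __init__(self, claims):
        self.claims = claims
        self.role = claims.get("role")
        self.denials = []  # (action, table) pairs recorded for the last statement

    def readable_tables(self):
        if self.role == "admin":
            return None                      # None means unrestricted
        if self.role == "employee":
            return set(self.claims.get("allow_tables_list", []))
        if self.role == "customer":
            return CUSTOMER_TABLES
        return set()                         # unknown role: nothing

    def authorizer(self, action, arg1, arg2, db_name, source):
        if action not in READ_ONLY_ACTIONS:  # any write, DDL, PRAGMA, ATTACH...
            self.denials.append((action, arg1))
            return sqlite3.SQLITE_DENY
        if action == sqlite3.SQLITE_READ:    # arg1 is the table being read
            allowed = self.readable_tables()
            if allowed is not None and arg1 not in allowed:
                self.denials.append((action, arg1))
                return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK


def open_session(claims):
    """Open an in-memory DB, load the sample data, then install the guard."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)               # loaded before the authorizer exists
    guard = AccessGuard(claims)
    conn.set_authorizer(guard.authorizer)
    return conn, guard


def run_query(conn, guard, sql, params=()):
    """Execute one parameterised statement. Returns (True, rows), or
    (False, reason) when the guard refused it; other DB errors propagate."""
    guard.denials.clear()
    try:
        return True, conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:
        if guard.denials:
            action, table = guard.denials[0]
            return False, f"denied action {action} on {table!r}"
        raise


def customer_orders(conn, guard):
    """Row-level isolation: the customer_number comes from the verified claims
    and is bound as a parameter; it is never spliced into the SQL text."""
    return run_query(
        conn, guard,
        "SELECT order_id, amount FROM orders WHERE customer_number = ?",
        (guard.claims["customer_number"],),
    )


if __name__ == "__main__":
    conn, guard = open_session({"role": "employee", "allow_tables_list": ["orders"]})
    print(run_query(conn, guard, "SELECT count(*) FROM orders"))   # (True, [(3,)])
    print(run_query(conn, guard, "SELECT amount FROM salaries"))   # refused: not in allowlist
    print(run_query(conn, guard, "DELETE FROM orders"))            # refused: read-only mode
    conn, guard = open_session({"role": "customer", "customer_number": "C-1001"})
    print(customer_orders(conn, guard))                            # (True, [(1, 25.0), (2, 40.0)])
```

Because the authorizer is evaluated during `prepare`, a refused statement never starts executing, so there is no partial write to roll back; and because the customer filter is bound as a parameter from the token rather than taken from the request, a caller cannot widen it by editing the query text. The same pattern applies to server databases through their own role and grant mechanisms; the in-process authorizer is simply the easiest way to show it stand-alone.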

Rate Limiting

API endpoints are rate-limited per subscription tier to prevent abuse and ensure fair resource allocation across all users.

Input Validation

All API inputs are validated using Pydantic models with strict type checking, minimum length constraints, and format validation before processing.
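As an added illustration of the validation style described above (not Jamii AI's own request schemas, which are not on the page), the models below use Pydantic strict types, length bounds, a format check, and `extra = "forbid"` so that wrongly typed, short, malformed or unexpected fields are rejected before any handler runs. The field names and the `C-1234` customer-number format are assumptions made for the example; the code uses only API that exists in both Pydantic 1.x and 2.x.

```python
import re

from pydantic import BaseModel, Field, StrictInt, StrictStr, ValidationError, validator

# Assumed format for the example; the real format is not on the page.
CUSTOMER_NUMBER_RE = re.compile(r"^C-\d{4,}$")


class LoginRequest(BaseModel):
    # StrictStr refuses non-string input: 12345 is an error, not coerced to "12345".
    username: StrictStr = Field(min_length=3, max_length=64)
    password: StrictStr = Field(min_length=12)

    class Config:
        extra = "forbid"   # unknown fields are an error, not silently dropped


class QueryRequest(BaseModel):
    question: StrictStr = Field(min_length=5, max_length=500)
    customer_number: StrictStr
    # StrictInt rejects "10" (a string) even though int("10") would succeed.
    limit: StrictInt = Field(default=50, ge=1, le=500)

    @validator("customer_number")
    def customer_number_format(cls, value):
        if not CUSTOMER_NUMBER_RE.match(value):
            raise ValueError("customer_number must look like C-1234")
        return value

    class Config:
        extra = "forbid"


def validate(model, payload):
    """Return (True, instance) on success, or (False, sorted field paths
    that failed) so a caller can log which inputs were rejected and why."""
    try:
        return True, model(**payload)
    except ValidationError as exc:
        failed = {".".join(str(part) for part in err["loc"]) for err in exc.errors()}
        return False, sorted(failed)


if __name__ == "__main__":
    print(validate(LoginRequest, {"username": "alice", "password": "correct-horse-battery"}))
    print(validate(LoginRequest, {"username": 12345, "password": "short"}))
    print(validate(QueryRequest, {"question": "total orders this month",
                                  "customer_number": "C-1001", "limit": "10"}))
```

Strict types matter for the natural-language-to-SQL path in particular: a `limit` that arrives as a string, or a field the schema never declared, is refused at the boundary instead of reaching query generation.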

4. Infrastructure Security

  • Network isolation — services run in private networks with restricted access; only API gateway endpoints are publicly accessible
  • Minimal attack surface — only necessary ports and services are exposed; internal services communicate over private channels
  • Dependency management — all dependencies are pinned and regularly scanned for known vulnerabilities
  • Container security — application containers run as non-root users with read-only file systems where possible

5. Monitoring & Incident Response

  • Real-time monitoring — API performance, error rates, and security events are monitored continuously
  • Audit logging — all authentication events, access control decisions, and administrative actions are logged
  • Automated alerts — anomalous patterns trigger immediate alerts for investigation
  • Incident response — we maintain a documented incident response plan with defined severity levels, escalation paths, and communication procedures
  • Post-mortem reviews — all security incidents are followed by a thorough review to prevent recurrence

6. Development Practices

  • Secure SDLC — security is integrated into every stage of development, from design through deployment
  • Automated testing — 493 automated tests covering authentication, access control, input validation, and API behaviour
  • Static analysis — code is continuously analysed with Ruff for style, correctness, and potential security issues
  • Code review — all changes undergo peer review before merging
  • Least privilege — services and database connections operate with the minimum permissions required

7. Compliance

We are committed to meeting industry standards and regulatory requirements. Our security practices align with:

  • OWASP Top 10 mitigation guidelines
  • GDPR and data protection principles
  • SOC 2 Type II principles (Security, Availability, Confidentiality)

8. Responsible Disclosure

If you discover a security vulnerability in our Service, we encourage responsible disclosure. Please report it to:

security@jamiiai.com

We ask that you:

  • Do not publicly disclose the vulnerability before we have had a chance to address it
  • Provide sufficient detail for us to reproduce and fix the issue
  • Allow reasonable time for remediation before disclosure

We will acknowledge receipt within 48 hours and aim to resolve critical issues within 7 days.

9. Contact

For security-related questions or to report a concern:

  • Email: security@jamiiai.com
  • Website: www.africadigitalizer.com

© 2026 Jamii AI. All rights reserved.

Powered by Africa Digitalizer