Security
Last updated: 30 May 2026
Sastemny is built as multi-tenant SaaS for merchants who trust us with conversations, orders, and money movement. This page summarises technical and organisational measures. It supplements our Privacy Policy and does not replace your own security programme or a formal audit.
Report suspected vulnerabilities to security@sastemny.app. Do not test systems without written permission.
1. Security programme
We maintain administrative, technical, and physical safeguards proportionate to the sensitivity of merchant and customer data processed in the workspace.
2. Encryption and transport
All public endpoints use TLS 1.2+ with modern cipher suites. Secrets and tokens are stored hashed or encrypted at rest where supported by our infrastructure.
3. Access control
Role-based access separates owners, finance, and frontline staff. Production access is limited to authorised personnel on a need-to-know basis with logging.
4. Tenant isolation
Every workspace is logically isolated: catalog, conversations, orders, wallet, and integrations are scoped by tenant identifier. Cross-tenant access is prevented at the application and database policy layers.
5. Kayan and money guardrails
Kayan actions that affect refunds, payouts, or ad spend can require explicit approval and spend caps, and they appear in an auditable action log, with undo where supported.
6. Incident response
We investigate reported incidents, contain impact, notify affected merchants when legally required, and cooperate with the PDPC for personal data breaches under Law No. 151 of 2020.
7. Egypt PDPL alignment
We are aligning controls with the Personal Data Protection Law and Executive Regulations, including breach notification, data minimisation in product design, and subprocessor agreements.
8. Vendor management
Infrastructure, payment, and messaging providers are reviewed for security practices before onboarding and monitored for critical vulnerabilities.
9. Your responsibilities
Use strong passwords, enable least-privilege roles, review Kayan settings, and disconnect unused integrations. You are responsible for devices and staff training in your business.
10. Reporting
Security contact: security@sastemny.app — include steps to reproduce and impact assessment. We do not support unsolicited penetration testing without agreement.