Security

Security that shows its work.

We only claim what we've built. What is shipped is listed as shipped, what is planned is listed as planned, and every claim maps to code you can ask us about.

Only your people see your data

Access is checked on the server for every request, down to individual rows and columns. Guessing links or IDs gets a 404, not your data.

Every change is on the record

Who changed what, when, from where: written to an audit trail that nobody, including us, can edit after the fact.

Accounts are hard to break into

Two-factor sign-in, account lockout after failed attempts, and sessions you can revoke everywhere with one click.

Shipped today

These controls are live and enforced in the product right now.

Password hashing and 2FA

Passwords are bcrypt-hashed, never stored in plain text. Optional TOTP two-factor auth with single-use backup codes.

Scoped API keys

Keys are SHA-256 hashed, shown once at creation, scoped per resource and per workspace, with expiry dates and instant revocation.

Security log with SIEM export

Append-only, company-wide log of sign-ins, permission changes, and key management, with signed webhook streaming and an export API for SIEM tools.

Lockout and rate limiting

Repeated failed sign-ins freeze the account and auth endpoints are rate limited, so brute force gets stopped, not just slowed.

Revocable sessions

Sign out everywhere with one click. Sessions are revoked server-side, and a password change or reset signs out every other device.

Full-chain tenant isolation

Every record lookup verifies the whole ownership chain, record to board to base to workspace. Guessing IDs gets you a 404, not someone else's data.

Layered permissions, enforced server-side

Role-based, row-level, and field-level permissions. Hidden fields are stripped from API responses on the server, not merely hidden in the UI.

Immutable audit trail

Every significant action is logged with before/after snapshots, user, time, and IP. Once written, entries cannot be altered by anyone, including us.

Safe password resets

Reset links are single-use and expire in minutes, and the flow never reveals whether an email address has an account.

SSRF protection

Outbound webhook and automation destinations are validated on every delivery, so requests can never be pointed at internal infrastructure.

Tenant-scoped file storage

Attachment keys are server-generated and scoped to your company. Downloads require permission on the owning board before a single byte streams.

Exports that respect access

CSV export applies the same permission rules as the UI. You only export what you are allowed to see.

Data residency

Sajel runs on dedicated infrastructure: monitored, encrypted, and isolated per deployment. Private cloud hosting in Oman is on the roadmap for teams that need regional residency.

Our posture is compliance-supporting for GDPR and Oman PDPL (Royal Decree 6/2022): role-based access, comprehensive audit trails, and an in-country deployment model with no third-party data egress by default. We do not claim certification, and we say so plainly.

On the roadmap

We build these when a deployment requires them, and we will tell you plainly where anything stands.

SSO (SAML / OIDC)

Enterprise single sign-on, alongside today's email and password with optional TOTP 2FA.

Device-level session controls

Sign-in history and per-device revocation, on top of today's sign-out-everywhere.

Trash and recovery

A grace window to restore deleted records and boards.

Oman private cloud

In-country hosting for deployments that require regional residency.

Evaluating Sajel for a regulated deployment? We answer security questionnaires and walk through the details directly. Talk to us.

Report a vulnerability

Responsible disclosure is welcome. If you find something, tell us privately with a description, reproduction steps, and impact. We aim to acknowledge within one business day and give an initial assessment within three.

security@sajel.om

Bring your data. We'll keep it yours.

Join Beta

Free during beta · No credit card needed