Security
No badges we don't hold, no claims we can't back. This page describes what is actually implemented - and it gets reviewed against the code.
Last reviewed: June 2026
All traffic runs over HTTPS with HSTS preload. Strict security headers ship on every response: a content security policy, frame denial, MIME no-sniff and a locked-down permissions policy.
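As an added illustration (this is not hisab.ma's code), here is a small checker that parses the headers named above and flags the weaknesses a reviewer looks for: an HSTS value that would not qualify for the preload list, a script policy that permits inline or eval, framing that is not actually denied, and the missing nosniff or permissions policy. The header values in GOOD_HEADERS and WEAK_HEADERS are constructed for the example; the HSTS thresholds follow hstspreload.org's submission requirements.

```javascript
// Added example: parse and check the response headers this page lists.
// Header samples are constructed; real values come from an HTTP response.

function parseHsts(value) {
  // "max-age=63072000; includeSubDomains; preload" -> structured directives
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith('max-age=')) out.maxAge = Number.parseInt(d.slice('max-age='.length), 10) || 0;
    else if (d === 'includesubdomains') out.includeSubDomains = true;
    else if (d === 'preload') out.preload = true;
  }
  return out;
}

function parseCsp(value) {
  // "default-src 'self'; script-src 'self'" -> Map(directive -> [source list])
  const directives = new Map();
  for (const raw of value.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// headers: plain object with lower-case names, as Node's http module exposes them.
// Returns the list of problems found; an empty list means the response passes.
function checkSecurityHeaders(headers) {
  const problems = [];

  const hsts = headers['strict-transport-security'];
  if (!hsts) problems.push('missing Strict-Transport-Security');
  else {
    const h = parseHsts(hsts);
    // hstspreload.org requires at least one year, includeSubDomains and preload
    if (h.maxAge < 31536000) problems.push('HSTS max-age below one year');
    if (!h.includeSubDomains) problems.push('HSTS lacks includeSubDomains');
    if (!h.preload) problems.push('HSTS lacks preload');
  }

  const csp = headers['content-security-policy'];
  const d = csp ? parseCsp(csp) : new Map();
  if (!csp) problems.push('missing Content-Security-Policy');
  else {
    // script-src falls back to default-src; either must exist and be strict
    const scriptSrc = d.get('script-src') || d.get('default-src') || [];
    const loose = ["'unsafe-inline'", "'unsafe-eval'", '*', 'data:'];
    if (scriptSrc.length === 0 || scriptSrc.some(s => loose.includes(s.toLowerCase()))) {
      problems.push('CSP script policy missing or permissive');
    }
  }

  // Frame denial: either CSP frame-ancestors 'none' or X-Frame-Options: DENY
  const frameAncestors = d.get('frame-ancestors') || [];
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (!frameAncestors.includes("'none'") && xfo !== 'DENY') problems.push('framing not denied');

  if ((headers['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') {
    problems.push('missing X-Content-Type-Options: nosniff');
  }
  if (!headers['permissions-policy']) problems.push('missing Permissions-Policy');
  return problems;
}

// Constructed samples: one response that passes, one that does not.
const GOOD_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};
const WEAK_HEADERS = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src 'self' 'unsafe-inline'",
  'permissions-policy': 'camera=()',
};
```

Feed it the header object from a real response (for example `res.headers` from Node's http client) to turn the claim on this page into a repeatable check.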
Passwords are hashed with bcrypt (cost 12) and never stored or logged in plain text. Sessions are stored server-side in the database and carried in an HttpOnly, Secure cookie; they expire after 30 days and can be revoked server-side at any moment.
Every query is scoped to your organization - one tenant can never read another's rows. Bank details are encrypted at rest with AES-256-GCM, an authenticated cipher that detects tampering.
Every significant action on your business records lands in an append-only audit log. Each finalized invoice joins a per-organization SHA-256 integrity chain, and an evidence bundle (the invoice UBL plus its validation reports) is stored when the invoice is rendered or exported. Both are built for the 10-year retention the DGI requires.
All payments are processed by Paddle. Card numbers are entered in Paddle's checkout, stored on Paddle's PCI DSS-compliant infrastructure, and never pass through our servers. Webhooks are signature-verified before anything is processed.
PDF generation and document storage run on a dedicated service: every file and PDF route requires service authentication, files are confined to per-organization directories, and requests are size- and rate-limited.
Security reports go to contact@hisab.ma and reach me - Salah, the founder - directly. I read every report and respond personally. If you found a vulnerability, thank you: please include steps to reproduce.
Write to contact@hisab.ma - it lands with the person who built the system.