Security

Safe, secure, and private by design

Zakat is a trust, and so is the data you share with us. Zakatable is built on modern, industry-standard security — your information is encrypted everywhere, identities are verified, sensitive actions are fraud-checked, and every decision is auditable.

How we protect you

Security measures

Encryption everywhere

All traffic is served over HTTPS/TLS, and data is encrypted at rest with AES-256. Especially sensitive fields (like identity and payment details) are individually encrypted, and uploaded documents are stored with server-side encryption.

Secure sign-in

Authentication uses the OAuth 2.0 / OpenID Connect standard (Keycloak), with automatic brute-force lockout, and Face ID / fingerprint unlock on mobile. Each portal only admits the roles allowed to use it.

Strict tenant isolation

Every organization only ever sees its own applicants, contributions, and disbursements. Access is enforced on every request, so data never crosses between organizations.

Verified identities

Applicants and organizations can complete government-ID + selfie identity verification, so Zakat reaches real, eligible recipients and organizations are who they say they are.

Fraud detection

Device and location fraud checks protect sensitive actions such as event check-ins and disbursements, guarding against spoofed locations and tampered devices.

Auditable by design

Every pledge, review, decision, and payment is recorded against the application — a complete, tamper-evident trail from request to relief.

Your data, your rights

Privacy first — always

We collect only what's needed to distribute Zakat responsibly, and we never sell your data. You can delete your account and personal data at any time, directly in the app.

Our practices are documented in plain language, including a Data Processing Addendum for organizations that handle personal data through Zakatable. Read the Privacy Policy and Terms & legal.

  • No data sold, everYour information is used only to operate the service.
  • Delete anytimeSelf-service account & data deletion built into the app.
  • Least-privilege accessStaff and organizations see only what their role requires.
  • Encrypted secretsCredentials and keys are held in a secured secret store, never in code.
Kept current

Continuously reviewed & hardened

Security isn't a one-time checkbox. Zakatable is regularly reviewed for vulnerabilities and hardened as the platform grows. If you're a security researcher and believe you've found an issue, please email [email protected] — we appreciate responsible disclosure.

Questions?

Security questions or disclosures

Have a question about how we protect your data, or something to report? We're glad to hear from you.