Trust & Security Center

Last Updated: February 1, 2025

1. Overview

Security is not an afterthought at Hijaaz Latheef — it is embedded in every layer of our platform, from application design to infrastructure operations. This Trust Center provides a transparent view into our security practices, data handling procedures, and compliance commitments.

We serve property management firms that entrust us with sensitive tenant communications. That responsibility demands enterprise-grade safeguards with no compromises.

2. Trust Pillars

Encryption

TLS 1.3 for all data in transit. AES-256 encryption for all data at rest. Database connections secured with mutual TLS. No data is ever stored or transmitted in plaintext.

Email Authentication

SPF, DKIM (2048-bit), and DMARC (p=reject) enforced on all outbound mail. Dedicated sending IP with actively maintained reputation. List-Unsubscribe headers on every message.

Infrastructure

Hosted on AWS us-east-1 with multi-AZ redundancy, auto-scaling groups, and daily encrypted snapshots. Network segmented with VPCs, security groups, and WAF protection.

Monitoring

24/7 monitoring of delivery metrics, bounce/complaint ratios, volume anomalies, and infrastructure health. Automated alerting with defined escalation paths and on-call rotation.

3. Security Practices

3.1 Access Controls

  • Role-Based Access Control (RBAC): Employees and client users are assigned granular permissions based on job function. Principle of least privilege is enforced at all access points
  • Multi-Factor Authentication (MFA): Required for all staff accounts, API key management, and administrative functions
  • SSO integration: Available for enterprise clients with SAML 2.0 and OpenID Connect support
  • Session management: Automatic session timeout after 30 minutes of inactivity. Concurrent session limits enforced

3.2 Data Protection

  • Encryption at rest (AES-256) for all databases, object storage, and backup volumes
  • Encryption in transit (TLS 1.3) for all API calls, web traffic, and internal service communication
  • Field-level encryption for sensitive data (PII, payment tokens)
  • Data classification policy with four tiers: Public, Internal, Confidential, Restricted

3.3 Application Security

  • Secure development lifecycle (SDL) with mandatory code review and automated SAST/DAST scanning
  • Dependency vulnerability scanning integrated into CI/CD pipeline
  • Input validation, output encoding, and parameterized queries to prevent injection attacks
  • CSRF protection, Content Security Policy (CSP), and security headers enforced
  • Annual penetration testing by an independent third party

4. Infrastructure Details

4.1 Cloud Hosting

  • Provider: Amazon Web Services (AWS)
  • Primary region: us-east-1 (N. Virginia)
  • Redundancy: Multi-AZ deployment across three availability zones
  • Backup: Daily encrypted snapshots with 30-day retention, cross-region replication
  • Disaster recovery: RPO < 4 hours, RTO < 2 hours

4.2 Email Delivery

  • Provider: Mailgun (Sinch) — dedicated SMTP relay
  • Sending IP: Dedicated IP address with actively managed reputation
  • Daily volume: ~11,750 emails/day (exclusively transactional)
  • Complaint rate: < 0.03% (target < 0.05%)
  • Bounce rate: < 1.8% (target < 2%)
  • Delivery rate: > 98%
  • Authentication: SPF + DKIM (2048-bit) + DMARC (p=reject)

5. Incident Response

Our incident response process follows a structured five-phase approach:

  1. Detection (0–15 minutes): Automated monitoring identifies the incident and alerts the on-call team via PagerDuty
  2. Triage (15–30 minutes): On-call engineer assesses severity, scope, and impact. Critical incidents escalate to the incident commander
  3. Containment (30 minutes – 2 hours): Affected systems are isolated. Mitigation measures are deployed to prevent further impact
  4. Eradication & Recovery (2–24 hours): Root cause is identified and eliminated. Systems are restored from verified clean state
  5. Post-Incident Review (within 72 hours): Detailed post-mortem with root cause analysis, timeline, and preventive action items. Shared with affected clients

GDPR breach notification: In the event of a personal data breach, we notify affected supervisory authorities within 72 hours and affected individuals without undue delay, as required by GDPR Article 33/34.

6. Logging & Audit Trail

| Log Type | Retention | Access |
|---|---|---|
| Email delivery logs (message ID, recipient hash, status, timestamp) | 90 days | Client dashboard + API |
| Access and authentication logs | 12 months | Internal security team |
| Template and rule change history (full diff) | 12 months | Client administrators |
| Infrastructure and application logs | 12 months | Internal engineering |
| API request logs | 90 days | Client dashboard |

All change management follows a four-eyes principle: template modifications, sending rule changes, and access grants require approval from a second authorized team member before activation.

7. Compliance

Hijaaz Latheef is designed and operated in alignment with the following regulations and standards:

  • GDPR — General Data Protection Regulation (EU)
  • CCPA / CPRA — California Consumer Privacy Act (US)
  • CAN-SPAM — Controlling the Assault of Non-Solicited Pornography And Marketing Act (US)
  • CASL — Canada's Anti-Spam Legislation

Compliance is maintained through regular policy reviews, staff training, and automated monitoring. We do not currently claim SOC 2, PCI-DSS, or ISO 27001 certification.

8. Email Practices — Detailed

This section provides an in-depth view of the operational safeguards governing our email sending infrastructure:

8.1 Recipient Verification

Every recipient email address is verified through a confirmation link during account registration. Addresses that fail verification or are identified as disposable/temporary are rejected before any transactional email is sent. Verification status is re-checked against the suppression list before each send.

8.2 Suppression List

We maintain a global suppression list that is applied in real time to every outbound message. Hard bounces, spam complaints, manual opt-outs, and addresses flagged by ISP feedback loops are permanently suppressed. Suppression entries are never deleted — they persist indefinitely to prevent re-sending.

8.3 Bounce & Complaint Workflows

  • Hard bounces: Immediate, permanent suppression. No retries
  • Soft bounces: Up to 3 retry attempts with exponential back-off over 48 hours. If all retries fail, the address is treated as a hard bounce
  • Spam complaints: Immediate suppression + incident ticket created. Deliverability team reviews within 4 hours. If a pattern is detected, the sending account is suspended pending investigation

8.4 Feedback Loop (FBL) Monitoring

We are registered with major ISP feedback loops including Gmail Postmaster Tools, Microsoft SNDS, and Yahoo Complaint Feedback Loop. Complaint data is ingested in real time, triggers automated suppression, and feeds into our complaint trend dashboard for manual review.

8.5 Rate Limiting & Anomaly Detection

  • Per-client hourly and daily rate limits prevent unexpected volume spikes
  • Per-template rate limits ensure individual notification types cannot flood recipients
  • Anomaly detection engine flags sending volumes exceeding 150% of the 7-day moving average and pauses new sends until manual review

8.6 Access Control for Sending

Email sending is governed by RBAC with the principle of least privilege:

  • Only designated operators can create or modify email templates
  • All template and sending rule changes require a second-person approval (four-eyes principle)
  • API keys for sending are scoped to specific notification types and rate-limited
  • Administrative access to the sending pipeline requires MFA

8.7 Audit Trail for Email Operations

Every change to email templates, sending rules, suppression list overrides, and notification categories is logged with:

  • Timestamp of change
  • Identity of the person making the change
  • Full diff of what changed (before/after)
  • Approval record (who approved, when)

These logs are retained for 12 months and are available for compliance audits.

8.8 How to Report Abuse

If you believe you have received an unwanted email from our platform, or suspect abuse:

  • Email abuse@hijaazlatheef.com with the full email headers and message body
  • We will acknowledge your report within 24 hours and provide a resolution within 5 business days
  • Confirmed abuse cases result in immediate account suspension per our Acceptable Use Policy

9. Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities:

  • Contact: security@hijaazlatheef.com
  • Acknowledgment: Within 48 hours of submission
  • Assessment: Within 5 business days
  • Resolution: Critical vulnerabilities patched within 72 hours; high-severity within 14 days
  • Please include steps to reproduce, potential impact, and any supporting evidence
  • We will not pursue legal action against researchers who follow responsible disclosure guidelines

10. Contact

For security, compliance, or trust-related inquiries:

  • Security team: security@hijaazlatheef.com
  • Privacy officer: privacy@hijaazlatheef.com
  • Abuse reports: abuse@hijaazlatheef.com
  • General inquiries: info@hijaazlatheef.com
  • Phone: +1 (512) 843-7291
  • Address: Hijaaz Latheef Corp., 8500 Shoal Creek Blvd, Suite 4C, Austin, TX 78757