
Last Updated: March 2026
At BITAS, security is foundational to our platform. We implement industry-standard security practices to protect your data, ensure service reliability, and maintain the trust of our customers. This page outlines the key security measures we have in place.
Our platform is hosted on enterprise-grade cloud infrastructure with the following protections:
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). API communications between internal services are also encrypted.
• Encryption at Rest: All stored data — including databases, file uploads, and backups — is encrypted at rest using AES-256 encryption.
• Network Security: Our infrastructure uses firewalls, network segmentation, and intrusion detection systems to prevent unauthorized access. Only necessary ports and services are exposed.
We implement strict access controls at every level:
• Role-Based Access Control (RBAC): BITAS supports 7 distinct user roles (Admin, Merchandiser, Senior Designer, Junior Designer, Fabric Team, Accessories Store, CAD Technician), each with precisely scoped permissions.
• JWT Authentication: All API requests are authenticated using JSON Web Tokens with configurable expiration. Tokens are validated on every request.
• Password Security: Passwords are hashed using bcrypt with appropriate salt rounds. Plaintext passwords are never stored or logged.
• Session Management: Sessions can be invalidated by users or administrators at any time. Inactive sessions expire automatically.
BITAS uses a path-based multi-tenant architecture where each customer's data is logically isolated:
• Tenant Isolation: Every database query is scoped to the authenticated tenant. Cross-tenant data access is architecturally impossible through normal application flows.
• Separate Workspaces: Each tenant operates in their own workspace with independent master data, workflows, users, and configurations.
• API Boundary Enforcement: Middleware validates tenant context on every API request, ensuring requests cannot access resources outside their tenant scope.
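As an added illustration (not BITAS's own code), a minimal form of the tenant-context check described above: a stdlib-only HS256 token verifier that pins the algorithm and checks expiry, followed by a middleware step requiring the tenant segment of a `/t/<tenant>/...` path to match the token's tenant claim before any query scope is handed to the data layer. The path layout, claim names and demo secret are assumptions made for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # constructed for this example; a real key lives in a vault
ALLOWED_ALG = "HS256"                  # the only algorithm this verifier will accept

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(tenant: str, user_id: str, role: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying a tenant claim (assumed claim layout)."""
    header = b64url(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user_id, "tenant": tenant, "role": role,
                                 "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str):
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm: the token's own header must never get to choose "none" or another alg.
    if header.get("alg") != ALLOWED_ALG:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        return None
    return claims

def tenant_context(path: str, token: str) -> dict:
    """Middleware step: the tenant in /t/<tenant>/... must equal the token's tenant
    claim. Returns the scope that every data-layer query must apply."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "t":
        raise PermissionError("no tenant in path")
    claims = verify_token(token)
    if claims is None:
        raise PermissionError("invalid or expired token")
    if claims.get("tenant") != parts[1]:
        raise PermissionError("token tenant does not match path tenant")
    return {"tenant_id": claims["tenant"], "user_id": claims["sub"], "role": claims["role"]}
```

The returned scope is what the data layer should bind into every query; a request whose path names a different tenant than the token is refused before any query is built.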
Comprehensive audit logging is built into the platform:
• Activity Tracking: All significant actions — workflow transitions, data modifications, user logins, and administrative operations — are logged with timestamps, user identity, and action details.
• Immutable Logs: Audit logs are append-only and cannot be modified or deleted by application users.
• Retention: Audit logs are retained for the duration of the service agreement and can be exported upon request.
Our development practices prioritize security:
• Input Validation: All user inputs are validated and sanitized on both client and server sides to prevent injection attacks (SQL injection, XSS, etc.).
• CORS Policies: Cross-Origin Resource Sharing is configured to allow only authorized domains, preventing unauthorized third-party access.
• Dependency Management: We regularly audit and update third-party dependencies to address known vulnerabilities.
• Secure Development Lifecycle: Code reviews, automated testing, and security-focused development practices are integral to our workflow.
We maintain a structured incident response process:
• Detection: Automated monitoring and alerting systems detect anomalies and potential security incidents in real time.
• Response: Our team follows a documented incident response procedure covering containment, investigation, remediation, and communication.
• Notification: In the event of a data breach affecting your account, we will notify you within 72 hours in accordance with GDPR requirements and our Data Processing Agreements.
• Post-Incident Review: Every incident is followed by a thorough review to identify root causes and implement preventive measures.
We implement robust backup and recovery procedures:
• Regular Backups: Automated backups are performed daily with point-in-time recovery capability.
• Geographic Redundancy: Backups are stored in geographically separate locations to protect against regional outages.
• Recovery Testing: Backup restoration procedures are tested regularly to ensure data can be recovered within the defined Recovery Time Objective (RTO).
BITAS is designed to support compliance with:
• General Data Protection Regulation (GDPR)
• Data Protection best practices
• Industry-standard security frameworks
For detailed information about our GDPR compliance, please visit our GDPR Compliance page.
If you discover a security vulnerability or have concerns about the security of our platform, please contact us immediately:
• Email: contact.bitas@gmail.com
• Subject Line: Security Report
We take all security reports seriously and will acknowledge receipt within 24 hours. We appreciate responsible disclosure and will work with you to understand and address any issues.
© 2026 BITAS. All rights reserved.