Legal

Security Policy

Last updated: April 2026

Overview

[NAME] is committed to maintaining the highest standards of security for customer data. All infrastructure operates within UAE sovereign cloud environments. This document outlines our security architecture, controls, and practices.

Infrastructure Security

All [NAME] infrastructure is hosted on Google Cloud Platform within the UAE (me-central1) region. No customer data is processed or stored outside UAE sovereign territory.

• Dedicated GKE clusters per customer tenant: no shared compute between tenants
• Private networking with no public endpoint exposure for data plane services
• All traffic encrypted in transit using TLS 1.3 minimum
• All data encrypted at rest using AES-256
• Customer-managed encryption keys (CMEK) available on Business and Enterprise tiers
• VPC Service Controls to prevent data exfiltration

Access Controls

• Role-based access control (RBAC) enforced at platform and infrastructure levels
• SSO integration (SAML 2.0, OIDC) available on Business and Enterprise tiers
• Multi-factor authentication required for all [NAME] staff accessing production systems
• Just-in-time access for privileged operations: no standing admin access
• All access to customer environments is logged and auditable

Certifications & Compliance

• SOC 2 Type II in progress; attestation roadmap will be published as we approach general availability
• ISO 27001 in progress, target aligned with launch milestones
• Aligned with CBUAE Technology Risk Management Guidelines
• Aligned with ADGM Data Protection Regulations 2021
• Aligned with DIFC Data Protection Law 2020

Vulnerability Management

[NAME] conducts quarterly penetration testing by independent third-party security firms. Critical and high-severity vulnerabilities are remediated within 24 hours and 7 days respectively. Customers are notified of issues that may affect their environment.

Incident Response

In the event of a security incident affecting customer data, [NAME] will notify affected customers within 72 hours of becoming aware of the breach, in compliance with applicable UAE data protection regulations. Our incident response plan is reviewed and tested annually.

Data Retention & Deletion

On contract termination, all customer data held within [NAME] infrastructure is securely deleted within 30 days. A deletion certificate is provided. Source data in customer-owned systems is never affected.

Security Contact

To report a security vulnerability or ask about our security programme, contact us via the contact page. For urgent security issues, please mark your message as "SECURITY" in the subject line.