Company · Trust & Compliance

We claim only what we hold.

Security and compliance certifications appear on this page once the audit is complete. UAE PDPL + GDPR posture is live today; ISO 27001 + SOC 2 + PCI DSS are engineered-for and tracked.

Submit a data request · Read our security architecture

Posture at a glance

Engineered to a sovereign-IT bar from day one.

100%
Data residency in operator country
0
Vendor backdoors or vendor-held break-glass access
24×7
SRE + security operations
30d
Median DSAR resolution

What we hold today

Live compliance posture.

UAE Personal Data Protection Law (PDPL) — DPO appointed, lawful basis declared, DSAR runbook live. EU GDPR — granular cookie consent (Cookiebot), data-subject rights honored regardless of jurisdiction, controller-of-record clarified per workload.

Architecture

Security primitives, not slogans.

These are platform-layer guarantees enforced by code, not policy documents asking the operator to comply.

  • Sovereign hosting

    Every deployment runs in operator-country compute. Encryption keys, signing certs, biometric templates — operator-owned.

  • Audit-immutable logs

    Every privileged access logged to append-only storage. Logs queryable by the regulator without 888 in the loop.

  • RBAC + workflow

    Seven roles × seven content sections × three locales. Draft → review → approve → publish. Per-locale sign-off gates.

  • Microsoft 365 + Azure AD SSO

    All admin access via tenant-managed identity (Azure AD, now Microsoft Entra ID). 2FA enforced at the IdP level; no local-only credentials in production.

  • Open redirect + XSS hardening

    All redirects validated against an accept-list. CSP nonce per request. Input zod-schema-validated at API edge.

  • Rate limiting + bot mitigation

    AI endpoints rate-limited per user + IP. Public forms protected by Cloudflare Turnstile + honeypot.

  • Cryptography

    TLS 1.3 only, HSTS preload, AES-256 at rest. BYOK supported on the platform. (BYOK determines who holds the keys; it does not by itself make the stack post-quantum-ready, and no post-quantum algorithms are claimed on this page.)

  • Supply chain

    SBOM produced on every build. SLSA-aligned CI provenance. Dependencies pinned with vulnerability scanning.

  • Backup + DR

    RDS Multi-AZ with PITR. Documented restore runbook with quarterly drills. RTO < 1h, RPO < 5min.

  • Data residency

    Operated where the law lives.

    Production data lives in AWS me-central-1, the Middle East (UAE) region, for UAE-domiciled engagements. For Ethiopian, GCC, and other-jurisdiction engagements, we deploy in the regulator-designated region or in a sovereign cloud per the engagement contract.

    No production data leaves the operator country without an explicit contractual carve-out approved by the operator's Data Protection Officer. Replication, backups, and observability all stay in-region.

    Read the deployment runbook →
    Data stays in the operator country unless the operator's DPO approves a contractual carve-out.

    Future certifications

    On the roadmap, not on the page.

    ISO 27001 — controls implemented to the standard; external observation period commenced Q1 2026. SOC 2 Type II — observation period running alongside ISO 27001. PCI DSS — scoped to the National Payment System (NPS) and 888 Pay; gap assessment complete, remediation underway.

    We will publish the certificate scopes, audit dates, and any non-conformities the moment they're issued. Until then, this page intentionally does not carry the badges.

    PDPL · GDPR · ISO · SOC · PCI: what we hold today · what's tracked for tomorrow

    Data subject rights

    30-day median resolution. Identity-verified intake.

    Submit access, correction, deletion, restriction, portability, or objection requests via /legal/data-requests. We verify identity via email round-trip plus last-interaction proof. Median resolution: 30 days. Complex requests may extend by 30 days with notice.

    Certification timeline · transparency

    What's certified, what's tracked, what's pending.

    ISO 27001: controls in production since Q3 2025 · external observation period commenced Q1 2026 · certification target Q3 2026.

    SOC 2 Type II: observation period commenced Q1 2026 · certification target Q4 2026.

    PCI DSS: scoped to the National Payment System and 888 Pay surfaces · gap assessment completed Q4 2025 · remediation underway · target Q1 2027.

    UAE Personal Data Protection Law (PDPL): Data Protection Officer registered with the UAE Data Office; lawful-basis registry maintained continuously; DSAR runbook live with median 30-day resolution.

    1. Discovery: 2 weeks · 2. Stand-up: 6 weeks · 3. Pilot: 4 weeks · From kickoff to first citizen: 90 days

    Incident posture

    Disclosure within 30 days. Postmortems shared with regulators.

    Material security incidents are disclosed to NDA-bound investors and impacted operators within 30 days of detection, and postmortems are shared with the operator's regulator. Statutory breach notifications run on their own, shorter clocks (GDPR Art. 33, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a personal-data breach, where feasible) and are not extended by this 30-day window. No incident has occurred to date that meets this threshold; this is the operating procedure for when one does.

    Need our compliance documentation?

    Procurement teams, regulators, and auditors — request our security architecture overview, data-flow diagrams, SBOM, and incident-response runbook. Standard mutual NDA via DocuSign; turnaround under 48 hours.

    Request the doc set · Submit a data request

    © 2026 888 Software Systems LLC. All rights reserved.
