Security & Trust
Your governance data is mission-critical. SustainGRC is designed for regulated industries where audit trails, data sovereignty, and access controls are non-negotiable — not bolt-ons added after the fact.
99.9% uptime SLA
AES-256 encryption standard
72-hour breach notification
Bi-annual penetration testing cadence
7-year audit log archive
30-minute P1 incident acknowledgement
Security isn't a feature we layered on top — it's the reason the platform architecture looks the way it does. Immutable audit logs, tenant isolation, and separation of duties are structural properties of the platform, not configuration options.
AES-256 encryption at rest across all data stores
TLS 1.3 in transit — no exceptions for internal services
Field-level encryption for sensitive disclosures and financial data
Encryption key management via Azure Key Vault with BYOK option
SAML 2.0 and OIDC SSO — compatible with Entra ID, Okta, Ping
Role-based access control enforced at the API layer
Separation of duties baked into all governance workflows
MFA mandatory for all admin and approver roles
Immutable audit log for every data change, approval, and export
SIEM integration via Azure Sentinel — alerts on anomalous access
Session recording available for enterprise tier
30-day log retention standard; 7-year archive for regulated entities
Hosted on Microsoft Azure — EU West and UAE North regions
Multi-region failover with 99.9% uptime SLA
Dedicated tenant isolation — no shared database schemas
Penetration tested bi-annually by independent CREST-accredited firms
EU data never leaves EU-West Azure region by default
GCC clients served from UAE North — KSA compliance roadmap Q3 2026
Data residency confirmed in contractual DPA at onboarding
No data shared with third parties or used for model training
RPO: 1 hour | RTO: 4 hours — tested quarterly
Automated daily backups with geo-redundant storage
Disaster recovery runbook available to enterprise clients
Incident response SLA: P1 acknowledged within 30 minutes
Every AI-generated suggestion in SustainGRC is presented as a proposal, not a decision. No AI layer can approve a risk rating, sign off a disclosure, or authorise a control. Human confirmation is required and the audit trail captures both the AI reasoning and the human decision — separately and immutably.
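The architectural property described above (the AI layer may only propose, a human must decide, and both records are kept separately and tamper-evidently) can be made concrete in code. The following is an added illustration written for this page, not SustainGRC's own implementation: it models the audit trail as a hash-chained, append-only log whose entries are keyed HMAC-SHA256 digests, and enforces that only a human principal can record a decision. The actor naming scheme (`ai:` and `user:` prefixes), the record fields and the demo key are assumptions of the example.

```python
"""Tamper-evident audit trail separating AI proposals from human decisions.

Added illustration, not SustainGRC's own code. Actor prefixes, record fields
and the HMAC key below are assumptions of this example.
"""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass


class GovernanceError(Exception):
    """Raised when an actor tries something the workflow forbids."""


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the chain
    kind: str         # "ai_proposal" or "human_decision"
    actor: str        # assumed scheme: "ai:<model>" or "user:<name>"
    subject: str      # governed object, e.g. a risk-rating identifier
    payload: dict     # AI reasoning, or the human's decision
    prev_hash: str    # digest of the previous entry (chain link)
    digest: str       # keyed HMAC over this entry's canonical content


class AuditLog:
    """Append-only log; every entry commits to its predecessor."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key          # assumed: held by the log service only
        self._entries: list[Entry] = []

    def _digest(self, body: dict) -> str:
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def append(self, kind: str, actor: str, subject: str, payload: dict) -> Entry:
        prev = self._entries[-1].digest if self._entries else self.GENESIS
        body = {"seq": len(self._entries), "kind": kind, "actor": actor,
                "subject": subject, "payload": payload, "prev_hash": prev}
        entry = Entry(**body, digest=self._digest(body))
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every digest and chain link; False on any edit or reorder."""
        prev = self.GENESIS
        for i, e in enumerate(self._entries):
            body = {"seq": e.seq, "kind": e.kind, "actor": e.actor,
                    "subject": e.subject, "payload": e.payload, "prev_hash": e.prev_hash}
            if e.seq != i or e.prev_hash != prev:
                return False
            if not hmac.compare_digest(e.digest, self._digest(body)):
                return False
            prev = e.digest
        return True

    def entries(self) -> list[Entry]:
        return list(self._entries)


def propose(log: AuditLog, model: str, subject: str, suggestion, reasoning: str) -> Entry:
    """The AI layer records a proposal and its reasoning; nothing is decided."""
    return log.append("ai_proposal", f"ai:{model}", subject,
                      {"suggestion": suggestion, "reasoning": reasoning})


def decide(log: AuditLog, actor: str, subject: str, proposal: Entry,
           decision: str, rating) -> Entry:
    """A human records the decision as a separate entry referencing the proposal."""
    if not actor.startswith("user:"):
        raise GovernanceError("only a human principal may approve or reject")
    if proposal.kind != "ai_proposal" or proposal.subject != subject:
        raise GovernanceError("decision must reference a proposal for the same subject")
    return log.append("human_decision", actor, subject,
                      {"proposal_seq": proposal.seq, "decision": decision, "rating": rating})


def demo() -> dict:
    """Constructed scenario: one proposal, one human decision, one tamper attempt."""
    log = AuditLog(b"constructed-demo-key")       # constructed, not a real secret
    p = propose(log, "risk-model", "risk-17", "High", "three open critical findings")
    ai_refused = False
    try:
        decide(log, "ai:risk-model", "risk-17", p, "approved", "High")
    except GovernanceError:
        ai_refused = True                           # the AI cannot self-approve
    d = decide(log, "user:alice", "risk-17", p, "approved", "High")
    chain_ok = log.verify() and d.payload["proposal_seq"] == p.seq
    # Simulate an after-the-fact edit of the stored AI reasoning.
    log._entries[0] = dataclasses.replace(p, payload={"suggestion": "Low", "reasoning": "edited"})
    return {"chain_ok": chain_ok, "ai_refused": ai_refused,
            "tamper_detected": not log.verify()}
```

Two design points are worth noting. The proposal and the decision are distinct entries with distinct actors, so an auditor can always see what the model suggested and what the person did, and the decision points back to the proposal it was made against. Because digests are keyed, an attacker who can rewrite the stored rows but does not hold the key cannot recompute a valid chain; in a production system the key would live in a separate service (on this page, Azure Key Vault) rather than beside the data.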
All certificates and reports are available.