Built like a bank. Audited like one too.
Your people data — payroll, contracts, biometric attendance, ID copies — is the most sensitive thing your company holds. ISO 9001 and ISO/IEC 27001 certified, hosted in the GCC, encrypted end-to-end. Here's exactly how we protect it.
Independently audited
Certifications are issued by accredited third-party auditors and renewed annually, with statements of applicability and audit summaries available to enterprise customers on request.
Defence in depth
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Customer-managed keys (CMK) on Enterprise plans.
- HSM-backed key storage
- Per-tenant encryption keys
- Encrypted backups
Identity & access
Role-based access control, granular permission rules, just-in-time elevation and full session audit trails.
- Per-tenant access policies
- Strong password & lockout rules
- Session anomaly detection
Network & infra
Private VPCs, WAF, DDoS protection, isolated tenant boundaries and a 99.98% uptime SLA.
- Geo-redundant GCC hosting
- RPO 15m / RTO 1h
- 24×7 SOC monitoring
Application security
Continuous SAST/DAST, dependency scanning, annual penetration testing by an independent firm.
- Bug bounty programme
- Code review & CI gates
- Threat modelling per release
Data privacy by default
Data minimisation, purpose limitation, customer-controlled retention. Tools to honour subject rights in clicks.
- One-click data export
- Right-to-erasure workflow
- Region-locked data residency
Incident response
24×7 on-call, runbooks tested quarterly, customer notice within 24 hours, regulator notice within 72 hours.
- Status page & live updates
- Forensic-quality logs
- Postmortems published
Full transparency on our supply chain
We publish every sub-processor with role and country. We notify you 30 days before any change.
| Sub-processor | Purpose | Region | Compliance |
|---|---|---|---|
| AWS — Bahrain | Primary application hosting | BH | ISO 27001, SOC 2, PCI-DSS |
| Cloudflare | WAF, DDoS, CDN | Global | ISO 27001, SOC 2 |
| SendGrid | Transactional email | US/EU | SOC 2 |
| Stripe | Billing & tax | Global | PCI-DSS Level 1 |
| Datadog | Infra monitoring | EU | SOC 2, ISO 27001 |
Need a deeper review?
Request our full Trust Pack — penetration test summary, ISO 27001 statement of applicability, vendor risk assessment, and architecture diagrams.