Security & Trust
Transparent about what we have — and what we’re still building.
Compliance buyers rightly ask hard questions. This page documents where we are today, what’s coming, and how we handle your data. If something you need isn’t listed, email alulaq2@yahoo.com and we’ll respond within one business day.
Certification Status
Where we are today
SOC 2 Type II
Preparation in progress — not yet certified
We’re actively implementing SOC 2 Type II controls with an independent auditor. Our target completion date is still being finalized. We don’t claim certification until we have it; until then, we can share our draft controls documentation and readiness roadmap with qualified buyers under NDA.
ISO 27001
Roadmap item
ISO 27001 certification is on our post-SOC-2 roadmap. Our security program is structured around ISO 27001 domains so the future audit is a documentation exercise, not a re-architecture.
GDPR & CCPA
Compatible data handling by design
Our data model, retention policies, and sub-processor handling are designed to meet GDPR and CCPA obligations. A full DPA (Data Processing Addendum) template is available on request.
Technical Controls
What we do with your data
Encryption
At rest & in transit
TLS 1.3 for data in transit; AES-256 for data at rest. PII fields use application-layer encryption with per-tenant keys.
Tenant isolation
Multi-tenant with per-tenant keys
Logical isolation at database, object-storage, and search-index layers. Per-tenant encryption keys mean a credential leak in one tenant cannot decrypt another’s data.
Audit log
Tamper-evident hash-chained audit trail
Every decision, override, and data access is written to an append-only audit log with hash-chained integrity. Designed for regulator inspection.
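To make the hash-chaining control concrete, here is an added illustration of how an append-only, tamper-evident audit trail can be built and checked. It is example code written for this page, not the vendor's implementation; the record fields (actor, action, subject, detail), the sample events, and the anchor key are all constructed for the demonstration.

```python
"""Hash-chained, append-only audit log with integrity verification.

Added illustration for the audit-log control described above; it is not
the vendor's implementation. Record field names (actor, action, subject,
detail) and all sample values are assumptions made for the example.
"""
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # prev_hash carried by the very first record


def _canonical(entry: Dict[str, Any]) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(prev_hash: str, entry: Dict[str, Any]) -> str:
    # Each hash covers the previous record's hash, so changing any earlier
    # record changes every hash after it.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(_canonical(entry))
    return h.hexdigest()


class AuditLog:
    """Append-only in-memory log; a real deployment persists every record."""

    def __init__(self) -> None:
        self.records: List[Dict[str, Any]] = []

    def append(self, actor: str, action: str, subject: str,
               detail: Optional[str] = None) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {"seq": len(self.records), "actor": actor, "action": action,
                 "subject": subject, "detail": detail}
        rec = {"prev_hash": prev, "entry": entry, "hash": record_hash(prev, entry)}
        self.records.append(rec)
        return rec["hash"]

    def head(self) -> str:
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first inconsistent record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or rec["entry"].get("seq") != i:
            return i
        if not hmac.compare_digest(rec["hash"], record_hash(prev, rec["entry"])):
            return i
        prev = rec["hash"]
    return None


def seal_head(head: str, anchor_key: bytes) -> str:
    """Keyed seal over the current head, stored outside the log's own trust domain.

    A bare chain only proves internal consistency: whoever can write the log
    could rewrite and re-hash it end to end, or drop records off the tail.
    Periodically sealing the head with a key the log writer does not hold
    (or publishing the head elsewhere) closes that gap."""
    return hmac.new(anchor_key, head.encode("ascii"), hashlib.sha256).hexdigest()


def head_matches_seal(head: str, seal: str, anchor_key: bytes) -> bool:
    return hmac.compare_digest(seal_head(head, anchor_key), seal)


def demo() -> Dict[str, Any]:
    # Constructed sample events, not real data.
    log = AuditLog()
    log.append("analyst@example.test", "screening.decision", "case-1001", "clear")
    log.append("supervisor@example.test", "decision.override", "case-1001", "escalate")
    log.append("analyst@example.test", "data.access", "subject-77", "viewed document")
    anchor_key = b"constructed-demo-key"  # in practice held by a separate service or HSM
    seal = seal_head(log.head(), anchor_key)

    intact = verify_chain(log.records)  # None: untouched chain verifies

    # In-place edit of the override record: caught at index 1.
    edited = deepcopy(log.records)
    edited[1]["entry"]["detail"] = "clear"
    edit_detected_at = verify_chain(edited)

    # Deleting the override record: prev_hash and seq no longer line up at index 1.
    deleted = deepcopy(log.records)
    del deleted[1]
    delete_detected_at = verify_chain(deleted)

    # Truncating the tail: the chain itself still verifies, the sealed head does not.
    truncated = deepcopy(log.records[:-1])
    truncation_by_chain = verify_chain(truncated)
    truncation_by_seal = head_matches_seal(truncated[-1]["hash"], seal, anchor_key)

    return {"intact": intact, "edit_detected_at": edit_detected_at,
            "delete_detected_at": delete_detected_at,
            "truncation_by_chain": truncation_by_chain,
            "truncation_by_seal": truncation_by_seal}


if __name__ == "__main__":
    print(demo())
```

The last case in `demo()` is the one a regulator-facing design has to answer: chain verification alone does not notice a truncated tail, which is why the head is sealed with a key (or published) outside the system that writes the log.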
Incident response
Documented, rehearsed, and reportable
Published incident-response policy with notification SLAs. Customer notification within 24 hours of a confirmed material incident; a status page for operational events.
Sub-processors & Data Partners
Who touches your data
Compliance buyers need to know which underlying providers power screening. We aggregate data from a curated partner network for sanctions data, corporate registry lookups, document verification, and biometric liveness. Some partners are contractually confidential during our pre-launch phase; the full sub-processor list is available to qualified buyers under NDA.
Public infrastructure providers
- Cloud infrastructure — primary region EU-West, with in-region processing guarantees for EU customers
- Observability & logging — self-hosted, with aggregated metrics only leaving our environment
- Email transactional delivery — industry-standard provider, no PII in message bodies
Data & verification partners (confidential list)
Sanctions-data aggregator, corporate-registry data provider, document-verification engine, biometric liveness provider, adverse-media NLP feed. Specific vendor names disclosed under NDA during commercial discussions. If your procurement process requires pre-disclosure, email alulaq2@yahoo.com.
Need the full security package?
DPA, draft SOC 2 controls matrix, sub-processor list, penetration-test summary, and incident-response policy are all available to qualified buyers.