Data security FAQ

1. Where is recipient data stored?

EU-region data centers (Frankfurt, Amsterdam) for EU clients; UAE data center for UAE clients per PDPL. Encrypted at rest (AES-256), in transit (TLS 1.3).

2. How long is data retained?

Recipient PII retained only as long as production requires (typically 30-60 days), deleted within 90 days of order completion. Aggregate non-PII metrics retained 7 years for accounting.

3. Are you GDPR-compliant?

Yes. Data Processing Agreement (DPA) signed at contract. ROPA (record of processing) on request. Sub-processor list published. DPO contact: dpo@.

4. UAE PDPL compliance?

Yes for UAE clients. Local data residency in UAE region. Data subject rights handled per Federal Decree-Law No. 45 of 2021.

5. Do you do penetration testing?

Yes. Annual external pen test by Tier-1 firm; quarterly internal vulnerability scan; CVE patching SLA of 7 days for critical, 30 days for high. Reports available under NDA.

6. Are you ISO 27001 certified?

In progress, target 2026. We currently follow ISO 27001 controls and undergo annual gap assessment by external auditor.

7. How do you handle data breaches?

Incident response plan with 72-hour breach notification per GDPR Article 33. Tabletop exercises run quarterly. Cyber insurance covers $5M+.

8. Can we audit your security?

Yes. We provide SOC 2 Type II reports under NDA (audit covers our hosting and tooling vendors). Direct facility audits can be arranged within 14 days.