Compliance data deserves better than most.
We handle regulated artifacts — risk registers, gap assessments, PII-adjacent baselines. Everything below is how we treat that responsibility. Not marketing language — the actual controls.
Four things we get right.
The basics, done thoroughly. No security theater — every item below is enforced technically, not just written down.
Encryption everywhere
AES-256 at rest. TLS 1.3 in transit. Customer-managed keys on Enterprise. Keys rotated every 90 days. Nothing plaintext — not even in our own backups.
Least-privilege access
SSO via SAML/OIDC. Role-based access control. MFA required on every account. Break-glass access is logged and alerted — no silent production entry.
Regional data residency
KSA / UAE region for Growth. Dedicated in-region deployment (KSA or UAE) for Enterprise. Your data doesn't leave your chosen region, period.
Evidence trail
Every agent action, every artifact change, every access — written to an append-only audit log. Streamed to your SIEM via webhook. You can prove what happened.
Your data, end to end.
Here's every hop your information makes between "you typed something" and "an agent produced an answer."
Data flow diagram (nodes: You, NibraSec Tenant, Model provider)
Input is isolated per tenant. Model calls are scope-guarded. Outputs never back-propagate into provider training sets.
What's actually in place.
Grouped by domain. Mapped to ISO 27001 Annex A, SOC 2 Trust Services Criteria, and PDPL KSA requirements.
Data protection
- AES-256 at rest (KMS-managed keys)
- TLS 1.3 minimum, PFS ciphers only
- Customer-managed keys (Enterprise)
- 90-day key rotation
- Field-level encryption for PII
- Hardware-backed HSM for key custody
Access control
- SSO via SAML 2.0, OIDC
- Mandatory MFA (TOTP or FIDO2)
- RBAC — 6 preset roles, custom scopes
- Session timeout & device binding
- Break-glass access with auto-expiry
- IP allowlisting (Enterprise)
Application security
- OWASP ASVS Level 2 coverage
- Weekly SAST (CodeQL / Semgrep)
- Daily DAST on staging
- Quarterly third-party pen-tests
- Bug bounty program (Intigriti)
- Signed commits & artifacts (cosign)
Infrastructure
- Multi-AZ deployment, auto-failover
- Infrastructure as code (Terraform)
- Immutable containers, signed images
- Network segmentation + mTLS
- DDoS protection (Cloudflare Magic)
- Runtime threat detection (Falco)
Incident response
- 24/7 on-call rotation
- 72h customer notification SLA
- Tabletop exercises quarterly
- Documented runbooks (public excerpts)
- PagerDuty integration
- Post-mortem public disclosure
AI & model security
- Prompt-injection defense battery (OWASP LLM-01)
- Scope-guard enforcement (server-side)
- Zero-retention model provider config
- Response citation validation
- Refusal on hallucinated citations
- Red-team evaluation set (330 prompts)
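One way to implement the citation validation and refusal-on-hallucinated-citations controls listed above, as an added example that is not NibraSec's own code; the `[src-N]` marker format, the source IDs and the sample policy text are constructed assumptions for this illustration:

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Citation markers are assumed to look like [src-3]; this format is an assumption
# made for the example, not the vendor's actual convention.
CITATION_RE = re.compile(r"\[(src-\d+)\]")
QUOTE_RE = re.compile(r'"([^"]+)"\s*\[(src-\d+)\]')

# Constructed retrieval set: the only documents the model was allowed to cite.
SOURCES = {
    "src-1": "Policy 4.2: encryption keys are rotated every 90 days.",
    "src-2": "Runbook 7: customers are notified of a confirmed incident within 72 hours.",
}

@dataclass
class Verdict:
    allowed: bool
    reason: str
    citations: list[str] = field(default_factory=list)

def validate_citations(answer: str, sources: dict[str, str]) -> Verdict:
    """Accept an answer only if every citation resolves to a retrieved source
    and every quoted span attributed to a source actually appears in it."""
    cited = sorted(set(CITATION_RE.findall(answer)))
    if not cited:
        return Verdict(False, "answer carries no citations")
    unknown = [c for c in cited if c not in sources]
    if unknown:
        # A marker that matches nothing in the retrieval set is a hallucinated citation.
        return Verdict(False, f"hallucinated citation(s): {', '.join(unknown)}", cited)
    for quote, src_id in QUOTE_RE.findall(answer):
        if quote.lower() not in sources[src_id].lower():
            return Verdict(False, f"quoted text not found in {src_id}", cited)
    return Verdict(True, "all citations verified", cited)

def guard(answer: str, sources: dict[str, str]) -> str:
    """Server-side gate: pass the answer through unchanged or replace it with a refusal."""
    verdict = validate_citations(answer, sources)
    if verdict.allowed:
        return answer
    return f"Refused: {verdict.reason}. Answer withheld pending verifiable sources."

if __name__ == "__main__":
    print(guard('Keys are rotated every 90 days [src-1].', SOURCES))
    print(guard('Backups are retained for seven years [src-9].', SOURCES))
    print(guard('The runbook says "notified within 24 hours" [src-2].', SOURCES))
```

The gate runs after generation and before the response leaves the tenant boundary, so a citation the model invented never reaches the user as if it were evidence.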
Numbers we publish.
Live from our status page. Updated every minute. status.nibrasec.com →
Who touches your data.
We maintain a complete register of every sub-processor — what they do, where they run, and their compliance posture. The full list is shared under NDA as part of our security pack.
Want the complete security package?
Full technical whitepaper, pen-test executive summary, DPA template, sub-processor list and questionnaire responses (CAIQ, SIG). Shared under NDA.
Talk to a human about your threat model.
Regulated industry, bespoke deployment, custom data residency — we answer these every week. Fifteen-minute chat, no pitch.