Security & Trust

Compliance data
deserves better than most.

We handle regulated artifacts — risk registers, gap assessments, PII-adjacent baselines. Everything below is how we treat that responsibility. Not marketing language — the actual controls.

KSA PDPL · ● Aligned
UAE PDPL · ● Aligned
GDPR · ● Aligned
SOC 2 Type II · ◐ In progress · Q1 2027
ISO 27001 · ◐ In progress · Q1 2027

Pillars
Pillars

Four things we get right.

The basics, done thoroughly. No security theater — every item below is enforced technically, not just written down.

Encryption everywhere

AES-256 at rest. TLS 1.3 in transit. Customer-managed keys on Enterprise. Keys rotated every 90 days. Nothing plaintext — not even in our own backups.

Least-privilege access

SSO via SAML/OIDC. Role-based access control. MFA required on every account. Break-glass access is logged and alerted — no silent production entry.

Regional data residency

KSA / UAE region for Growth. Dedicated in-region deployment (KSA or UAE) for Enterprise. Your data doesn't leave your chosen region, period.

Evidence trail

Every agent action, every artifact change, every access — written to an append-only audit log. Streamed to your SIEM via webhook. You can prove what happened.

How data moves

Your data, end to end.

Here's every hop your information makes between "you typed something" and "an agent produced an answer."

Data flow diagram

Input is isolated per tenant. Model calls are scope-guarded. Outputs never back-propagate into provider training sets.

v2.1 · Updated 2026-04-01

[Diagram] You (chat prompt, baseline answers, system inventory) → NibraSec Tenant (TLS 1.3 gateway, scope guard, encrypted store, audit logger) → Model provider (zero-retention endpoint, no training on output, BAA/DPA in place)

1. Input isolation. Every tenant has its own encrypted namespace. Two customers never share a database, queue, or vector index row.
2. Scope guard. A service-side check enforces "answer only within purchased regulations & systems". Rejects prompts that try to widen scope.
3. Zero retention. We call LLM providers with no-training headers. Provider cannot retain or fine-tune on your prompts.
4. Evidence trail. Both prompt and response are logged to your tenant's audit log. Available via API/SIEM stream.

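The four steps above describe a request pipeline in general terms. The following is an added example, not NibraSec's code, showing one way a server-side scope guard and a per-tenant append-only audit log can fit together: the guard checks the prompt against an allowlist of purchased regulations and systems before any model call, the prompt and response are appended to a hash-chained log so that edits or deletions are detectable, and the model call carries a no-training header. The tenant entitlements, the regulation/system catalogue, the header name and the `model_call` callback are all constructed assumptions for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed entitlement data (assumption): what each tenant has purchased.
TENANT_SCOPE = {
    "tenant-a": {"regulations": {"ksa pdpl", "gdpr"}, "systems": {"hr-portal", "crm"}},
}
# Catalogue of names the guard recognises; a known name outside the tenant's scope is rejected.
KNOWN_REGULATIONS = {"ksa pdpl", "uae pdpl", "gdpr", "soc 2", "iso 27001"}
KNOWN_SYSTEMS = {"hr-portal", "crm", "erp"}
# Placeholder header (assumption): the real provider-specific no-training header is not on the page.
NO_TRAINING_HEADERS = {"X-Placeholder-No-Training": "true"}
GENESIS = "0" * 64


class ScopeViolation(Exception):
    """Raised when a prompt names a regulation or system the tenant has not purchased."""


def _mentions(text: str, names: set) -> set:
    # Whole-word match so "erp" does not fire on "interpret".
    return {n for n in names if re.search(r"\b" + re.escape(n) + r"\b", text)}


def scope_guard(tenant_id: str, prompt: str) -> dict:
    """Server-side allowlist check; returns the in-scope names the prompt mentions."""
    scope = TENANT_SCOPE[tenant_id]
    text = prompt.lower()
    regs = _mentions(text, KNOWN_REGULATIONS)
    systems = _mentions(text, KNOWN_SYSTEMS)
    out_of_scope = (regs - scope["regulations"]) | (systems - scope["systems"])
    if out_of_scope:
        raise ScopeViolation(f"out of purchased scope: {sorted(out_of_scope)}")
    return {"regulations": sorted(regs), "systems": sorted(systems)}


@dataclass
class AuditLog:
    """Per-tenant append-only log; every entry commits to the previous entry's hash."""
    tenant_id: str
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "tenant": self.tenant_id,
                "event": event, "payload": payload, "prev": prev}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def handle_prompt(tenant_id: str, prompt: str, log: AuditLog,
                  model_call: Callable[[list, dict], str]) -> Optional[str]:
    """Guard first, log the prompt, call the model with no-training headers, log the response.
    A rejected prompt is still logged, so the evidence trail covers denied requests too."""
    try:
        scope = scope_guard(tenant_id, prompt)
    except ScopeViolation as exc:
        log.append("rejected", {"prompt": prompt, "reason": str(exc)})
        return None
    log.append("prompt", {"prompt": prompt, "scope": scope})
    purchased = TENANT_SCOPE[tenant_id]
    system = "Answer only about: " + ", ".join(
        sorted(purchased["regulations"]) + sorted(purchased["systems"]))
    messages = [{"role": "system", "content": system}, {"role": "user", "content": prompt}]
    response = model_call(messages, NO_TRAINING_HEADERS)
    log.append("response", {"response": response})
    return response


if __name__ == "__main__":
    # Constructed stand-in for the provider call; no network access.
    stub_model = lambda messages, headers: "stub answer"
    log = AuditLog("tenant-a")
    print(handle_prompt("tenant-a", "What does KSA PDPL require for retention?", log, stub_model))
    print(handle_prompt("tenant-a", "Compare with UAE PDPL", log, stub_model))
    print([e["event"] for e in log.entries], log.verify())
```

The guard runs before the model sees the prompt and relies on tenant entitlements held server-side, so a prompt cannot talk its way into a wider scope; the system message only restates the purchased scope to the model, it is not the enforcement point. The hash chain makes tampering detectable but not impossible, which is why the page pairs it with streaming entries out to a customer-controlled SIEM.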
Controls

What's actually in place.

Grouped by domain. Mapped to ISO 27001 Annex A, SOC 2 Trust Services Criteria, and PDPL KSA requirements.

Data protection

  • AES-256 at rest (KMS-managed keys)
  • TLS 1.3 minimum, PFS ciphers only
  • Customer-managed keys (Enterprise)
  • 90-day key rotation
  • Field-level encryption for PII
  • Hardware-backed HSM for key custody

Access control

  • SSO via SAML 2.0, OIDC
  • Mandatory MFA (TOTP or FIDO2)
  • RBAC — 6 preset roles, custom scopes
  • Session timeout & device binding
  • Break-glass access with auto-expiry
  • IP allowlisting (Enterprise)

Application security

  • OWASP ASVS Level 2 coverage
  • Weekly SAST (CodeQL / Semgrep)
  • Daily DAST on staging
  • Quarterly third-party pen-tests
  • Bug bounty program (Intigriti)
  • Signed commits & artifacts (cosign)

Infrastructure

  • Multi-AZ deployment, auto-failover
  • Infrastructure as code (Terraform)
  • Immutable containers, signed images
  • Network segmentation + mTLS
  • DDoS protection (Cloudflare Magic)
  • Runtime threat detection (Falco)

Incident response

  • 24/7 on-call rotation
  • 72h customer notification SLA
  • Tabletop exercises quarterly
  • Documented runbooks (public excerpts)
  • PagerDuty integration
  • Post-mortem public disclosure

AI & model security

  • Prompt-injection defense battery (OWASP LLM-01)
  • Scope-guard enforcement (server-side)
  • Zero-retention model provider config
  • Response citation validation
  • Refusal on hallucinated citations
  • Red-team evaluation set (330 prompts)

Reliability

Numbers we publish.

Live from our status page. Updated every minute. status.nibrasec.com →

99.98% · Uptime (90-day) · Target: 99.9%
142 · Minutes MTTR · Last 12 mo, median
0 · Data incidents · Since launch
72h · Notification SLA · GDPR Art. 33 aligned

Subprocessors

Who touches your data.

We maintain a complete register of every sub-processor — what they do, where they run, and their compliance posture. The full list is shared under NDA as part of our security pack.

Want the complete security package?

Full technical whitepaper, pen-test executive summary, DPA template, sub-processor list and questionnaire responses (CAIQ, SIG). Shared under NDA.

Request security pack →

Questions?

Talk to a human about your threat model.

Regulated industry, bespoke deployment, custom data residency — we answer these every week. Fifteen-minute chat, no pitch.

security@nibrasec.com · PGP key available