Most platforms ask you to take their security on faith. We'd rather show you exactly what is implemented today, what is in progress, and what is still on the roadmap — and give you the documents to check.
Every claim on this page maps to code or a documented process. Where something is not done yet, we say so.
Controls that are enforced in production right now — not aspirations.
Connection credentials and OAuth tokens are encrypted in the database with AES-256-GCM.
All traffic is served over HTTPS with HSTS (2-year, includeSubDomains, preload).
Every database query is scoped to a single tenant — no tenant can read another's data.
Five roles, from super owner to viewer, are enforced server-side for every privileged action.
Our logging pipeline redacts personal identifiers — emails, phone numbers, IBANs, and national IDs — before they reach application logs.
Logins, role changes, billing, and data requests are recorded and retained for one year.
A three-tier limiter protects login, API, and webhook surfaces from abuse.
Inbound payment webhooks are verified before any billing state changes — by HMAC-SHA256 signature, or by a direct server-to-server query to the provider.
Idempotency keys prevent the same operation from being executed twice.
Passwords are hashed with bcrypt (cost factor 12); plaintext is never stored.
Access to our own data store uses parameterized queries — request values are passed as bound parameters, not concatenated into SQL strings.
Encryption keys, database credentials, and provider tokens are stored as environment secrets, never committed to source code.
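The webhook verification and idempotency controls listed above can be sketched as follows. This is an added example, not Exomations' own code: the secret, the `idempotency_key` and `invoice_id` field names, and the `BillingWebhookHandler` class are assumptions, and the in-memory set stands in for a uniquely keyed database table.

```python
import hashlib
import hmac
import json

# Constructed sample secret; a real one would come from an environment secret.
WEBHOOK_SECRET = b"constructed-example-secret"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw request body, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class BillingWebhookHandler:
    """Hypothetical handler: verify first, deduplicate second, mutate state last."""

    def __init__(self, secret: bytes = WEBHOOK_SECRET):
        self.secret = secret
        self.seen_keys = set()    # stands in for a unique-keyed DB table
        self.paid_invoices = []   # stands in for billing state

    def handle(self, raw_body: bytes, signature_hex: str) -> str:
        # 1. Verify the signature over the raw bytes, before parsing anything.
        expected = sign(raw_body, self.secret)
        # compare_digest is constant-time, so a mismatch does not reveal how
        # many leading characters matched. Encoding to bytes avoids a
        # TypeError when the header contains non-ASCII characters.
        if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
            return "rejected"
        event = json.loads(raw_body)
        # 2. Idempotency: a retried or replayed delivery must not bill twice.
        key = event["idempotency_key"]
        if key in self.seen_keys:
            return "duplicate"
        self.seen_keys.add(key)
        # 3. Only now does billing state change.
        self.paid_invoices.append(event["invoice_id"])
        return "applied"
```

In a multi-process deployment the duplicate check and the state change would need to share one database transaction with a unique constraint on the key, which the in-memory set here does not model.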
What we have earned, what is in motion, and what we have not done yet.
AES-256-GCM at rest for sensitive fields; HTTPS + HSTS in transit.
Lawful basis, security controls, and data-subject rights (DSAR) are live. Sector-specific residency rules may add requirements.
Controls are mapped to the NCA Essential Cybersecurity Controls; many are enforced in code, and governance documentation is in progress.
Per-tenant query scoping and server-side role checks on every privileged route.
Not yet audited. We will not display a SOC 2 badge until an independent audit is complete.
Targeted after SOC 2; the underlying control mapping work is already underway.
SOC 2 Type II and ISO 27001 are on our roadmap — we are not yet audited, and we will not display a badge we have not earned. Ask us for our current control mapping (NCA ECC 1-2023) and we will share it.
We tell you exactly where your data lives — no vague assurances.
Exomations runs on managed cloud infrastructure in US-region data centers. Your data is logically isolated per tenant and sensitive fields are encrypted with AES-256-GCM. This setup is designed to align with PDPL expectations for commercial data.
We provision a dedicated KSA/GCC-region database as a contractual commitment — AWS Bahrain, Google Cloud Dammam, Oracle Jeddah, or a local sovereign cloud. The migration touches only the connection string; your data model is unchanged.
We will not claim "your data never leaves the Kingdom" by default, because today it is US-hosted. We would rather state the truth and offer a clear path than market a promise we cannot keep.
The day-to-day practices behind the controls.
Independent code review
Major changes go through an independent architect review before they ship.
Continuous scanning
Dependency, SAST, and secrets scanning catch vulnerabilities early.
Incident response
Security incidents are tracked with a documented process aligned to PDPL breach-notification timelines (SDAIA, 72 hours).
Durable audit record
An append-only audit trail keeps a tamper-evident record of security-relevant events.
Tell us what you need to verify. We will send our control documentation or set up a call with someone who built the platform.