Security & Trust

    Built to be verified, not just trusted.

    Most platforms ask you to take their security on faith. We'd rather show you exactly what is implemented today, what is in progress, and what is still on the roadmap — and give you the documents to check.

    Every claim on this page maps to code or a documented process. Where something is not done yet, we say so.

    What is true today

    Controls that are enforced in production right now — not aspirations.

    Encryption at rest

    Connection credentials and OAuth tokens are encrypted in the database with AES-256-GCM.

    Encryption in transit

    All traffic is served over HTTPS with HSTS (two-year max-age, includeSubDomains, preload).

    Tenant isolation

    Every database query is scoped to a single tenant — no tenant can read another's data.

    Role-based access control

    Five roles, from super owner to viewer, are enforced server-side for every privileged action.

    PII redaction in logs

    Our logging pipeline redacts personal identifiers — emails, phone numbers, IBANs, and national IDs — before they reach application logs.

    Append-only audit trail

    Logins, role changes, billing, and data requests are recorded and retained for one year.

    Rate limiting

    A three-tier limiter protects login, API, and webhook surfaces from abuse.

    Webhook verification

    Inbound payment webhooks are verified before any billing state changes — by HMAC-SHA256 signature, or by a direct server-to-server query to the provider.

    Idempotency guards

    Idempotency keys prevent the same operation from being executed twice.
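
    Added example, not Exomations' own code: the two controls above combined in one Python webhook handler, verifying the HMAC-SHA256 signature over the raw body before any billing state is read or changed, then applying an idempotency check. The hex signature format, the use of the provider's event id as the idempotency key, and the shared secret are assumptions or constructed demo values; the server-to-server verification path the page also mentions is not shown.

```python
import hashlib
import hmac
import json

# Constructed demo secret. A real deployment reads this from environment
# secrets, as the page describes, and never hard-codes it.
WEBHOOK_SECRET = b"demo-shared-secret-not-real"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (assumed provider format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_sig: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so response timing leaks nothing about the MAC."""
    return hmac.compare_digest(sign(body, secret), header_sig or "")


class BillingState:
    """In-memory stand-in for the billing store and its idempotency table."""

    def __init__(self) -> None:
        self.processed_ids: set[str] = set()   # idempotency keys already applied
        self.credits: dict[str, int] = {}      # tenant_id -> credited amount

    def handle_webhook(self, body: bytes, header_sig: str) -> str:
        # 1. Verify the signature over the raw bytes before parsing anything,
        #    so an unverified payload can never influence billing state.
        if not verify_signature(body, header_sig):
            return "rejected"
        event = json.loads(body)
        # 2. Idempotency guard: the provider's event id (assumed) is the key.
        #    A redelivered or replayed event must not apply twice.
        if event["id"] in self.processed_ids:
            return "duplicate"
        # 3. Only now mutate billing state and record the key. In production,
        #    steps 2 and 3 run in one database transaction so a crash between
        #    them cannot leave the event half-applied or replayable.
        tenant = event["tenant_id"]
        self.credits[tenant] = self.credits.get(tenant, 0) + event["amount"]
        self.processed_ids.add(event["id"])
        return "applied"
```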

    Strong password hashing

    Passwords are hashed with bcrypt (cost factor 12); plaintext is never stored.

    Injection-safe queries

    Access to our own data store uses parameterized queries — request values are passed as bound parameters, not concatenated into SQL strings.

    Secrets isolation

    Encryption keys, database credentials, and provider tokens are stored as environment secrets, never committed to source code.

    Compliance posture, without the spin

    What we have earned, what is in motion, and what we have not done yet.

    Status key: Implemented / In progress / Roadmap
    Encryption (AES-256)
    Implemented

    AES-256-GCM at rest for sensitive fields; HTTPS + HSTS in transit.

    PDPL alignment
    Aligned

    Lawful basis, security controls, and data-subject rights (DSAR) are live. Sector-specific residency rules may add requirements.

    NCA ECC 1-2023
    Self-assessment

    Controls are mapped to the NCA Essential Cybersecurity Controls; many are enforced in code, while the governance documentation is still in progress.

    Tenant isolation & RBAC
    Implemented

    Per-tenant query scoping and server-side role checks on every privileged route.

    SOC 2 Type II
    Roadmap

    Not yet audited. We will not display a SOC 2 badge until an independent audit is complete.

    ISO 27001
    Roadmap

    Targeted after SOC 2; the underlying control mapping work is already underway.

    SOC 2 Type II and ISO 27001 are on our roadmap — we are not yet audited, and we will not display a badge we have not earned. Ask us for our current control mapping (NCA ECC 1-2023) and we will share it.

    Data residency, stated plainly

    We tell you exactly where your data lives — no vague assurances.

    Today (standard hosting)

    Exomations runs on managed cloud infrastructure in US-region data centers. Your data is logically isolated per tenant and sensitive fields are encrypted with AES-256-GCM. This setup is designed to align with PDPL expectations for commercial data.

    For regulated sectors (government, banking, health)

    We provision a dedicated KSA/GCC-region database as a contractual commitment — AWS Bahrain, Google Cloud Dammam, Oracle Jeddah, or a local sovereign cloud. The migration touches only the connection string; your data model is unchanged.

    We will not claim "your data never leaves the Kingdom" by default, because today it is US-hosted. We would rather state the truth and offer a clear path than market a promise we cannot keep.

    How we work

    The day-to-day practices behind the controls.

    Independent code review

    Major changes go through an independent architect review before they ship.

    Continuous scanning

    Dependency, SAST, and secrets scanning catch vulnerabilities early.

    Incident response

    Security incidents are tracked with a documented process aligned to PDPL breach-notification timelines (SDAIA, 72 hours).

    Durable audit record

    An append-only audit trail keeps a tamper-evident record of security-relevant events.

    Request the whitepaper or book an architect call

    Tell us what you need to verify. We will send our control documentation or set up a call with someone who built the platform.