Security & Compliance

Enterprise-grade protection

Built from the ground up with security, privacy, and compliance at the core. Your data deserves enterprise-grade protection.

GDPR Aligned

Data handling practices aligned with EU General Data Protection Regulation

GCC Compliance Ready

Built for regional requirements including HRDF, NAFIS, and Emiratisation tracking

SOC 2 Type II Readiness

Security controls designed to meet SOC 2 certification requirements

Enterprise SSO

Integrate with Azure AD, Okta, and other identity providers

Security Architecture

Defense in depth

Multiple layers of security controls protect your data at every level of the platform.

Data Protection

Enterprise-grade encryption and secure data handling

  • AES-256 encryption at rest and in transit
  • Signed webhook payloads for data integrity
  • Zero-trust architecture principles
  • Regular penetration testing and security audits
  • Secure key management and rotation

Access Control

Role-based access with strict data isolation

  • Row-Level Security (RLS) at database layer
  • Organization-scoped data isolation
  • Principle of least privilege enforcement
  • SSO and MFA support for enterprise
  • Hierarchical access: see your branch, nothing outside

Privacy by Design

Built from the ground up to protect individual privacy

  • Aggregated reporting by default
  • Manager-Blind mode as standard (no individual scores)
  • Fully Anonymous mode for sensitive contexts
  • No unnecessary PII collection
  • GDPR-aligned data handling practices
  • Immutable anonymity modes (no retroactive exposure)

Audit & Compliance

Comprehensive logging and compliance evidence

  • Immutable audit logs for all actions
  • Complete data lineage and provenance
  • Export controls with role-based redaction
  • Evidence packs: hashed, timestamped, metadata-stamped
  • SOC 2 Type II readiness

Infrastructure

Enterprise-grade hosting and operations

  • Multi-tenant isolation at all layers
  • 99.9% uptime SLA target
  • Automated backups with point-in-time recovery
  • Disaster recovery procedures
  • Geographic data residency options

Data Governance

Clear boundaries on what data we handle

  • Finalized assessment results only (no partial data)
  • No raw transcripts or audio in dashboards
  • Evidence accessible only through audit pathways
  • Assessment logic opaque to Intelligence Platform
  • Append-only data model for assessments

Data Handling Principles

What we receive

  • Finalized assessment results only
  • Enrollment and cohort data
  • Optional financial data for ROI

What we never receive

  • × Partial or in-progress assessments
  • × Raw transcripts or audio recordings
  • × Abandoned session data

Rule: "If a result can still change, the Intelligence Platform must not see it."

Have security questions?

We're happy to discuss our security architecture, compliance certifications, and how we protect your organization's data.

Talk to our team