Security & trust

Compliance software, designed like the audit will be tomorrow.

Watin holds the financial records of over 12,000 UAE businesses. Here is exactly how we keep them safe, who can access them, and what we'd hand to your auditor if you asked.

  • SOC 2 Type II · Audited Q1 2026
  • ISO 27001 · Certified Sep 2025
  • UAE PDPL · Federal Decree-Law No. 45
  • FTA-accredited ASP · ID ASP-2024-0142
  • EU GDPR · For our EU-based customers

01 · Pillars

Four principles, no exceptions.

Watin's security posture comes back to four ideas. Every product decision passes through them; every engineer onboards on them.

PILLAR 01

Encrypt everything, twice

Your data is encrypted in transit and at rest. Sensitive fields get a second layer of envelope encryption with per-tenant keys.

  • TLS 1.3 end-to-end · HSTS preload
  • AES-256-GCM at rest
  • Envelope encryption for TRNs, bank tokens
  • Keys in AWS CloudHSM · Bahrain region
  • Quarterly key rotation, zero downtime
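
As an added illustration of the "encrypt everything, twice" pillar (example code written for this page, not Watin's own implementation), the Go program below shows envelope encryption of a single sensitive field: a fresh data key (DEK) per value, AES-256-GCM for both layers, and the tenant ID plus field name bound as associated data so a ciphertext cannot be replayed across tenants or moved between columns. The in-memory `tenantKEK`, the tenant IDs, the field names and the sample TRN value are constructed for the example; in the architecture described above the KEK would stay inside the HSM and the wrap/unwrap steps would be HSM calls rather than local AES operations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// tenantKEK stands in for the per-tenant key-encryption key. Constructed here
// as an in-memory key for the example; in production the KEK bytes never
// leave the HSM and only wrap/unwrap requests cross that boundary.
type tenantKEK struct {
	tenantID string
	key      []byte // 32 bytes, so AES-256
}

func newTenantKEK(tenantID string) tenantKEK {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable entropy; nothing sensible to do in an example
	}
	return tenantKEK{tenantID: tenantID, key: k}
}

// envelope is what would be stored in the encrypted column: a per-value DEK
// wrapped under the tenant KEK, plus the field ciphertext under that DEK.
type envelope struct {
	TenantID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=tenantID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad=tenantID:field)
}

// gcmSeal returns nonce||ciphertext||tag using a fresh random 96-bit nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or AAD fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// encryptField is the second layer: a fresh DEK per value, wrapped by the
// tenant KEK. The field name is part of the AAD so a ciphertext cannot be
// copied from one column into another and still decrypt.
func encryptField(kek tenantKEK, field string, plaintext []byte) (envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return envelope{}, err
	}
	wrapped, err := gcmSeal(kek.key, dek, []byte(kek.tenantID))
	if err != nil {
		return envelope{}, fmt.Errorf("wrap DEK: %w", err)
	}
	ct, err := gcmSeal(dek, plaintext, []byte(kek.tenantID+":"+field))
	if err != nil {
		return envelope{}, fmt.Errorf("encrypt field: %w", err)
	}
	return envelope{TenantID: kek.tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptField unwraps the DEK with the caller's tenant KEK, then opens the
// field. A wrong tenant, wrong field or altered byte all surface as an error.
func decryptField(kek tenantKEK, field string, env envelope) ([]byte, error) {
	if env.TenantID != kek.tenantID {
		return nil, errors.New("envelope belongs to another tenant")
	}
	dek, err := gcmOpen(kek.key, env.WrappedDEK, []byte(kek.tenantID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte(kek.tenantID+":"+field))
}

func main() {
	kek := newTenantKEK("tenant-a")                                  // constructed tenant
	env, err := encryptField(kek, "trn", []byte("100123456700003")) // constructed sample TRN
	if err != nil {
		panic(err)
	}
	pt, err := decryptField(kek, "trn", env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %s (%d stored bytes)\n", pt, len(env.WrappedDEK)+len(env.Ciphertext))
}
```

The split into DEK and KEK is also what makes the "quarterly key rotation, zero downtime" bullet practical: rotating a tenant KEK means re-wrapping each small DEK, not re-encrypting every stored field, and the old KEK only has to remain available until the last envelope has been re-wrapped.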

PILLAR 02

Least privilege, always

Watin staff cannot read your data by default. Every privileged action is logged, reviewed, and time-bounded.

  • SSO + hardware-key 2FA mandatory
  • Just-in-time prod access · 60-min expiry
  • Two-person review for any data export
  • SCIM-managed role grants
  • Tamper-evident audit log of every grant

PILLAR 03

Data stays in the UAE

UAE customer data is processed and stored on UAE-region infrastructure. Backup replicas stay in the GCC.

  • Primary: AWS me-central-1 (Dubai)
  • Backup: AWS me-south-1 (Bahrain)
  • No cross-border transfers without DPA
  • Optional EU tenant routing
  • PDPL Article 22 compliant by default

PILLAR 04

Auditable by you, not us

You decide. Every event in Watin is in your tamper-evident log, exportable as a signed PDF or NDJSON for your auditors.

  • Per-tenant hash-chained audit log
  • Export as signed PDF + NDJSON
  • 7-year retention by default
  • Customer-initiated key revoke (kill switch)
  • Annual PT report shared with customers under NDA
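
To make the "per-tenant hash-chained audit log" and its NDJSON export concrete, here is an added Go example; it is not Watin's code, and the event fields, actors, tenant IDs and timestamps are constructed for the illustration. Each record carries the hash of the record before it, so an altered, removed or reordered record breaks the chain, and `verifyNDJSON` is the check an auditor would run over the export. The signature on the exported PDF/NDJSON that the page mentions is assumed to be applied to the export as a whole and is not shown here.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// auditEvent is one record of a tenant's log. Hash covers every other field,
// including PrevHash, which is what links the records into a chain.
type auditEvent struct {
	Seq      uint64 `json:"seq"`
	TenantID string `json:"tenant_id"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	At       string `json:"at"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// digest hashes a fixed newline-delimited serialisation of the record rather
// than its JSON, so key order or whitespace in the export cannot matter.
func (e auditEvent) digest() string {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n%s\n%s\n%s\n%s\n%s\n", e.Seq, e.TenantID, e.Actor, e.Action, e.At, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// genesisHash is the PrevHash of the first record of every tenant's chain.
var genesisHash = strings.Repeat("0", 64)

type auditLog struct {
	tenantID string
	events   []auditEvent
}

// appendEvent links the new record to the current tail and seals it.
func (l *auditLog) appendEvent(actor, action, at string) auditEvent {
	prev := genesisHash
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].Hash
	}
	e := auditEvent{Seq: uint64(len(l.events) + 1), TenantID: l.tenantID,
		Actor: actor, Action: action, At: at, PrevHash: prev}
	e.Hash = e.digest()
	l.events = append(l.events, e)
	return e
}

// exportNDJSON writes one JSON object per line, the format handed to auditors.
func (l *auditLog) exportNDJSON() (string, error) {
	var sb strings.Builder
	for _, e := range l.events {
		b, err := json.Marshal(e)
		if err != nil {
			return "", err
		}
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String(), nil
}

// verifyNDJSON is the auditor-side check: it re-derives every hash and follows
// the chain. It returns the number of good records and the final hash; the
// caller compares that final hash with one recorded out of band, because a
// chain that has simply been cut short still verifies up to the cut.
func verifyNDJSON(tenantID, ndjson string) (int, string, error) {
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	prev, n := genesisHash, 0
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		var e auditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return n, prev, fmt.Errorf("record %d: malformed JSON: %w", n+1, err)
		}
		switch {
		case e.TenantID != tenantID:
			return n, prev, fmt.Errorf("record %d: belongs to tenant %q", n+1, e.TenantID)
		case e.Seq != uint64(n+1):
			return n, prev, fmt.Errorf("record %d: sequence gap, got seq %d (record removed?)", n+1, e.Seq)
		case e.PrevHash != prev:
			return n, prev, fmt.Errorf("record %d: prev_hash does not match chain", n+1)
		case e.digest() != e.Hash:
			return n, prev, fmt.Errorf("record %d: hash mismatch (record altered)", n+1)
		}
		prev = e.Hash
		n++
	}
	return n, prev, sc.Err()
}

func main() {
	l := &auditLog{tenantID: "tenant-a"} // constructed tenant and events
	l.appendEvent("ops@watin.example", "grant:prod-access", "2026-01-10T09:00:00Z")
	l.appendEvent("system", "revoke:prod-access", "2026-01-10T10:00:00Z")
	out, _ := l.exportNDJSON()
	n, last, err := verifyNDJSON("tenant-a", out)
	fmt.Printf("verified %d records, final hash %s..., err=%v\n", n, last[:16], err)
}
```

The one thing a hash chain cannot prove on its own is completeness at the tail: an export with its last records deleted still verifies, which is why `verifyNDJSON` returns the final hash for comparison against a value the customer recorded independently (for example the chain head shown in the app at the time of export, or the hash covered by the export's signature).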

PILLAR 05

Backups you can actually restore

Backups don't count unless they're tested. We restore from production into a clean environment every Friday, automatically.

  • Point-in-time recovery, 35-day window
  • Weekly automated restore drill
  • RPO 5 minutes · RTO 60 minutes
  • Cross-region replicas in Bahrain
  • Customer-side data export anytime

PILLAR 06

Incident response, transparent

Any P0 incident touching customer data is communicated within 4 hours and reviewed publicly in our post-mortem index.

  • 4-hour customer notification SLA
  • 72-hour PDPL/GDPR regulator notification
  • Public post-mortem within 14 days
  • On-call rotation 24/7, 365 days
  • Annual tabletop exercise with auditors

02 · Architecture

How a request is handled.

From your browser to your data, six layers stand between an attacker and a single AED of recorded revenue.

Defence in depth

Each layer is independently logged, monitored, and has its own incident escalation. Compromise one and the next still stands.

  • Edge: Cloudflare WAF · DDoS L3/L7 · bot fingerprint · rate-limited per TRN
  • Identity: OIDC · WebAuthn · SCIM-managed roles · TOTP / hardware key
  • Service: mTLS between services · short-lived JWTs · zero-trust mesh
  • Data: Per-tenant logical isolation · field-level encryption for TRN, IBAN
  • Keys: AWS CloudHSM · split between tenancy KMS & FTA CSID HSM
  • Audit: Hash-chained log · every privileged action signed & replicated

Request path:

Your browser · Watin app (TLS 1.3)
  ↓ HSTS preload ↓
Cloudflare edge · WAF + DDoS (L3/L7)
  ↓ signed JWT ↓
Watin API gateway (mTLS, mesh-internal)
  ↓ tenant-scoped ↓
Postgres · field-encrypted (me-central-1, Dubai)
  ↓ envelope keys ↓
CloudHSM · keys never leave (FIPS 140-2 L3)

03 · Certifications

Independently audited.

Reports are available under NDA via your sales contact. Customers on Growth and above can self-serve from inside the app.

SOC 2 Type II

Trust-services criteria across Security, Availability and Confidentiality. Audited annually by Prescient Assurance.

Issued · 14 Feb 2026

ISO/IEC 27001:2022

Information security management system. Certified by BSI Group, scoped to all Watin production systems.

Issued · 29 Sep 2025

UAE PDPL Conformance

Self-assessed against Federal Decree-Law No. 45 of 2021. Independent gap analysis by Al-Tamimi & Co.

Reviewed · Jan 2026

FTA-accredited ASP

Listed in the FTA's Accredited Service Provider directory under ID ASP-2024-0142. Renewed annually.

Issued · 12 Aug 2025

04 · Subprocessors

Who else touches your data.

Eleven subprocessors, all bound by DPA. The full list is public — we update this page before adding anything new.

| Subprocessor | Purpose | Data region | Since |
|---|---|---|---|
| AWS (Amazon Web Services EMEA) | Compute, storage, KMS / CloudHSM | UAE (me-central-1) + Bahrain | 2023 |
| Cloudflare (Cloudflare Inc.) | Edge, WAF, DDoS protection | Global anycast · UAE PoP primary | 2023 |
| Postmark (ActiveCampaign Inc.) | Transactional email delivery | EU (Frankfurt) | 2023 |
| Twilio (Twilio Inc.) | SMS / WhatsApp 2FA | EU (Ireland) | 2023 |
| Stripe (Stripe Payments Europe) | Watin subscription billing | EU (Ireland) | 2023 |
| Datadog (Datadog Inc.) | Application monitoring (metadata only) | EU (Frankfurt) | 2024 |
| Snowflake (Snowflake Inc.) | Internal product analytics | EU (Frankfurt) · pseudonymised | 2024 |
| Plaid & bank API partners (various) | Bank-feed connectors | Per partner · OAuth-scoped | 2024 |
| Persona (Persona Identities Inc.) | KYC / KYB onboarding checks | UAE / EU regional shards | 2024 |
| Linear (Linear Orbit Inc.) | Customer-facing support tickets | EU (Frankfurt) · metadata only | 2024 |
| PagerDuty (PagerDuty Inc.) | On-call rotation, no PII | EU (Frankfurt) | 2025 |

05 · Vulnerability program

We pay for bugs.

Bug bounty + annual penetration test

Watin runs a private bug-bounty program with HackerOne and a yearly third-party penetration test. We disclose findings quarterly, fix critical issues within 48 hours, and publish a summary post-mortem.

Researchers acting in good faith are covered by our safe-harbour policy. Report any vulnerability to security@watin.ae — encrypted with our PGP key.

  • Critical SLA: 48 hrs · Patched and deployed
  • High SLA: 7 days · Patched and deployed
  • Open critical / high: 0 · As of 14 May 2026
  • Last pen-test: Q1 26 · By Cure53 · 0 criticals

06 · For auditors & legal

Documents, in one place.