Data residency & UAE PDPL compliance

1. Where your data lives

HIBR runs production infrastructure exclusively on Amazon Web Services in the me-central-1 region (Bahrain). This is the AWS region geographically closest to UAE customers and the one designated for Gulf-region data residency.

Why not AWS Dubai (me-south-1)?

AWS does not currently have a separately-named UAE region; me-central-1 (Bahrain) is the primary GCC region for AWS. AWS announced a planned UAE region but has not yet provided a launch date. When AWS UAE goes live and reaches feature parity with me-central-1, HIBR will migrate. Until then, Bahrain is the closest available compliance-grade region.

2. What never leaves the GCC region

The following customer data is hosted exclusively in AWS me-central-1 and never crosses the GCC boundary, under any circumstance:

• Customer business records — invoices, bills, journal entries, bank transactions
• Customer identity records — names, emails, phone numbers, addresses (yours, your customers', your suppliers')
• Employee records — Emirates IDs, MOHRE labour cards, IBANs, salaries
• Tax records — VAT 201 history, Corporate Tax filings, FTA correspondence
• Payment records — Stripe and UAE gateway transaction history
• Document attachments — receipts, contracts, PDFs, invoice attachments
• Database backups (encrypted, replicated to second AZ inside me-central-1)
• Application logs that contain customer data

What does cross borders (and why)

For full transparency, the following do leave the GCC region:

• Anonymized aggregate analytics — counts and percentages with no identifying information, used to operate the product (e.g., "X% of customers use feature Y"). No personal data.
• Operational metadata for global vendors — Stripe payment processing requires a payment-amount-and-method record to flow through Stripe's infrastructure. Stripe itself is PCI-DSS Level 1 certified and operates under its own data protection framework.
• AI Tax Co-pilot prompts (where opted in) — when you use the AI Tax Co-pilot, your specific question is sent to our LLM inference provider. Sensitive customer data (TRNs, names, amounts) is automatically redacted before transmission unless you explicitly disable redaction. The redaction layer is described in §4 below.

3. UAE PDPL compliance — clause-by-clause

UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law) is the binding privacy framework for any business processing UAE residents' personal data. Below: every material clause and how HIBR meets it.

4. Who can access your data inside HIBR

HIBR operates a strict access principle: the smallest possible number of people, with the smallest possible permission set, for the smallest possible window.

Standard customer support access

• Support engineers do not have default access to customer data.
• When you open a support ticket and explicitly grant access (via in-app permission grant), a named engineer gets time-bounded read access for 24 hours.
• Access is logged to an immutable audit trail. You can review who accessed your account, when, and what they viewed at any time from account settings.
• Without explicit per-ticket grant, even our CTO cannot see your invoice line items.

Emergency access (rare)

• For SEV-1 incidents threatening data integrity (e.g., a database corruption event), our on-call SRE may invoke "break-glass" access without per-customer consent.
• Break-glass access requires two-person authorization (the on-call SRE plus the CISO or designated alternate).
• Every break-glass event triggers automatic notification to affected customers within 24 hours, including who accessed what and why.
• Break-glass events are documented in the quarterly Trust Report.

Government access requests

• HIBR responds to lawful UAE government data requests only when accompanied by a valid court order, FTA enforcement notice, or equivalent legal instrument.
• We do not respond to informal requests, phone calls, or unverified communications.
• When legally permitted, we notify the affected customer before disclosure.
• An anonymized transparency report is published annually documenting the number and nature of requests received.

AI Tax Co-pilot data handling

When you use the AI Tax Co-pilot:

• Your question text is automatically scanned for sensitive identifiers (TRN, Emirates ID, IBAN, names, exact amounts) before transmission to the inference provider.
• Identified sensitive data is replaced with placeholders ({TRN_1}, {NAME_1}, etc.) before the prompt leaves our infrastructure.
• The inference provider never sees raw customer data.
• The response is post-processed to restore the original identifiers locally inside our perimeter.
• Customers can disable AI Tax Co-pilot entirely if they prefer to keep all processing internal — at the cost of losing the feature.

5. Encryption — at rest and in transit

• In transit: TLS 1.3 mandatory. TLS 1.2 fallback allowed only for older bank-feed integrations where the bank's gateway still requires it; documented per integration.
• At rest: AES-256 server-side encryption on all database storage and S3 object storage. AWS KMS-managed keys with annual rotation.
• Backups: Same AES-256 encryption, separate KMS keys.
• Customer-managed keys (CMK): Available on Enterprise tier — customer supplies their own KMS key, HIBR uses it for that customer's data encryption. Revoking the key effectively renders the customer's data unreadable without our involvement.

6. Your data export rights

You own your data. We hold it in trust. The right to leave with everything intact is non-negotiable.

• Self-service export: Available 24/7 from account settings. Formats: CSV, JSON, PDF.
• Full database export: One-click full-data download (compressed archive) within 24 hours of request.
• Document attachments: Bulk download with manifest mapping each file to its parent record.
• Format documentation: Schema documented publicly — you can build your own re-import tool if you ever want to.
• No export fee, ever. Even on cancelled accounts during the 90-day post-cancellation window.

7. Deletion & retention

When you delete your account or specific records:

• Day 0: Data marked deleted. Removed from your view immediately. Soft-deleted internally, recoverable.
• Day 1–89: Recovery period. You can reactivate the account and restore data via support.
• Day 90+: Hard delete from primary database. Backups retain the data for the remainder of the backup retention period.
• Backup expiry: Soft-deleted data falls out of backups within 30 days (point-in-time) or 12 months (monthly snapshots).
• Statutory retention overrides: VAT records, Corporate Tax records, and WPS payroll records are retained for 5 years from creation date per FTA Decision 2/2019 and Federal Tax Authority requirements. After 5 years, they are hard-deleted unless you request earlier deletion (you may face FTA penalties for early statutory-record deletion — we will warn you).

8. Subprocessors list

HIBR uses the following subprocessors, each with a documented Data Processing Agreement. The full list is maintained at this page and updated within 30 days of any change.

9. Independent audit & certification roadmap

Trust is verified, not asserted. HIBR's path to formal certifications:

• Q4 2026: Production launch. Internal compliance framework operational.
• Q1 2027: SOC 2 Type 1 audit kickoff with an accredited auditor.
• Q2 2027: SOC 2 Type 1 report published.
• Q4 2027: SOC 2 Type 2 (12-month operational period).
• 2028: ISO 27001 audit and certification.
• Continuous: Penetration testing every 6 months by an independent firm. Reports summarized publicly; full reports available to Enterprise customers under NDA.

The detailed audit + certification timeline is documented at /erp/security/audit/.