UAE / GCC data residency
Primary in AWS me-central-1 (UAE). PDPL Article 22 compliant.
AES-256 + TLS 1.3
At rest and in transit. Per-customer keys in AWS KMS, rotated every 90 days.
Immutable audit trail
SHA-256 hash-chained log. 7-year retention. FTA audit-ready.
72h breach notice
Per Federal Decree-Law 45/2021 (PDPL). Public status page on the roadmap.
1. Data residency — AWS me-central-1 (UAE)
All HIBR ERP customer data (your ledger, your invoices, your receipts, your customer and supplier records, your audit trail) lives in AWS me-central-1, the AWS Middle East (UAE) region, which is physically located in the UAE and operated under UAE jurisdiction. Primary data therefore never leaves the UAE in normal operation. Network round-trip from anywhere in the UAE to me-central-1 is under 20 milliseconds.
Cross-region disaster recovery replicates encrypted snapshots to AWS eu-west-1 (Ireland), refreshed daily. KMS keys are scoped to a region, so the eu-west-1 copy is necessarily re-encrypted under a separate set of customer keys held in that region; the replica is used only for disaster recovery and is not queried during normal operation. Because this copy leaves the UAE it is a cross-border transfer under Federal Decree-Law 45/2021 (FDL 45/2021, the UAE PDPL) Article 22, and the appropriate safeguard relied on is Standard Contractual Clauses (SCCs) with AWS.
2. Encryption — AES-256 at rest, TLS 1.3 in transit
At rest: every byte of customer data is encrypted with AES-256-GCM: the database, all backups, file storage (invoices, receipts, attachments in AWS S3), and the message queues used for asynchronous processing. Keys are managed in AWS KMS, with one customer managed KMS key (the key type AWS previously called a Customer Master Key, CMK) per customer per environment. Key material is rotated every 90 days automatically, and you can trigger an on-demand rotation from your security settings. What rotation does and does not do: new encryptions use the new key material, KMS retains the previous material so existing ciphertext still decrypts, and stored data is not re-encrypted. Rotation limits how much data any single key version protects; it does not retire data encrypted under an earlier version.
In transit: every connection to HIBR ERP (browser, mobile app, API, webhooks) uses TLS 1.3 only; there is no TLS 1.2 fallback. One consequence to plan for: HIBR is the client when it delivers webhooks, so a webhook receiver you operate must accept TLS 1.3 or deliveries will fail at the handshake. The TLS configuration scores A+ on SSL Labs and is re-scanned weekly by an automated scanner, alongside a certificate-transparency monitor that alerts on any certificate issued for HIBR domains outside our own issuance. The two checks are complementary: CT monitoring catches mis-issued certificates, the configuration scan catches protocol and cipher regressions.
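A loopback check of the policy in this paragraph, written as an added example in Go (it is not HIBR's code): a server configured with a TLS 1.3 floor refuses a client capped at TLS 1.2, while the weaker TLS 1.2 floor accepts it. The certificate, hostname and port are throwaway test values generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HardenedServerConfig is the policy described above: TLS 1.3 only. A client
// that offers at most TLS 1.2 is refused during the handshake.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
}

// LegacyServerConfig is the weak setting for contrast: a TLS 1.2 floor, which
// still accepts clients that never negotiate TLS 1.3.
func LegacyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// selfSignedCert issues a throwaway certificate for "localhost" so the test
// client can verify the server instead of disabling verification.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// HandshakeSucceeds runs one handshake over the loopback interface: a server
// built from serverCfg against a client capped at clientMax. It reports whether
// the handshake completed; a version mismatch is a clean false, not an error.
func HandshakeSucceeds(serverCfg func(tls.Certificate) *tls.Config, clientMax uint16) (bool, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()

	go func() { // server side: accept one connection and drive the handshake
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		defer raw.Close()
		_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
		_ = tls.Server(raw, serverCfg(cert)).Handshake() // fails by design on the refused path
	}()

	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12, MaxVersion: clientMax}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return false, nil // e.g. "remote error: tls: protocol version not supported"
	}
	_ = conn.Close()
	return true, nil
}

func main() {
	cases := []struct {
		name string
		cfg  func(tls.Certificate) *tls.Config
		max  uint16
	}{
		{"hardened server, client capped at TLS 1.2", HardenedServerConfig, tls.VersionTLS12},
		{"hardened server, TLS 1.3 client", HardenedServerConfig, tls.VersionTLS13},
		{"legacy server, client capped at TLS 1.2", LegacyServerConfig, tls.VersionTLS12},
	}
	for _, c := range cases {
		ok, err := HandshakeSucceeds(c.cfg, c.max)
		fmt.Printf("%-44s handshake=%v err=%v\n", c.name, ok, err)
	}
}
```

The same client configuration (`MaxVersion: tls.VersionTLS12`, everything else default) pointed at a production endpoint is the practical test of a "no TLS 1.2" claim: the expected outcome is a handshake error, not a connection.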
Field-level encryption (envelope encryption) protects the most sensitive PII fields: employee salaries, Emirates ID numbers, IBANs, bank account numbers, and the last four digits of card numbers. These fields are encrypted with a separate per-customer Data Encryption Key (DEK), which is itself encrypted by the customer's KMS key. The effect is that HIBR engineers cannot read these fields without an audited key-access request, and every such request is written immutably to the customer's own audit trail before the key is released. You can see who accessed what, and why.
3. Audit trail — immutable hash chain, 7-year retention
Every record change is written to an immutable, hash-chained audit log. Each entry contains:
- User identity (authenticated user, session ID, source IP)
- Timestamp in UTC and Gulf Standard Time
- Before / after values with field-level diff
- Action type (create, update, void, delete-attempted, document-uploaded, permission-changed, API-call, export-requested)
- SHA-256 hash of the entry together with the hash of the previous entry, so an edit anywhere changes that entry's hash and every hash after it and is visible on re-verification
Retention by tier, which comfortably exceeds the FTA's 5-year VAT record-keeping requirement under Federal Decree-Law 8/2017 (FDL 8/2017) and the 7-year Corporate Tax requirement under Federal Decree-Law 47/2022 (FDL 47/2022):
Auditors and FTA-registered Tax Agents can request a read-only audit export at any time. The export includes the full hash chain plus a verification script, so anyone can re-verify the chain offline. One caveat a diligent auditor should act on: offline verification proves the export is internally consistent, not that history was never rewritten, because an operator with write access could edit an entry and recompute every later hash. Keep the head hash (the last entry's hash and its sequence number) from each export; a later export must reproduce that value at that position, and with that comparison the check no longer depends on trusting HIBR.
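The chain format and the offline verifier, as an added example in Go (not the script shipped with a HIBR export, whose exact field layout is not given on this page). The entries, user names and IP addresses are constructed sample data. It also shows why the retained head hash matters: an edited and re-chained history passes a plain consistency check and fails only when compared against the head from an earlier export.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit record. Hash is computed over PrevHash and every other
// field, so a change anywhere in the history changes every later hash.
type Entry struct {
	Seq       int               `json:"seq"`
	TimeUTC   string            `json:"time_utc"`
	User      string            `json:"user"`
	SessionID string            `json:"session_id"`
	SourceIP  string            `json:"source_ip"`
	Action    string            `json:"action"`
	Record    string            `json:"record"`
	Before    map[string]string `json:"before"`
	After     map[string]string `json:"after"`
	PrevHash  string            `json:"prev_hash"`
	Hash      string            `json:"hash"`
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// digest hashes the canonical JSON of the entry with Hash cleared.
// encoding/json writes struct fields in declaration order and map keys sorted,
// so the bytes are deterministic.
func digest(e Entry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the current head and returns the grown chain.
func Append(chain []Entry, e Entry) []Entry {
	e.Seq = len(chain)
	e.PrevHash = genesis
	if len(chain) > 0 {
		e.PrevHash = chain[len(chain)-1].Hash
	}
	e.Hash = digest(e)
	return append(chain, e)
}

// Verify is the offline check run on an export. Every entry must hash to its
// stored Hash and link to its predecessor. If the verifier kept a head hash from
// an earlier export (knownSeq >= 0, knownHead), the chain must still carry that
// hash at that position. Returns the index of the first bad entry, or -1.
func Verify(chain []Entry, knownSeq int, knownHead string) int {
	prev := genesis
	for i, e := range chain {
		if e.Seq != i || e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		if i == knownSeq && e.Hash != knownHead {
			return i // consistent chain, but not the history exported earlier
		}
		prev = e.Hash
	}
	return -1
}

// Rechain is what an operator with write access could do after editing an
// entry: recompute every hash so the chain is consistent again. Without a
// retained head, Verify cannot tell this chain from the original.
func Rechain(chain []Entry) []Entry {
	var out []Entry
	for _, e := range chain {
		out = Append(out, e)
	}
	return out
}

// SampleChain builds three constructed events (not real customer data).
func SampleChain() []Entry {
	var c []Entry
	c = Append(c, Entry{TimeUTC: "2026-05-04T08:15:02Z", User: "sara@example.ae", SessionID: "s-41", SourceIP: "10.0.0.7",
		Action: "create", Record: "invoice/INV-1001", After: map[string]string{"status": "draft", "total": "1050.00"}})
	c = Append(c, Entry{TimeUTC: "2026-05-04T08:20:41Z", User: "sara@example.ae", SessionID: "s-41", SourceIP: "10.0.0.7",
		Action: "update", Record: "invoice/INV-1001", Before: map[string]string{"status": "draft"}, After: map[string]string{"status": "issued"}})
	c = Append(c, Entry{TimeUTC: "2026-05-05T11:02:19Z", User: "omar@example.ae", SessionID: "s-97", SourceIP: "10.0.0.12",
		Action: "void", Record: "invoice/INV-1001", Before: map[string]string{"status": "issued"}, After: map[string]string{"status": "void"}})
	return c
}

func main() {
	c := SampleChain()
	head := c[len(c)-1].Hash // what an auditor keeps from this export
	fmt.Println("clean export, first bad index:", Verify(c, 2, head))
	c[1].After["status"] = "paid" // edit history in place
	fmt.Println("edited entry 1:", Verify(c, -1, ""))
	c = Rechain(c)
	fmt.Println("edited and re-chained, no retained head:", Verify(c, -1, ""))
	fmt.Println("edited and re-chained, head from earlier export:", Verify(c, 2, head))
}
```

The retained head turns the chain from a tamper-evident structure (detects edits after the fact by whoever holds an older copy) into one the exporting party cannot silently rewrite; this is the same reason public log systems publish signed tree heads rather than only hash chains.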
4. Backups — hourly, daily, monthly, cross-region replica
We assume that any system can fail. So we built backups before we built features.
- Hourly snapshots of the primary database, retained 48 hours, stored encrypted in S3 me-central-1
- Daily full backups, retained 30 days, encrypted with separate keys
- Monthly archival backups, retained 7 years (Lite/Pro) or 10 years (Enterprise)
- Cross-region encrypted replica to eu-west-1 (Ireland), refreshed daily
- Monthly restore drills executed by the IT Backup & Recovery agent — a real backup is restored to a clean staging environment and integrity-checked, every month, with the result logged to a public-facing report
Recovery objectives: RPO ≤ 1 hour (recovery point) and RTO ≤ 4 hours (recovery time), both validated quarterly by full-scale recovery exercises. These targets assume me-central-1 is available; for the loss of an entire region, the cross-region replica is refreshed daily, so the recovery point in that scenario is bounded by 24 hours rather than one.
5. Authentication — SSO, magic-link, MFA, passkeys on the roadmap
Authentication options scale with tier:
- All tiers: passwordless magic-link email login, TOTP-based MFA (Google Authenticator, Authy, 1Password), device fingerprinting with suspicious-login alerts
- Pro and Enterprise: WhatsApp-based MFA as a regional alternative to TOTP, because WhatsApp has wider UAE adoption than authenticator apps. Treat it as a convenience factor: like an SMS code, a WhatsApp code can be relayed through a phishing page, so it is no stronger than TOTP and weaker than passkeys
- Enterprise: SSO via SAML 2.0 and OIDC — Google Workspace, Microsoft Entra ID (Azure AD), Okta, OneLogin; SCIM provisioning for user lifecycle automation
Passkeys (FIDO2 / WebAuthn) are on the GA roadmap; beta customers can opt in to early-access passkey support before GA. Passkeys are the long-term replacement for passwords plus MFA, and they are phishing-resistant by construction: the credential is bound to the site origin and never leaves the device, so a look-alike domain cannot obtain a usable secret.
6. Role-based access control + field-level encryption
Every HIBR ERP user is assigned one or more roles — Owner, Admin, Accountant, Sales, POS Operator, Inventory Manager, Read-Only Auditor. Each role has a default permission matrix that you can override per user. Enterprise customers can define custom roles with field-level granularity.
PII fields are encrypted separately from the main database using envelope encryption with a per-customer DEK. Fields covered: employee salaries (visible to Owner and HR Admin only), Emirates ID numbers, IBANs, bank account numbers, partial credit card numbers. Even a database administrator inside HIBR cannot decrypt these fields without going through the key-access workflow — which writes to your customer-owned audit trail before the decryption is allowed.
Every administrative action by HIBR staff on a customer's data is logged to the customer's own audit log, not just to ours. You see what we did, when, and why.
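The envelope-encryption and audited key-access design described in section 2 and again here, as an added example in Go (not HIBR's implementation). The KMS key is simulated by a local 256-bit key-encryption key; a real service would call KMS to unwrap and never hold that key in process. Customer IDs, the sample IBAN and the actor names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal and aeadOpen are AES-256-GCM with a random 96-bit nonce prepended to
// the ciphertext. The AAD binds a ciphertext to its context (customer, field),
// so a value cannot be swapped into another customer's row or another field.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// AccessEvent is the record the key-access workflow writes before any unwrap.
type AccessEvent struct {
	At                             time.Time
	Actor, Customer, Field, Reason string
	Granted                        bool
}

// Vault stands in for the pieces the page describes: the key-encryption key
// (assumed here to be a local key standing in for the customer's KMS key), the
// wrapped per-customer DEKs, and the customer-visible access log.
type Vault struct {
	kek      []byte
	wrapped  map[string][]byte // customer ID -> DEK wrapped under kek
	AuditLog []AccessEvent
}

func NewVault() (*Vault, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Vault{kek: kek, wrapped: map[string][]byte{}}, nil
}

// Provision creates a fresh DEK for a customer and stores it only in wrapped
// form, with the customer ID as AAD.
func (v *Vault) Provision(customer string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	w, err := aeadSeal(v.kek, dek, []byte(customer))
	if err != nil {
		return err
	}
	v.wrapped[customer] = w
	return nil
}

func (v *Vault) unwrap(customer string) ([]byte, error) {
	return aeadOpen(v.kek, v.wrapped[customer], []byte(customer))
}

// EncryptField protects one PII value under the customer's DEK.
func (v *Vault) EncryptField(customer, field string, value []byte) ([]byte, error) {
	dek, err := v.unwrap(customer)
	if err != nil {
		return nil, err
	}
	return aeadSeal(dek, value, []byte(customer+"/"+field))
}

// DecryptField is the audited read path. The access event, granted or denied,
// is appended before any key material is touched; a request with no stated
// reason is denied.
func (v *Vault) DecryptField(actor, reason, customer, field string, sealed []byte) ([]byte, error) {
	ev := AccessEvent{At: time.Now().UTC(), Actor: actor, Customer: customer, Field: field, Reason: reason, Granted: reason != ""}
	v.AuditLog = append(v.AuditLog, ev)
	if !ev.Granted {
		return nil, errors.New("key access denied: a reason is required")
	}
	dek, err := v.unwrap(customer)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, sealed, []byte(customer+"/"+field))
}

func main() {
	v, _ := NewVault()
	_ = v.Provision("cust-1001")
	ct, _ := v.EncryptField("cust-1001", "iban", []byte("AE070331234567890123456")) // constructed sample IBAN
	_, err := v.DecryptField("dba@hibr", "", "cust-1001", "iban", ct)
	fmt.Println("no reason:", err)
	pt, _ := v.DecryptField("support@hibr", "customer-requested IBAN check", "cust-1001", "iban", ct)
	fmt.Printf("with reason: %s (audit entries: %d)\n", pt, len(v.AuditLog))
	_, err = v.DecryptField("support@hibr", "same ticket", "cust-1001", "salary", ct)
	fmt.Println("ciphertext moved to another field:", err)
}
```

Two design points carry the guarantee: the audit write happens before the unwrap rather than after (a crash or a kill between the two cannot leave an unlogged read), and the AAD on both layers means a DBA who can copy ciphertext between rows or columns still cannot make it decrypt in the wrong context.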
7. Certifications path — ISO 27001 + SOC 2 + FTA listing
We do not claim certifications we do not yet hold. Here is the precise status as of May 2026:
| Certification / Listing | Status | Target Date |
|---|---|---|
| FTA-approved accounting software | In flight — first review cleared | October 2026 (beta launch) |
| UAE PDPL DPO registration (Federal Decree-Law 45/2021) | Active — DPO appointed | Already in place |
| ISO 27001:2022 (Information Security Management) | In flight — Big 4 auditor selected | Q4 2027 |
| SOC 2 Type II | In flight — observation period started Q1 2026 | Q1 2028 |
| PCI DSS (card data is tokenised by the payment processor, so HIBR never stores, processes or transmits full card numbers) | SAQ-A scope only; full SAQ-D scope avoided | Already in place |
| ISO 22301 (Business Continuity) | Roadmap | Q2 2028 |
| UAE DESC (Dubai Electronic Security Centre) accreditation | Roadmap — Dubai customers only | Q4 2028 |
In the interim, and permanently even after certifications are in place, HIBR operates to the ISO 27001:2022 control set as its operating standard, with annual third-party penetration testing and quarterly automated security scanning (detailed in section 10). Beta customers can request the current pentest summary and SOC 2 readiness report under NDA.
8. AML / CFT — Targeted Financial Sanctions screening
Under Cabinet Decision 74/2020 (CD 74/2020) and the UAE's broader AML/CFT regime, certain UAE businesses (DNFBPs, Designated Non-Financial Businesses and Professions) must screen customers and counterparties against sanctions lists and report suspicious transactions to the FIU. HIBR ERP automates the screening side of this obligation.
Lists screened in real time at customer/supplier creation and at every transaction:
- UAE Local Terrorist List — maintained by the Executive Office for Anti-Money Laundering and Counter-Terrorism Financing
- UN Security Council Consolidated List — UNSC sanctions
- OFAC SDN List — US Treasury Office of Foreign Assets Control Specially Designated Nationals
- UK HMT, EU, and other major jurisdiction lists for businesses with international exposure
Lists are refreshed at the source frequency (an update to the UAE list triggers a near-real-time refresh; UN, OFAC and EU lists refresh daily). Matches are flagged in your dashboard with a fuzzy-match score and a recommended next action. Filing Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) to the UAE FIU goAML portal is on the roadmap for Q4 2026; Enterprise customers operating in DNFBP-regulated activities can request early access.
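What a fuzzy-match score of the kind described above involves, as an added example in Go (not HIBR's screening engine, whose scoring method the page does not specify): names are normalised (case, punctuation, legal-form suffixes, token order) and scored by edit distance as a percentage of the longer name, then anything over a threshold is surfaced for review. The list entries are fictitious and constructed for the example; the threshold values are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// legalForms are tokens that carry no identity and only inflate the distance.
var legalForms = map[string]bool{"llc": true, "fze": true, "fzco": true, "fzc": true, "ltd": true, "limited": true, "inc": true, "plc": true, "co": true}

// normalize lowercases, turns punctuation into spaces, drops dots and
// apostrophes (so "L.L.C." becomes "llc" and "O'Neil" becomes "oneil"), removes
// legal-form tokens and sorts what remains, so token order no longer matters.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		switch {
		case unicode.IsLetter(r) || unicode.IsDigit(r):
			b.WriteRune(r)
		case r == '.' || r == '\'':
			// dropped
		default:
			b.WriteByte(' ')
		}
	}
	var toks []string
	for _, t := range strings.Fields(b.String()) {
		if !legalForms[t] {
			toks = append(toks, t)
		}
	}
	sort.Strings(toks)
	return strings.Join(toks, " ")
}

// levenshtein is the edit distance over runes (two-row dynamic programme).
func levenshtein(a, b []rune) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j] + 1 // deletion
			if cur[j-1]+1 < best {
				best = cur[j-1] + 1 // insertion
			}
			sub := prev[j-1]
			if a[i-1] != b[j-1] {
				sub++ // substitution
			}
			if sub < best {
				best = sub
			}
			cur[j] = best
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Score is a 0-100 similarity after normalisation: 100 minus the edit distance
// as a percentage of the longer normalised name.
func Score(a, b string) int {
	na, nb := []rune(normalize(a)), []rune(normalize(b))
	longest := len(na)
	if len(nb) > longest {
		longest = len(nb)
	}
	if longest == 0 {
		return 0
	}
	return 100 - (100*levenshtein(na, nb))/longest
}

type ListEntry struct {
	List, Name string
	Aliases    []string
}

type Hit struct {
	List, MatchedName string
	Score             int
}

// Screen scores a counterparty against every listed name and alias and returns
// the entries at or above threshold, best first, for human review.
func Screen(party string, list []ListEntry, threshold int) []Hit {
	var hits []Hit
	for _, e := range list {
		best := Hit{e.List, e.Name, Score(party, e.Name)}
		for _, alias := range e.Aliases {
			if s := Score(party, alias); s > best.Score {
				best = Hit{e.List, alias, s}
			}
		}
		if best.Score >= threshold {
			hits = append(hits, best)
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Score > hits[j].Score })
	return hits
}

// SampleList is a constructed, fictitious list in the shape of the real ones.
var SampleList = []ListEntry{
	{"UAE Local Terrorist List", "Greyharbour Logistics FZE", []string{"Grey Harbour Logistics"}},
	{"OFAC SDN", "Mahmoud Alkarim Hussain", []string{"Mahmood Al Karim Husain"}},
	{"UN Consolidated List", "Northwind Shipping Co", []string{"North Wind Shipping"}},
}

func main() {
	for _, party := range []string{"Logistics Grey-Harbour L.L.C.", "Mahmoud Al Karim Hussain", "Grey Harbour Logistics FZE, Dubai", "Blue Dune Consulting"} {
		fmt.Printf("%-36s %v\n", party, Screen(party, SampleList, 85))
	}
}
```

The third sample shows the calibration problem a screening threshold has to absorb: a trailing location ("Dubai") costs a listed entity enough distance to drop under 85 while it still scores 79, so a threshold tuned only on clean matches will miss it. Transliteration variants (Mahmoud/Mahmood, Hussain/Husain) score high because the edit distance is small, which is the case the alias handling is for.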
9. PDPL compliance — Federal Decree-Law 45/2021, every Article
HIBR ERP complies with Federal Decree-Law 45/2021 (FDL 45/2021, the UAE Personal Data Protection Law) on all five core operational obligations. We treat this as a living commitment, not a one-time checkbox.
The full PDPL Article-by-Article compliance statement is maintained internally and updated within 30 days of any regulatory change. Enterprise customers receive it as part of their Data Processing Addendum (DPA) at contract signature.
10. Penetration testing — annual third-party + quarterly automated
Annual third-party penetration test by an external offensive-security firm. Scope covers the web application, the mobile apps, the public API surface, and the underlying AWS infrastructure. Findings are tracked to closure in a public-facing CVE-style registry; beta customers can request the latest pentest summary under NDA.
Quarterly automated security scans: dependency vulnerability scanning (Snyk + npm audit + Trivy for containers), static application security testing (Semgrep + GitHub CodeQL), dynamic testing (OWASP ZAP authenticated scans against staging). All blocking findings must be closed before the next quarterly cycle starts.
HIBR runs a responsible disclosure programme at security@hibr.ai — researchers who report a verified vulnerability before exploitation receive credit on the HIBR security hall of fame and, for high-severity findings, a bug bounty (currently up to 25,000 per finding, scaling with severity). The full programme scope and rules of engagement are published at /security/disclosure.
11. Incident response — 24h SLA, public status page roadmap
Security incidents trigger a defined response protocol owned by the Security Incident Detector and the CISO:
- Detection — Sentry, log-tail anomaly detection, and cron-based threat detection run continuously; suspicious patterns page on-call within minutes
- Triage — within 1 hour of page, severity classified (Critical / High / Medium / Low)
- Communication — affected customers notified within 24 hours for any incident with confirmed customer data impact; within 72 hours for PDPL-reportable breaches
- Containment, eradication, recovery — per the documented incident response runbook
- Post-incident review — a blameless post-mortem is published to affected customers within 2 weeks, with root cause, timeline, and corrective actions
A public status page (status.hibr.ai) is on the GA roadmap with real-time uptime metrics for the API, the application, and dependent services (FTA EmaraTax submission endpoint, ClearTax PEPPOL ASP, payment gateways, banks). Currently, beta customers receive incident updates via WhatsApp and the in-product banner.
12. Subprocessors — full list, updated within 30 days of any change
HIBR ERP relies on a small, documented list of subprocessors. Adding a subprocessor requires CISO sign-off and triggers a 30-day customer notification window per the standard Data Processing Addendum:
- AWS (Amazon Web Services) — infrastructure hosting, me-central-1 + eu-west-1
- Anthropic — Claude API for AI features (Tax Co-pilot, Receipt OCR, Cash Flow Forecaster, Website Builder); zero data retention contract in place
- Stripe — subscription billing and SCA-compliant card processing
- Telr / PayTabs — UAE local payment gateways for customer-side payments
- ClearTax UAE — accredited PEPPOL Access Service Provider for e-invoicing
- Cloudflare — DDoS protection, edge CDN (no decrypted data passes through Cloudflare)
- Sentry — application error tracking (PII scrubbed at SDK level before transmission)
The full DPA-grade subprocessor list with role, location, and SCC status is provided to Enterprise customers at contract signature.
Security contacts
Security questions before you sign? Ask.
We send the latest penetration test summary, the SOC 2 readiness report, the subprocessor list, and the Data Processing Addendum to any prospective Enterprise customer under NDA. Write to security@hibr.ai and we'll have the package out within one business day.