Security & trust

Security you can put in front of your IT team.

This page is written for the person who signs off on vendors: what we run, where your data lives, and what we deliberately don't claim.

AES-256 encryptionRow-Level Security on every tableAppend-only audit trail
Defense in depth

Four layers between the internet and your figures.

No single control is trusted on its own — each layer assumes the one above it can fail.

Encrypted in transit

All traffic runs over TLS (HTTPS). There is no unencrypted path to the service.

Application controls

Origin-checked requests (CSRF), rate limiting on sign-in, uploads, AI, and exports, and validated input on every route.

Row-Level Security

Postgres RLS policies scope every query to your company — isolation is enforced by the database itself, not just the application.

Field-level encryption

Personal data extracted from your documents — party names and TRNs — is additionally encrypted with AES-256-GCM before it is stored.

The controls

What we run, in plain words.

Each of these is implemented and verifiable in the product today — there are no roadmap items on this list.

Encryption

Encrypted at rest and in transit, with a second layer on the most sensitive extracted fields.

  • AES-256 encryption at rest
  • TLS for all traffic in transit
  • Field-level AES-256-GCM on document-extracted PII

Tenant isolation

Every table carries Postgres Row-Level Security scoped to your company.

  • Per-company RLS policies on every data table
  • Covered by automated tests, including live cross-tenant checks
  • Storage buckets and paths scoped per company

Data residency

Hosted in the EU — Frankfurt (eu-central-1) — on encrypted infrastructure. We state this plainly rather than imply in-country hosting.

  • Application and database in Frankfurt, Germany
  • EU region (eu-central-1)
  • Residency stated accurately — see “what we don't claim” below

Audit trail

An append-only activity log records who did what, and tax records follow FTA retention.

  • Append-only audit log — no updates, no deletes
  • 5-year retention on tax records, enforced in the database
  • Deleting an in-retention record is blocked, and the attempt is logged

Access control

Roles keep least privilege — in the app, and again at the database.

  • Owner, accountant, and viewer roles
  • Write permissions enforced in RLS policy, not just in the UI
  • Platform administration separated and explicitly gated

Platform security

The service around your data is hardened too.

  • Stripe webhooks verified by signature
  • Server secrets never reach the browser bundle — enforced at build time
  • Uploads validated by content (magic bytes), not just file name
Audit trail

A ledger of actions, not just numbers.

Every security-relevant event is written to an append-only log — created, modified, uploaded, filed, exported.

  • Events cannot be edited or deleted after the fact
  • Filings and exports are recorded alongside record changes
  • Retained for five years, in line with FTA requirements
audit_eventsAppend-only
  • 09:14document_uploadedinvoice-gulf-office-jan.pdf
  • 09:15record_created4 transactions extracted
  • 11:02record_modifiedclassification confirmed
  • 14:30return_submittedVAT 201 · Q4 2025
  • 16:45faf_exportedFTA audit file (FAF)

Illustrative entries — the live log records actor, company, and timestamp for every event.

Compliance posture

Aligned with the rules your business answers to.

Amaan is designed around UAE data-protection and tax requirements — described here as they are, without borrowed badges.

PDPL

UAE data protection

Designed to align with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

  • Explicit, recorded consent at sign-up
  • Field-level encryption on extracted personal data
  • Personal data scrubbed from error reports before they leave the system
FTA

Tax record requirements

Built around Federal Tax Authority expectations for records, retention, and filings.

  • 5-year retention on tax records, enforced in the database
  • FTA audit file (FAF) export on demand
  • VAT 201-aligned preparation and PINT AE e-invoicing groundwork

What we don't claim

Amaan does not currently hold SOC 2 or ISO 27001 certification, and we won't use those words until an independent auditor has. Hosting is in the EU (Frankfurt) — we don't describe it as UAE-based. Everything on this page is a control we actually run, phrased the way we'd want a vendor to phrase it to us.

Responsible disclosure

Found a vulnerability? Tell us privately and we'll take it seriously — we acknowledge reports promptly, keep you informed while we fix, and credit researchers who want it.

security@amaan.ae

Start filing with confidence.

Join UAE businesses replacing spreadsheets and last-minute scrambles with one calm, compliant workflow.

14-day free trial · No credit card required

Security — Amaan