Security you can put in front of your IT team.
This page is written for the person who signs off on vendors: what we run, where your data lives, and what we deliberately don't claim.
Four layers between the internet and your figures.
No single control is trusted on its own — each layer assumes the one above it can fail.
Encrypted in transit
All traffic runs over TLS (HTTPS). There is no unencrypted path to the service.
Application controls
Origin-checked requests (CSRF), rate limiting on sign-in, uploads, AI, and exports, and validated input on every route.
Row-Level Security
Postgres RLS policies scope every query to your company — isolation is enforced by the database itself, not just the application.
Field-level encryption
Personal data extracted from your documents — party names and TRNs — is additionally encrypted with AES-256-GCM before it is stored.
What we run, in plain words.
Each of these is implemented and verifiable in the product today — there are no roadmap items on this list.
Encryption
Encrypted at rest and in transit, with a second layer on the most sensitive extracted fields.
- AES-256 encryption at rest
- TLS for all traffic in transit
- Field-level AES-256-GCM on document-extracted PII
Tenant isolation
Every table carries Postgres Row-Level Security scoped to your company.
- Per-company RLS policies on every data table
- Covered by automated tests, including live cross-tenant checks
- Storage buckets and paths scoped per company
Data residency
Hosted in the EU — Frankfurt (eu-central-1) — on encrypted infrastructure. We state this plainly rather than imply in-country hosting.
- Application and database in Frankfurt, Germany
- EU region (eu-central-1)
- Residency stated accurately — see “what we don't claim” below
Audit trail
An append-only activity log records who did what, and tax records follow FTA retention.
- Append-only audit log — no updates, no deletes
- 5-year retention on tax records, enforced in the database
- Deleting an in-retention record is blocked, and the attempt is logged
Access control
Roles keep least privilege — in the app, and again at the database.
- Owner, accountant, and viewer roles
- Write permissions enforced in RLS policy, not just in the UI
- Platform administration separated and explicitly gated
Platform security
The service around your data is hardened too.
- Stripe webhooks verified by signature
- Server secrets never reach the browser bundle — enforced at build time
- Uploads validated by content (magic bytes), not just file name
A ledger of actions, not just numbers.
Every security-relevant event is written to an append-only log — created, modified, uploaded, filed, exported.
- Events cannot be edited or deleted after the fact
- Filings and exports are recorded alongside record changes
- Retained for five years, in line with FTA requirements
- 09:14document_uploadedinvoice-gulf-office-jan.pdf
- 09:15record_created4 transactions extracted
- 11:02record_modifiedclassification confirmed
- 14:30return_submittedVAT 201 · Q4 2025
- 16:45faf_exportedFTA audit file (FAF)
Illustrative entries — the live log records actor, company, and timestamp for every event.
Aligned with the rules your business answers to.
Amaan is designed around UAE data-protection and tax requirements — described here as they are, without borrowed badges.
UAE data protection
Designed to align with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
- Explicit, recorded consent at sign-up
- Field-level encryption on extracted personal data
- Personal data scrubbed from error reports before they leave the system
Tax record requirements
Built around Federal Tax Authority expectations for records, retention, and filings.
- 5-year retention on tax records, enforced in the database
- FTA audit file (FAF) export on demand
- VAT 201-aligned preparation and PINT AE e-invoicing groundwork
What we don't claim
Amaan does not currently hold SOC 2 or ISO 27001 certification, and we won't use those words until an independent auditor has. Hosting is in the EU (Frankfurt) — we don't describe it as UAE-based. Everything on this page is a control we actually run, phrased the way we'd want a vendor to phrase it to us.
Responsible disclosure
Found a vulnerability? Tell us privately and we'll take it seriously — we acknowledge reports promptly, keep you informed while we fix, and credit researchers who want it.
Start filing with confidence.
Join UAE businesses replacing spreadsheets and last-minute scrambles with one calm, compliant workflow.
14-day free trial · No credit card required