Security, residency and the audit trail
How regulation10.ae keeps regulated data in the UAE, encrypts it end to end, and makes every change tamper-evident. We say what is true today and flag what is still in progress — we never claim certifications we have not earned.
How to read this page
This is an honest statement of posture. Running on Azure UAE North gives us in-country compute and in-region AI inference — it does not by itself make a service “DIFC adequate”. Any data that leaves the UAE moves only under DIFC Standard Contractual Clauses with a Transfer Impact Assessment on file. Certifications listed below are in progress, not yet achieved.
Security pillars
Four controls the auditor checks first
Residency, in-region inference, encryption and access control are the load-bearing controls behind every Reg 10 artefact the platform produces.
Residency
In-country compute in UAE North
Every regulated artefact — DPIAs, transparency notices, audit trails, evidence packs and the AI System Register — is stored and processed in Microsoft Azure UAE North, with UAE Central as the paired region. The write region is pinned at the schema level so regulated payloads stay in the UAE by default.
AI inference
In-region AI inference
Sensitive prompts run against Azure OpenAI provisioned in UAE North. Inference does not leave the region unless an operator triggers a documented Key Vault override, and any such fallback is captured as a structured audit event. Prompts are not used to train third-party models.
Encryption
Encrypted in transit and at rest
All traffic is served over TLS 1.2+ (HSTS enforced). Data at rest in Cosmos DB and Azure Storage is encrypted with AES-256. Application-layer secrets such as TOTP seeds are sealed with AES-256-GCM before they touch the data plane.
Secrets & access
Key Vault, MSI-bound, no static keys
Secrets live in Azure Key Vault (kv-reg10-uaen) and are reached through managed-identity-bound roles only — there are no long-lived service-principal credentials in the deploy chain. Sign-in is via Microsoft Entra or Google with mandatory app-level two-factor authentication.
Data residency
UAE North primary. DIFC SCCs for any transfer.
Regulated payloads are written to Cosmos DB and Azure Storage in UAE North, with UAE Central as the zone-redundant pair. The public marketing site you are reading runs at the edge and handles no regulated data; the authenticated app at app.regulation10.ae sits behind a WAF with the regulated data plane pinned to the UAE.
Where a sub-processor sits outside the UAE, the transfer is governed by DIFC Standard Contractual Clauses backed by a Transfer Impact Assessment. We are deliberate about this: Azure UAE North gives us in-country compute, but adequacy is a legal determination, not a hosting region.
Primary region
UAE North
Paired region
UAE Central
Transfers
DIFC SCCs + TIA
Tamper-evident
A WORM audit trail you can hand to an assessor
Every material action — a module run, an artefact generation, a sign-in, an ASO appointment — is recorded as an append-only event in a write-once-read-many (WORM) store in UAE North. Records cannot be edited or deleted in place, which is what makes the trail tamper-evident.
Append-only
Events are written once. There is no in-place update path, so the historical record is immutable by construction.
Hash-pinned
Each evidence pack ships a manifest of SHA-256 hashes, so any later tampering is a single diff away from detection.
Sign-ins captured
Entra sign-ins, WAF events and Cosmos writes all stream into the same WORM-backed trail for a single timeline.
Assessor-ready export
The trail exports as a structured extract that drops straight into a Reg 10 evidence pack for an ACB or internal review.
Sub-processors
Who touches data, and where
The list below covers the third parties that may process data on our behalf. Regulated tenant compliance data stays in Azure UAE North; the other sub-processors handle operational, billing or business-contact data under DIFC SCCs.
| Sub-processor | Purpose | Data handled | Region / transfer basis |
|---|---|---|---|
| Microsoft Azure | Core hosting, Cosmos DB, WORM blob storage, Azure OpenAI inference, Key Vault | All regulated tenant data and audit records | UAE North (paired: UAE Central) |
| Opus | Compliance reasoning support for the citation-required agent | Non-personal compliance prompts; redacted before egress | Transfer under DIFC SCCs + Transfer Impact Assessment |
| Stripe | Subscription billing and payment processing | Billing contact and payment metadata (no card data stored by us) | EU / US under SCCs (PCI DSS Level 1) |
| Resend | Transactional email (sign-in, notifications, evidence-ready alerts) | Recipient email address and message metadata | EU / US under SCCs |
| Apollo | Sales and marketing CRM (prospect and lead records only) | Business contact details — never tenant compliance data | US under SCCs |
| n8n | Internal workflow automation and orchestration | Operational metadata; no regulated tenant payloads | Self-hosted in UAE North scope |
We notify tenants of material changes to this list. Request the full data processing addendum and current sub-processor register from hello@regulation10.ae.
Certifications roadmap
In progress — and we will not pretend otherwise
We are building toward independent attestation. None of the certifications below are achieved yet; this is the honest state of the roadmap. We will publish certificates here the moment they are issued.
SOC 2 Type II
Security, availability and confidentiality trust criteria
Controls mapped and evidence collection underway; observation window not yet complete.
ISO/IEC 27001
Information security management system (ISMS)
ISMS scoped and documented; Stage 1 readiness review in preparation.
ISO/IEC 42001
Artificial intelligence management system (AIMS)
Evidence-pack manifest and audit-trail WORM blobs are sized to feed an AIMS audit; certification not yet pursued.
Due diligence
Need the full security pack for your review?
We can share the data processing addendum, the current sub-processor register, the residency posture and our certification roadmap evidence under NDA.