Enterprise-grade security. Built for Saudi Arabia.

AWS Bahrain Region

All compute, storage, and database operations run exclusively in the AWS Bahrain region.

PDPL Compliant

Personal Data Protection Law (PDPL) compliance — consent, purpose limitation, and data subject rights enforced by design.

No cross-region replication

Data is never replicated or processed outside Saudi Arabia, even for backups or disaster recovery.

Managed Database

All structured data and search indexes stored in a fully managed database within the AWS Bahrain region.

Cloud Portable by Design

Built from day one to deploy on any major cloud provider — AWS, Azure, GCP, or Oracle Cloud — wherever your organization requires.

AES-256 Encryption at Rest

Every document is encrypted at rest with AES-256 using managed encryption keys.

Dedicated Encryption Key (Enterprise)

Enterprise workspaces receive a dedicated encryption key. Revoke the key and the data is cryptographically inaccessible — even to us.

TLS 1.3 in transit

All traffic between clients and servers is encrypted with TLS 1.3.

Encrypted Secrets Management

Integration tokens and secrets are stored in encrypted vaults. Never written to databases or application logs.

Infrastructure-Level Isolation

Every data table enforces strict workspace isolation at the infrastructure level. Workspace boundaries cannot be bypassed by application logic.

Read + Write Policies

Separate security policies govern reads and writes. Cross-tenant data access is rejected at the infrastructure level, independent of application logic.

Automatic Context Scoping

Workspace context is set automatically per request and resets after each operation — zero leakage risk between tenants.

Least-Privilege Roles

All operations run under least-privilege credentials. Administrative actions require separate authorization with full audit logging.

Role-based access: User / Admin / Owner

Three-tier RBAC enforced across all operations. Every action requires a minimum authorized role.

Workspace approval gate

New workspaces require system admin approval before any user can access the product. No self-service data exposure.

Full audit log

Every create, update, delete, and access event is written to the audit log with actor, workspace, timestamp, and change details.

Team-level source access control

Sources and knowledge bases can be scoped to specific teams. Search results exclude sources the user's team cannot see.

Best-in-Class LLMs — Fully Managed

All AI inference runs within your cloud region. No data is sent to third-party services or processed outside your infrastructure boundary.

No model training on your data

Our AI provider does not use your prompts or responses for model training or improvement. Your documents never become training data.

Prompts contain only relevant context

Only the most relevant document excerpts are included in AI prompts. Your full knowledge base is never exposed in a single request.

Dedicated AI Capacity (Enterprise)

Enterprise workspaces receive dedicated AI capacity, fully isolated from other customers.

Full data export on request

System admins can export all workspace data as a compressed archive via a secure, time-limited download.

PDPL Article 20 — deletion within 30 days

Right-to-deletion removes all records, files, and encryption keys. Completed within 30 days of request.

Staged Encryption Key Revocation

Encryption keys go through staged revocation: immediate disable (reversible), then scheduled deletion with a recovery window before permanent cryptographic erasure.

Revocation Cancellation

Key revocation can be cancelled during the grace period. Once deletion is scheduled, it can still be reversed within the recovery window.