Security
Security posture.
Residency, tokenization, compliance mapping, identity, audit, and incident response. Every control below points to a mechanism in the product or a clause in the DPA. The DPA Cross-Border Annex carries the same claims at audit grade.
§1
Data residency.
Every byte of your carrier data — policy documents, claim evidence, adjudication traces, invoices, audit entries — is stored in Google Cloud me-central1 (Dammam). Database, object storage, vault, worker state, admin console: all in-region.
The single exception is the outbound inference call routed to europe-west4 (Netherlands). No frontier-LLM provider operates a Middle East region as of April 2026; moving inference to a KSA-based HSM is the Phase-2 upgrade. Every payload crossing the border tokenizes in-Kingdom first — no plaintext PII leaves Saudi Arabia.
§2
Tokenization.
Five classes of data tokenize before any outbound call: national IDs, Najm case numbers, phone numbers, IBANs, and policy-holder names. Tokens are HMAC-SHA-256, keyed by a per-tenant data encryption key wrapped by Google Cloud KMS. Tokens preserve length and shape so downstream models do not regress.
The token-to-plaintext vault lives in me-central1 Cloud SQL; the KMS keyring currently lives in europe-west4 with an opt-in migration path to a KSA-based HSM under the Portfolio tier. Every vault access — read or write — appends an audit row naming the actor, the claim, and the purpose.
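A sketch of the tokenization flow described in this section, added here as an illustration and not taken from the product's code. The page states only HMAC-SHA-256, a per-tenant key, length and shape preservation, and an audited vault; the per-character mapping, the separator allowlist, the fail-closed behaviour on unmapped characters, the in-memory `Vault`, and the `TENANT_KEY` constant are all assumptions.

```python
import hashlib
import hmac
import string

ALPHABETS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)
SEPARATORS = " +-./'"  # assumed allowlist of shape characters kept as-is

def _stream(key, data_class, value, n):
    """Expand HMAC-SHA-256 into n pseudorandom bytes (counter mode)."""
    out, counter = b"", 0
    while len(out) < n:
        msg = b"\x00".join([data_class.encode(), value.encode(), counter.to_bytes(4, "big")])
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def tokenize(key, data_class, value):
    """Deterministic token with the same length and character classes."""
    raw = _stream(key, data_class, value, 2 * len(value))
    token = []
    for i, ch in enumerate(value):
        alphabet = next((a for a in ALPHABETS if ch in a), None)
        if alphabet is not None:
            r = int.from_bytes(raw[2 * i:2 * i + 2], "big")  # 16 bits keeps modulo bias small
            token.append(alphabet[r % len(alphabet)])
        elif ch in SEPARATORS:
            token.append(ch)
        else:  # fail closed: never copy an unmapped character into the token
            raise ValueError(f"unsupported character in {data_class} value")
    return "".join(token)

class Vault:
    """In-memory stand-in for the in-region token-to-plaintext vault."""
    def __init__(self):
        self.rows, self.audit = {}, []

    def put(self, token, plaintext, actor, claim, purpose):
        if self.rows.setdefault(token, plaintext) != plaintext:
            raise RuntimeError("token collision: two plaintexts map to one token")
        self.audit.append(("write", actor, claim, purpose))

    def get(self, token, actor, claim, purpose):
        self.audit.append(("read", actor, claim, purpose))
        return self.rows[token]

TENANT_KEY = bytes(range(32))  # constructed; a real DEK would be unwrapped via KMS
```

Because an HMAC is one-way and a shape-preserving token space is small, the vault is what makes tokens reversible and is also where collisions have to be caught.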
§3
Compliance framework mapping.
Every SAMA CSF, NCA ECC-2, and PDPL control has a named mechanism in the product. The mapping is compact; the DPA annex expands each row into the control text and the evidence path.
| Framework | Control | Mechanism |
|---|---|---|
| SAMA CSF | 3.2.5 · Data classification | Per-tenant classification registry seeded from the NDMO 5-level model, enforced at every cross-border transfer. |
| SAMA CSF | 4.1 · Cryptographic key management | Customer DEKs wrapped by GCP KMS; per-tenant rotation cadence; break-glass path documented. |
| SAMA CSF | 6.2 · Third-party risk | LLM-provider enterprise agreements; processor registry on the DPA annex. |
| NCA ECC-2 | 2-3-3 · Secure software development | Change control on every deploy; production access gated by on-call rotation; admin audit log via database triggers. |
| NCA ECC-2 | 2-12 · Cryptography | TLS 1.3 everywhere; at-rest AES-256; KMS-backed envelope encryption for the PII vault. |
| PDPL | Article 6 · Lawful basis | Documented per-tenant under the Data Processing Agreement; carrier is controller, Daqiq is processor. |
| PDPL | Article 26 · Data breach notification | Carrier notified inside 48 hours of confirmed impact; NDMO notified inside 72 hours. |
| PDPL | Article 36 · Data subject rights | In-product DSR portal returns export, rectification, or deletion within 30 days. |
§4
Identity, access, audit.
Sessions use JWT-backed cookies with database-side revocation. Seven roles carry distinct write permissions: nizam_admin, nizam_ops, carrier_admin, carrier_ops, carrier_reviewer, carrier_underwriter, viewer. The matrix is printed in the DPA.
Staff impersonation is read-only. Every impersonated session renders a banner to the operator and writes an audit row the carrier can inspect. Admin audit entries are append-only via database triggers; each row carries actor email, action, target, request ID, hashed IP, and user agent.
§5
Incident response.
Incidents classify into three severities. Sev 1 (carrier-impacting outage or confirmed data exposure) acks in 15 minutes; Sev 2 (partial-impact) in one hour; Sev 3 (low) in four business hours.
Confirmed impact triggers notification to the affected carrier within 48 hours and NDMO within 72 hours per PDPL Article 26. A post-mortem is delivered within 15 business days, with timeline, root cause, control gap, and remediation commitments.
§6
Roadmap.
What isn't shipped yet, and when it will ship.
- SOC 2 Type II — Q4 2026.
- ISO 27001 — concurrent with SOC 2.
- Responsible-disclosure + bug bounty program — Q3 2026.
- Customer-held CMEK (carrier brings KMS keys) — available as a Portfolio-tier opt-in once reserved capacity is provisioned.
- KSA-based HSM for the tokenization keyring — Phase-2 product upgrade.