regulation10.ae
Trust Center

Security, residency and the audit trail

How regulation10.ae keeps regulated data in the UAE, encrypts it end to end, and makes every change tamper-evident. We say what is true today and flag what is still in progress — we never claim certifications we have not earned.

How to read this page

This is an honest statement of posture. Running on Azure UAE North gives us in-country compute and in-region AI inference — it does not by itself make a service “DIFC adequate”. Any data that leaves the UAE moves only under DIFC Standard Contractual Clauses with a Transfer Impact Assessment on file. Certifications listed below are in progress, not yet achieved.

Security pillars

Four controls the auditor checks first

Residency, in-region inference, encryption and access control are the load-bearing controls behind every Reg 10 artefact the platform produces.

Residency

In-country compute in UAE North

Every regulated artefact — DPIAs, transparency notices, audit trails, evidence packs and the AI System Register — is stored and processed in Microsoft Azure UAE North, with UAE Central as the paired region. The write region is pinned at the schema level so regulated payloads stay in the UAE by default.

AI inference

In-region AI inference

Sensitive prompts run against Azure OpenAI provisioned in UAE North. Inference does not leave the region unless an operator triggers a documented Key Vault override, and any such fallback is captured as a structured audit event. Prompts are not used to train third-party models.

Encryption

Encrypted in transit and at rest

All traffic is served over TLS 1.2+ (HSTS enforced). Data at rest in Cosmos DB and Azure Storage is encrypted with AES-256. Application-layer secrets such as TOTP seeds are sealed with AES-256-GCM before they touch the data plane.

Secrets & access

Key Vault, MSI-bound, no static keys

Secrets live in Azure Key Vault (kv-reg10-uaen) and are reached through managed-identity-bound roles only — there are no long-lived service-principal credentials in the deploy chain. Sign-in is via Microsoft Entra or Google with mandatory app-level two-factor authentication.

Data residency

UAE North primary. DIFC SCCs for any transfer.

Regulated payloads are written to Cosmos DB and Azure Storage in UAE North, with UAE Central as the zone-redundant pair. The public marketing site you are reading runs at the edge and handles no regulated data; the authenticated app at app.regulation10.ae sits behind a WAF with the regulated data plane pinned to the UAE.

Where a sub-processor sits outside the UAE, the transfer is governed by DIFC Standard Contractual Clauses backed by a Transfer Impact Assessment. We are deliberate about this: Azure UAE North gives us in-country compute, but adequacy is a legal determination, not a hosting region.

  • Primary region

    UAE North

  • Paired region

    UAE Central

  • Transfers

    DIFC SCCs + TIA

Tamper-evident

A WORM audit trail you can hand to an assessor

Every material action — a module run, an artefact generation, a sign-in, an ASO appointment — is recorded as an append-only event in a write-once-read-many (WORM) store in UAE North. Records cannot be edited or deleted in place, which is what makes the trail tamper-evident.

Append-only

Events are written once. There is no in-place update path, so the historical record is immutable by construction.

Hash-pinned

Each evidence pack ships a manifest of SHA-256 hashes, so any later tampering is a single diff away from detection.

Sign-ins captured

Entra sign-ins, WAF events and Cosmos writes all stream into the same WORM-backed trail for a single timeline.

Assessor-ready export

The trail exports as a structured extract that drops straight into a Reg 10 evidence pack for an ACB or internal review.

Sub-processors

Who touches data, and where

The list below covers the third parties that may process data on our behalf. Regulated tenant compliance data stays in Azure UAE North; the other sub-processors handle operational, billing or business-contact data under DIFC SCCs.

regulation10.ae sub-processor list
Sub-processorPurposeData handledRegion / transfer basis
Microsoft AzureCore hosting, Cosmos DB, WORM blob storage, Azure OpenAI inference, Key VaultAll regulated tenant data and audit recordsUAE North (paired: UAE Central)
OpusCompliance reasoning support for the citation-required agentNon-personal compliance prompts; redacted before egressTransfer under DIFC SCCs + Transfer Impact Assessment
StripeSubscription billing and payment processingBilling contact and payment metadata (no card data stored by us)EU / US under SCCs (PCI DSS Level 1)
ResendTransactional email (sign-in, notifications, evidence-ready alerts)Recipient email address and message metadataEU / US under SCCs
ApolloSales and marketing CRM (prospect and lead records only)Business contact details — never tenant compliance dataUS under SCCs
n8nInternal workflow automation and orchestrationOperational metadata; no regulated tenant payloadsSelf-hosted in UAE North scope

We notify tenants of material changes to this list. Request the full data processing addendum and current sub-processor register from hello@regulation10.ae.

Certifications roadmap

In progress — and we will not pretend otherwise

We are building toward independent attestation. None of the certifications below are achieved yet; this is the honest state of the roadmap. We will publish certificates here the moment they are issued.

In progress

SOC 2 Type II

Security, availability and confidentiality trust criteria

Controls mapped and evidence collection underway; observation window not yet complete.

In progress

ISO/IEC 27001

Information security management system (ISMS)

ISMS scoped and documented; Stage 1 readiness review in preparation.

Planned

ISO/IEC 42001

Artificial intelligence management system (AIMS)

Evidence-pack manifest and audit-trail WORM blobs are sized to feed an AIMS audit; certification not yet pursued.

Due diligence

Need the full security pack for your review?

We can share the data processing addendum, the current sub-processor register, the residency posture and our certification roadmap evidence under NDA.