Built secure from the ground up
Seif Compliance handles sensitive regulatory data for financial firms across multiple jurisdictions. Security is not an afterthought — it is foundational to every architectural decision we make.
Data Encryption
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database-level encryption is enforced across all storage layers. Encryption keys are managed via a dedicated key management service with automatic rotation.
Access Controls
Authentication is secured with JWT tokens (short-lived, refresh-token pattern) and OAuth 2.0 via Google and Microsoft identity providers. Role-based access control (RBAC) enforces least-privilege access at the entity level. All sessions are logged and revocable.
Audit Trail Architecture
Every compliance-relevant action is recorded in an immutable, hash-chained audit log (SHA-256). Records are append-only — no updates or deletes permitted. Audit events are retained for a minimum of 7 years to meet regulatory examination and record-keeping requirements across all supported jurisdictions.
Data Residency
Customer data is stored in the region appropriate to your jurisdiction — UAE / GCC for Middle East jurisdictions (ADGM, DIFC, VARA), Singapore for MAS clients, and Cayman/UK for CIMA clients. No data is transferred outside the agreed region without explicit customer consent. Data residency commitments are documented in our Data Processing Agreement (DPA). Specific data centre details are available on request.
Hosting Infrastructure
Seif Compliance is hosted on a leading enterprise cloud provider in a UAE / GCC region data centre (details available under NDA). Infrastructure is provisioned with redundancy, automated failover, and daily backups. Specific provider and region information is disclosed to enterprise customers during procurement.
SOC 2 Compliance
SOC 2 Type II certification is in progress. We are currently undergoing our initial audit period targeting completion in 2026. Our controls align with SOC 2 Trust Services Criteria covering Security, Availability, and Confidentiality. A summary report is available to enterprise customers under NDA.
Penetration Testing
Independent penetration testing is conducted annually by a qualified third-party security firm. Testing covers application, API, and infrastructure layers. Results are reviewed by our security team and remediated on a risk-prioritised basis. Executive summaries are available to enterprise customers on request.
Responsible Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to security@getseif.com. We commit to acknowledging reports within 2 business days and providing a resolution timeline. We ask that you do not publicly disclose findings until we have had a reasonable opportunity to investigate and remediate.
Questions about our security posture?
Our security documentation, DPA, and enterprise questionnaire responses are available to qualified prospects. Contact us to request materials or to arrange a security review call.
security@getseif.com