Security & Compliance
How we protect enterprise data and embed regulatory readiness into our platforms.
Faaz Technology Solutions designs, builds, and operates mission-critical enterprise systems for large organisations in Saudi Arabia. Security and compliance are integrated into our architecture, delivery methodology, and support processes — not added as an afterthought.
This page provides a high-level overview for procurement and IT security teams. Detailed controls, audit reports, and questionnaires are available under NDA as part of enterprise engagements.
1. Security Governance
- Security requirements defined at architecture and SOW stage
- Role-based access for Faaz personnel, granted on least-privilege principles
- Secure software development lifecycle (SDLC) with code review and environment separation
- Documented incident response and escalation procedures
- Regular review of subprocessors and integration security
2. Technical Controls
Access control
Role-based access control (RBAC), multi-factor authentication (MFA) for administrative access, and session management aligned with each client's enterprise policies.
Encryption
Encryption in transit (TLS) for web, API, and integration traffic. Encryption at rest for databases and backups where supported by the deployment environment.
Network and infrastructure
Segmentation, firewall rules, and hardened configurations for cloud and on-premises deployments. DevSecOps practices for CI/CD pipelines where Faaz manages release automation.
Logging and monitoring
Application, authentication, and integration logging with audit trails for workflow, case management, and e-invoicing operations. Monitoring and alerting for production environments under support agreements.
Vulnerability management
Dependency tracking, a defined patching cadence for supported products, and remediation of identified vulnerabilities prioritised by severity and completed within contractual SLAs.
3. Data Protection
Personal and business data processed in client systems is governed by our Privacy Policy and Data Processing Addendum. Clients control what data is stored, the retention policies configured within the application, and user access.
Cross-border processing and subprocessors are disclosed in the DPA. Data residency and local hosting options can be agreed for specific deployments.
4. Saudi Market Compliance
ZATCA E-Invoicing
Apps4x E-Invoice supports ZATCA Phase 2 (Wave 2) requirements including generation, signing, submission, clearance/reporting workflows, and audit logging. Faaz maintains product updates as regulatory technical requirements evolve. Clients remain responsible for their statutory compliance posture.
Localisation and statutory readiness
Our platforms support Arabic localisation, Hijri calendar, VAT, GOSI, and labour-law-related workflows commonly required by Saudi enterprises, as scoped in each project.
Government and banking integrations
Production integrations with portals such as ZATCA, Muqeem, Qiwa, Ajeer, and banking APIs are implemented with secure credential handling and operational monitoring.
5. AI Security
AI-enabled features follow our AI & Data Use Policy, including access boundaries, logging, and configuration to avoid using client data for unrelated model training. Prompt injection and misuse risks are mitigated through application-level controls and deployment best practices.
6. Business Continuity
Backup and recovery procedures are defined per deployment. Recovery time and recovery point objectives depend on architecture and SLA. Faaz supports disaster recovery planning for managed environments as contracted.
7. Incident Response
Suspected security incidents affecting Faaz-managed systems should be reported immediately to security@faaztechsolutions.com. We will investigate, contain, and notify affected clients in accordance with contractual breach notification terms.
8. Enterprise Assurance
Available to qualified prospects and clients under NDA:
- Security questionnaire responses
- Architecture and data flow documentation
- Subprocessor list
- Penetration test summaries (where applicable)
- Signed Data Processing Addendum