Data Security & Compliance
Enterprise-grade security protecting your property data with MENA regional cloud infrastructure, advanced encryption, and full regulatory compliance across all supported countries
Last Updated: February 2026
1. Security Overview
At Sakani Pro, security is not an afterthought - it is the foundation of everything we build. As a property management platform serving the MENA region — including the GCC countries, Levant, and North Africa — we understand the sensitivity of the data entrusted to us: tenant personal information, financial records, lease agreements, property portfolios, and regulatory compliance documents.
Our security program is designed to meet the highest international standards while fully complying with applicable regulations across MENA, including the Saudi Personal Data Protection Law (PDPL), UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection, REGA (Saudi Arabia) and RERA (UAE/Bahrain) data protection requirements, NCA (Saudi Arabia) and UAE Cybersecurity Council cybersecurity frameworks, and ISO 27001 / SOC 2 international standards.
Our Security Commitment
We employ a defense-in-depth strategy with multiple overlapping security controls. Every layer of our platform - from physical infrastructure to application code - is designed, reviewed, and tested to protect your data against unauthorized access, loss, and misuse.
1.1 Security Principles
- Data Sovereignty: All property and tenant data is stored within the customer's applicable MENA region or EMEA cloud infrastructure, in compliance with country-specific data residency requirements
- Least Privilege: Users and systems are granted only the minimum access required to perform their functions
- Zero Trust: Every access request is verified regardless of source, following "never trust, always verify"
- Encryption Everywhere: Data is encrypted both at rest and in transit without exception
- Continuous Monitoring: 24/7 security monitoring with automated threat detection and response
2. Infrastructure
Sakani Pro's infrastructure is deployed across MENA regional and EMEA cloud environments, ensuring full data residency compliance with each country's applicable data protection requirements. We utilize AWS and Microsoft Azure infrastructure in the Middle East (Bahrain and UAE regions) as well as EMEA regions for our customers across the MENA market.
2.1 MENA Regional Cloud Infrastructure
- Saudi Arabia customers: primary deployment on AWS Middle East (Bahrain) or Azure UAE North, aligned with SDAIA data localization guidelines and PDPL Article 29 on cross-border data transfers
- UAE customers: deployment within UAE-compliant cloud infrastructure, meeting UAE Federal Decree-Law No. 45 of 2021 data protection requirements
- Other MENA customers (Bahrain, Kuwait, Oman, Qatar, Egypt, Morocco, etc.): deployment on EMEA region cloud infrastructure with data processed in compliance with applicable local data protection laws
- All infrastructure utilizes Tier III+ certified data centers with full redundancy, failover capabilities, and geographic separation for disaster recovery
2.2 Physical Security
- 24/7 on-site security personnel with CCTV surveillance and monitored entry points
- Biometric access controls with multi-factor authentication for data center entry
- Redundant power systems with UPS and diesel generator backup
- Advanced fire suppression and environmental monitoring systems
2.3 Network Security
- Web Application Firewall (WAF) with real-time threat intelligence feeds
- DDoS protection with automatic mitigation and traffic scrubbing
- Intrusion Detection and Prevention Systems (IDS/IPS) monitoring all network traffic
- Network segmentation with isolated VPCs for each customer environment
3. Encryption
All data processed by Sakani Pro is protected by industry-leading encryption standards, ensuring confidentiality and integrity at every stage of data handling.
3.1 Data in Transit
- TLS 1.3 enforced on all connections with no fallback to older protocols
- HTTP Strict Transport Security (HSTS) with a minimum of 1-year max-age directive
- Perfect Forward Secrecy (PFS) ensuring past sessions remain secure even if the server's long-term private key is later compromised
- Certificate pinning for mobile applications and API integrations
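As an added example (not Sakani Pro's code), a small check that parses a Strict-Transport-Security header and flags a max-age below the stated 1-year minimum; the sample headers are constructed:

```python
"""Verify an HSTS header against the 1-year minimum max-age stated above.
Added example, not Sakani Pro code; the sample headers below are constructed."""

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds, the stated minimum


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797); valueless ones map to None."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def hsts_findings(header):
    """Return policy violations for one response header value ([] means compliant)."""
    if header is None:
        return ["Strict-Transport-Security header missing"]
    max_age = parse_hsts(header).get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["max-age directive missing or malformed"]
    age = int(max_age)
    if age == 0:
        return ["max-age=0 tells browsers to discard the HSTS policy"]
    if age < ONE_YEAR:
        return [f"max-age={age} is below the 1-year minimum ({ONE_YEAR})"]
    return []


# Constructed sample responses a scanner might see, keyed by origin.
SAMPLES = {
    "https://portal.example": "max-age=31536000; includeSubDomains; preload",
    "https://api.example": "max-age=86400",
    "https://legacy.example": None,
}


def audit(samples=SAMPLES) -> dict:
    """Map each origin to its findings so any non-empty entry is an alert."""
    return {origin: hsts_findings(value) for origin, value in samples.items()}
```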
3.2 Data at Rest
- AES-256 encryption for all stored data including databases, file storage, and backups
- Hardware Security Modules (HSM) for cryptographic key management and storage
- Automatic key rotation on a regular schedule with full audit trail
- Encrypted database connections with separate keys per customer tenant
3.3 Sensitive Data Handling
- National ID numbers (Saudi National ID, UAE Emirates ID, and equivalent national identity documents across MENA) are stored using one-way hashing with salt
- Payment details are tokenized and never stored in raw form on our systems; this applies to SADAD (Saudi Arabia) and all country-specific payment gateway integrations across MENA
- Lease registration contract data (Ejar in Saudi Arabia, Ejari in UAE, Tawtheeq, and equivalent systems) is encrypted with dedicated keys meeting the requirements of the relevant regulatory authority in each country
4. Access Control
Sakani Pro implements granular role-based access control (RBAC) ensuring that every user, administrator, and system component has access only to the resources necessary for their designated function.
4.1 User Access Management
- Role-based permissions: Property Manager, Owner, Tenant, Maintenance, Finance, and Admin roles with customizable sub-permissions
- Property-level access isolation ensuring users cannot access data from properties they are not assigned to
- Automatic session expiration after 30 minutes of inactivity with secure re-authentication
- IP whitelisting available for Enterprise customers to restrict access to approved networks
4.2 Internal Access Controls
- All Sakani Pro employee access to production systems requires manager approval and is logged
- Quarterly access reviews to ensure permissions remain appropriate and remove stale accounts
- Privileged access management (PAM) for administrative and infrastructure access
4.3 Audit Logging
- Comprehensive audit logs for all user actions, data access, and system changes
- Immutable log storage with tamper-evident mechanisms retained for a minimum of 2 years
- Real-time SIEM integration for security event correlation and anomaly detection
5. Authentication
Sakani Pro provides robust authentication mechanisms to ensure that only verified and authorized users can access the platform and its data.
5.1 Two-Factor Authentication (2FA)
- 2FA is mandatory for all administrator and property manager accounts
- Supported methods: TOTP authenticator apps, SMS OTP, and hardware security keys (FIDO2/WebAuthn)
- Recovery codes generated during 2FA setup, stored securely for emergency access
5.2 Nafath Integration
Sakani Pro integrates with Nafath, the Saudi national digital identity platform, to provide seamless and trusted identity verification for Saudi citizens and residents:
- Single Sign-On (SSO) through Nafath for streamlined tenant and owner verification
- Identity verification tied to Absher and National ID for REGA compliance
- Trusted identity assertion eliminates the need for manual ID document collection
5.3 Password Security
- Passwords hashed using bcrypt with a work factor of 12 or higher
- Minimum password complexity requirements: 12+ characters with mixed case, numbers, and symbols
- Breached password detection against known compromised credential databases
- Account lockout after 5 failed login attempts with progressive delay and CAPTCHA challenge
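The complexity and lockout rules above, implemented as an added example (not Sakani Pro's code). The 5-attempt threshold and 12-character minimum are the page's figures; the 30-second base delay that doubles per further failure up to a 15-minute cap, and the caller-supplied password verifier (bcrypt is not in the Python standard library), are assumptions:

```python
"""Login throttling per the stated policy. Added example, not Sakani Pro code."""
import string
from typing import Callable

MAX_FAILURES = 5      # stated: lockout after 5 failed attempts
BASE_DELAY = 30       # assumed: seconds of lockout on the 5th failure
MAX_DELAY = 15 * 60   # assumed: cap for the progressive delay


def password_meets_policy(pw: str) -> bool:
    """12+ characters with upper, lower, digit and symbol (the stated minimums)."""
    return (len(pw) >= 12 and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


class LoginGate:
    """Per-account failure counter with progressive lockout; clock is injectable for tests."""

    def __init__(self, verify: Callable[[str, str], bool], clock: Callable[[], float]):
        self._verify = verify            # production: a bcrypt.checkpw wrapper (work factor 12+)
        self._clock = clock
        self._failures: dict = {}
        self._locked_until: dict = {}

    def lockout_remaining(self, user: str) -> float:
        """Seconds until the account may try again (0.0 when not locked)."""
        return max(0.0, self._locked_until.get(user, 0.0) - self._clock())

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked account is not verified at all.
        The CAPTCHA step mentioned above is left to the caller once 'locked' is returned."""
        if self.lockout_remaining(user) > 0:
            return "locked"
        if self._verify(user, password):
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        n = self._failures[user] = self._failures.get(user, 0) + 1
        if n >= MAX_FAILURES:
            # Delay doubles with every failure beyond the threshold, capped at MAX_DELAY.
            delay = min(BASE_DELAY * 2 ** (n - MAX_FAILURES), MAX_DELAY)
            self._locked_until[user] = self._clock() + delay
            return "locked"
        return "denied"
```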
6. Data Backup
Sakani Pro maintains a comprehensive backup strategy to ensure data durability and enable rapid recovery in the event of any incident. All backups are stored within the customer's applicable MENA regional or EMEA cloud infrastructure, in compliance with the same country-specific data residency requirements as primary data storage.
| Backup Type | Frequency | Retention |
|---|---|---|
| Full Database Backup | Daily | 30 days |
| Incremental Backup | Every 6 hours | 14 days |
| Transaction Log Backup | Every 15 minutes | 7 days |
| File Storage Backup | Daily | 90 days |
- All backups are encrypted with AES-256 and stored in a geographically separate data center within the applicable MENA or EMEA cloud region
- Recovery Point Objective (RPO): less than 15 minutes for transaction data
- Recovery Time Objective (RTO): less than 4 hours for full system restoration
- Monthly backup restoration tests to verify integrity and recoverability
7. Incident Response
Sakani Pro maintains a formal Incident Response Plan (IRP) that is tested and updated regularly. Our response procedures are designed to minimize impact, preserve evidence, and ensure compliance with applicable data protection breach notification requirements across all countries where we operate.
7.1 Response Phases
- Detection & Triage: Automated monitoring detects anomalies. Security team triages and classifies the incident within 30 minutes.
- Containment: Immediate measures to isolate affected systems, prevent further damage, and preserve forensic evidence.
- Eradication: Identify root cause, remove the threat, patch vulnerabilities, and harden affected systems.
- Recovery: Restore services from verified clean backups, validate system integrity, and gradually resume normal operations.
- Post-Incident Review: Comprehensive post-mortem analysis, lessons learned documentation, and implementation of preventive measures.
7.2 Breach Notification
Multi-Country Data Protection Compliance
In compliance with applicable data protection laws, Sakani Pro will notify the relevant supervisory authority and affected data subjects of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of the breach. This includes notification to SDAIA (Saudi Arabia) under the Saudi PDPL, the UAE supervisory authority under UAE Federal Decree-Law No. 45 of 2021, and equivalent national data protection authorities for other MENA countries where applicable. Notifications include the nature of the breach, categories of data affected, estimated number of affected individuals, and remedial measures taken.
8. Compliance
Sakani Pro is committed to meeting all applicable regulatory requirements across MENA and international security standards relevant to property management and data protection.
| Standard / Regulation | Status | Description |
|---|---|---|
| Saudi PDPL | Compliant | Full compliance with Saudi Personal Data Protection Law |
| REGA Requirements | Compliant | Real Estate General Authority data protection and platform licensing requirements |
| ISO 27001 | Certified | Information Security Management System (ISMS) certification |
| ISO 27701 | Certified | Privacy Information Management extending ISO 27001 for personal data |
| SOC 2 Type II | Certified | Annual audit for security, availability, and confidentiality controls |
| ZATCA VAT (KSA) | Compliant | Secure handling of ZATCA e-invoicing and VAT documentation for Saudi Arabia |
| UAE DPL | Compliant | Compliance with UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection |
| MENA Financial Regulations | Compliant | Secure financial data handling per applicable central bank requirements: SAMA (KSA), CBUAE (UAE), CBE (Egypt), BAM (Morocco), and equivalents |
8.1 Country-Specific Real Estate Regulatory Data Protection
As a technology platform serving real estate sectors across the MENA region, Sakani Pro adheres to country-specific data protection requirements imposed by applicable real estate regulatory authorities:
- Secure storage and transmission of lease registration contract data: Ejar (Saudi Arabia, Ministry of Housing), Ejari (Dubai, DLD), Tawtheeq (Abu Dhabi), and equivalent systems across MENA
- Property title deed and ownership information handled per the classification and sensitivity guidelines of the applicable regulatory authority: REGA (Saudi Arabia), RERA (UAE/Dubai, Bahrain), and equivalents
- Tenant and owner identity data protected according to national identity regulations in the applicable country (Saudi National ID, UAE Emirates ID, and equivalent national identity systems)
- Financial transaction records secured per the applicable central bank and tax authority requirements in each country: SAMA and ZATCA (Saudi Arabia), CBUAE (UAE), CBE (Egypt), BAM (Morocco), and equivalent authorities
9. Penetration Testing
Sakani Pro maintains a rigorous security testing program to proactively identify and remediate vulnerabilities before they can be exploited.
9.1 Testing Schedule
- Annual comprehensive penetration testing conducted by independent, CREST-accredited third-party firms
- Quarterly automated vulnerability assessments across all application and infrastructure layers
- Continuous automated security scanning in CI/CD pipeline before every code deployment
- Ad-hoc testing after major feature releases or significant infrastructure changes
9.2 Testing Scope
- OWASP Top 10 vulnerability coverage including injection, XSS, broken authentication, and misconfigurations
- API security testing for all REST and webhook endpoints
- Infrastructure testing including network, servers, and cloud configuration
- Social engineering assessment including phishing simulation for internal staff
9.3 Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability in Sakani Pro, please report it to our security team. We are committed to:
- Acknowledging receipt of vulnerability reports within 24 hours
- Providing regular updates on remediation progress
- Not pursuing legal action against good-faith security researchers who follow responsible disclosure practices
10. Security Contact
For security inquiries, vulnerability reports, compliance documentation requests, or to request a copy of our latest penetration test executive summary, please contact our dedicated security team:
Security Team
Email: security@sakanipro.com
Vulnerability Reports: security@sakanipro.com
PGP Key: Available upon request for encrypted communications
Response Time: Within 24 hours for all security inquiries
Office: Valutoria LTD, 71-75 Shelton Street, Covent Garden, London, United Kingdom
Security Documentation
Enterprise customers may request access to detailed security documentation including our SOC 2 report, ISO 27001 certificate, penetration test executive summaries, and business continuity plans. Please contact security@sakanipro.com with your request.