Security & Data Residency
Built to pass a regulator’s examination.
When a CBUAE, DFSA, or FSRA examiner asks to see your data governance, access controls, and decision audit — TruVis gives you the answers, not a scramble.
Your data stays in the UAE
TruVis hosts all customer data, audit records, and documents within UAE infrastructure. We do not route your data through EU or US servers by default — meeting UAE data residency expectations under the PDPL and supporting CBUAE, DFSA, and FSRA examination requirements.
- All data hosted in Bahrain (GCC region) — not EU or US
- No cross-border data transfers without your explicit written instruction
- Meets UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL) requirements
- Supports CBUAE, DFSA, FSRA, and VARA data governance obligations
Only the right people see the right things
Every member of your compliance team has a defined role — Analyst, Senior Reviewer, Compliance Officer, MLRO, or Admin. Each role sees only the cases, reports, and actions they are authorised for. MFA is required for anyone who can approve cases or file SARs.
- Seven permission levels — from read-only viewer to platform administrator
- MFA required for case approvers, SAR filers, and administrators
- SAR reports visible only to MLRO and Compliance Officer — tipping-off protection built in
- All login attempts and permission denials permanently recorded
A permanent record that cannot be changed
Every compliance action — approval, rejection, document upload, risk decision — is permanently recorded and cannot be altered or deleted after the fact. When a regulator asks what happened in a case, you can produce a complete, timestamped record in minutes.
- Every decision permanently recorded — nothing can be changed after the fact
- Complete case history: who did what, when, and why
- Customer record versioning — see every change to a customer profile over time
- Seven-year retention by default
- Full case file export for regulator handover
Documents stored securely
Customer documents — passports, Emirates IDs, utility bills — are stored in private, encrypted vaults. Staff access them through time-limited links that expire automatically. Documents are never publicly accessible.
- Documents stored in encrypted private storage — no public access
- All data encrypted at rest and in transit
- Access links expire automatically after a short window
- Document access recorded in the audit trail
Certifications and third-party testing
TruVis undergoes annual independent penetration testing. We are pursuing SOC 2 Type II certification, with ISO 27001 planned for 2026. Pen-test reports are available to Enterprise customers under NDA.
- Annual third-party penetration test — application, API, and infrastructure scope
- SOC 2 Type II — audit in progress; report available under NDA to Enterprise customers
- ISO 27001 — planned 2026
- Security findings remediated within five business days
Breach notification within 72 hours
In the event of a confirmed personal data breach, TruVis notifies affected customers within 72 hours of confirmation — in line with UAE PDPL and GDPR obligations. We document what happened, what data was affected, and what we did about it.
- 72-hour breach notification SLA (UAE PDPL and GDPR)
- Notification includes: data categories affected, approximate record count, remedial steps
- Security disclosures: security@truvis.ae
- Coordinated disclosure requested before publishing any vulnerability details
Third-party services we use
We disclose every service that processes your customer data. The complete list, including the location and purpose of each, is on our legal page.
- Data storage and authentication: Customer data, audit records, and document storage — UAE region
- Application delivery: Platform hosting and edge routing — UAE region
- Email notifications: Review requests, approvals, and operational alerts sent to your team
- Sanctions and PEP screening: Watchlist data for AML screening checks
- Identity verification: Document reading, liveness checks, and face matching during onboarding
Found a security issue?
Email security@truvis.ae. We acknowledge within one business day and share a remediation timeline within five. Please coordinate disclosure with us before publishing any details.
Talk to us
Questions about data residency or access controls?
Bring your security questionnaire or your regulator’s checklist. We’ll walk through every point on a 30-minute call.