SECURITY · COMPLIANCE · TRUST

Built for UAE businesses that cannot afford to lose financial data.

Every aspect of how your data is stored, encrypted, backed up, and protected — explained in plain language. No security theatre.

UAE FTA Compliant

Decree-Law 8/2017 + 47/2022

AES-256 Encryption

At rest & in transit

Daily Backups

30-day point-in-time recovery

UAE Data Residency

Hosted in region

Encryption Everywhere

Data in transit

TLS 1.3

All connections to and from Emirate ERP servers use the latest transport encryption. Older TLS versions are blocked.

Data at rest

AES-256-GCM

Industry-standard symmetric encryption applied to your database, file uploads, and backups.

Passwords

bcrypt + salt

Passwords are never stored in plaintext. We use one-way hashing — even our engineers cannot read your password.

API keys

Hashed in DB

Generated keys are shown once on creation, then stored as a one-way hash. Lost keys cannot be recovered — only revoked and re-issued.

UAE FTA Compliance — by Specific Regulation

VAT Decree-Law 8/2017

VAT Form 201 with all 9 boxes auto-populated

Standard rated, zero rated, exempt, reverse charge — each transaction routed to the correct box automatically.

VAT Cabinet Decision 100/2024

UAE eInvoicing PINT-AE format ready

UBL 2.1 XML generation + TLV QR codes per FTA spec. Voluntary adoption from July 2026.

CT Federal Decree-Law 47/2022

Corporate Tax 0% / 9% calculation

0% on the first AED 375,000. 9% above. Small Business Relief tracked when revenue ≤ AED 3M.

MOHRE Resolution 656/2022

Wages Protection System (WPS) SIF export

MOHRE-format Salary Information File generated for upload via your processing bank to CBUAE.

GPSSA Federal Law 7/1999

UAE National pension contribution tracking

20% gross salary calculation (12.5% employer + 5% employee + 2.5% government) for UAE national employees.

Federal Decree-Law 14/2020

Bounced cheque criminal record handling

PDC tracking with bounce reversal, debit note generation, and AED 200-1,000 penalty notices.

Article 78 of Labour Law

End of Service Gratuity (EOSB) calculation

21 days basic salary per year for years 1-5, 30 days per year above 5 years, capped at 2 years total.

FTA Audit Requirements

5-year tamper-evident audit trail

Every transaction cryptographically hashed. Logs are append-only — no user including admins can edit history.

Backups & Recovery

Every 24 hours

Full snapshot

Automated · zero downtime

Continuous

Transaction log streaming

Point-in-time recovery to any moment in last 30 days

Geographic redundancy

Backups stored in separate physical region

Disaster recovery if primary region fails

Recovery time objective: 4 hours

In the rare event of a complete service outage, full restoration from backup completes in under 4 hours. Your data loss window (RPO) is at most 5 minutes thanks to continuous transaction log streaming.

Access Controls

Two-factor authentication (2FA)

TOTP authenticator apps (Google Authenticator, Authy, 1Password). Required for owner accounts on the Enterprise plan.

Role-based access (7 roles)

Owner / Admin / Accountant / Auditor / Sales / HR / Viewer — each role sees only what they need.

Session timeout policy

Auto-logout after configurable inactivity period (15 min – 8 hours).

Multi-tenant isolation

Database row-level security ensures one tenant's data is never visible to another, even if URLs are guessed.

Append-only audit trail

Every action logged with user, timestamp, IP, and before/after values. No one can delete entries.

See every successful and failed login attempt with device, browser, and IP. Export to CSV anytime.

Privacy & Data Ownership

Your data is yours. We process it solely to provide the Emirate ERP service. We never sell, share, or use your business data to train AI models. You can export everything as CSV, JSON, or PDF at any time.

UAE PDPL aligned. Federal Decree-Law 45/2021 on Personal Data Protection. We collect the minimum necessary, store it securely, honour deletion requests within 30 days.

5-year retention. FTA requires 5 years for tax records. Your data is preserved for that period at minimum, and longer at your request.

Right to leave. Cancel anytime. Export every byte of your data in standard formats. We delete your tenant from production within 30 days of cancellation (encrypted backups expire on the standard 30-day cycle thereafter).

What we do NOT yet have

In the spirit of full transparency: we are not yet SOC 2 Type II certified — audit in progress with Deloitte ME. Expected completion: Q3 2026. We do not yet hold ISO 27001 — assessment phase underway, engagement signed. Target certification: Q4 2026. We are not yet a fully-licensed FTA Tax Agent (we are an FTA-aligned software, not a tax filing service). If any of these are blockers for your procurement process, please contact us before signing up so we can share detailed timelines and auditor references.

Have a security question we didn't answer?

Email support@emirateerp.com or read our full Privacy Policy and Terms.