Security
DPAS handles payment approvals, a sensitive workflow. These are the controls in the product today, and an honest view of what is on the roadmap.
Every organization is a separate tenant. Data is scoped per tenant and enforced by deny-by-default security rules, so one tenant can never read or write another's records.
Every sign-in on a new browser is verified with a one-time code sent to the user's email. Sensitive approval actions also require a fresh code, so a stolen password alone cannot release a payment.
Each final approval PDF is hashed with SHA-256; the hash is stored on the request and in the audit log so any later alteration of the document is detectable.
Approval decisions and key actions are recorded in a per-tenant audit log, giving finance and compliance teams a reviewable history of who did what and when.
Database and storage access is governed by role- and participation-scoped rules, so users only reach the requests and documents their role permits.
All traffic is served over HTTPS, and the application ships a strict Content-Security-Policy alongside standard browser-hardening headers.
DPAS is built PDPL-aware for organizations in Saudi Arabia and the wider GCC, and the same principles cover GDPR considerations for any EU visitor. Data-residency region is confirmed during tenant onboarding. A data-erasure path supports data-subject requests. For B2B tenants a Data Processing Agreement is available. See the DPA page.
The items below are planned, not yet achieved. DPAS does not claim any certification it does not hold.
Found a security issue? We welcome coordinated disclosure. Email our security contact and we will respond. Machine-readable details are published at /.well-known/security.txt.
A 90-second walkthrough of the full approval chain: from a payment request to a hash-locked, emailed PDF. Then book a tailored demo from our team.