Security & compliance posture

DPAS handles payment approvals — a sensitive workflow. These are the controls in the product today, and an honest view of what is on the roadmap.

Security & compliance

Tenant isolation

Every organization is a separate tenant. Data is scoped per tenant and enforced by deny-by-default security rules, so one tenant can never read or write another's records.

Multi-factor authentication

User accounts can be protected with a second authentication factor in addition to the password, reducing the risk from credential theft.

Hash-locked documents

Each final approval PDF is hashed with SHA-256; the hash is stored on the request and in the audit log so any later alteration of the document is detectable.

Audit logging

Approval decisions and key actions are recorded in a per-tenant audit log, giving finance and compliance teams a reviewable history of who did what and when.

Hardened access rules

Database and storage access is governed by role- and participation-scoped rules, so users only reach the requests and documents their role permits.

Encrypted transport & security headers

All traffic is served over HTTPS, and the application ships a strict Content-Security-Policy alongside standard browser-hardening headers.

Data protection posture

DPAS is built PDPL-aware for organizations in Saudi Arabia and the wider GCC, and the same principles cover GDPR considerations for any EU visitor. Data-residency region is confirmed during tenant onboarding. A data-erasure path supports data-subject requests. For B2B tenants a Data Processing Agreement is available — see the DPA page.

On the compliance roadmap

The items below are planned, not yet achieved. DPAS does not claim any certification it does not hold.

  • SOC 2 Type II: Planned — not yet audited or certified.
  • ISO/IEC 27001: Planned — not yet certified.
  • Independent penetration test: Scoped for a third-party engagement.

Coordinated disclosure

Found a security issue? We welcome coordinated disclosure. Email our security contact and we will respond. Machine-readable details are published at /.well-known/security.txt.

security@dpas.app · /.well-known/security.txt
