Security & trust

Your books are the most sensitive thing you own. We treat them that way.

Ledgr is built on UAE-resident infrastructure, encrypted end to end, and isolated per customer. We never train our models on your data. A short summary, then the specifics — keep scrolling.

Hosted in UAE Central · Microsoft Azure · SOC 2 Type II in progress (target Q1 2027) · ISO/IEC 27001 audit scoped

At a glance

Eight commitments. Plain English.

No vague reassurance. Each card below corresponds to a specific control, audited by an external party we can name on request.

UAE data residency

All production data lives in Microsoft Azure UAE Central (Dubai) and is replicated to UAE North. Nothing leaves the country.

Encrypted, in transit and at rest

TLS 1.3 in transit, AES-256 at rest. Document blobs are wrapped in customer-specific keys held in Azure Key Vault HSM.

Isolated per customer

Every entity gets a logical schema and a row-level access policy. Cross-customer reads are physically impossible to express.

No model training on your data

Your books, documents and chats are never used to train shared models. Inference happens against locked, version-pinned model snapshots.

Reasoning trail on every action

Every agent action carries an inputs → tools → outputs trace. Replay any classification, filing or message that the system ever sent.

Human-in-the-loop, by default

Filings to the FTA, money movement and any high-confidence-but-novel classification route to a UAE-licensed chartered accountant before they execute.

Backups, restorable to the minute

Point-in-time restore covers the last 35 days. Disaster-recovery exercises run quarterly; RPO 15 minutes, RTO 4 hours.

Your data is yours

Export everything — transactions, documents, ledgers, audit trail — at any time, in CSV, JSON and PDF. We will help you move to any competitor.

How we think

Two principles we will not compromise on.

An accountant signs every filing.

We chose to build slower so that a licensed human reviews anything that goes to the FTA. Customers see exactly who signed off, when, and the reasoning that led there. This is how we keep penalty risk out of an agentic stack.

You own the audit trail.

If we go away, your last seven years of books, source documents and reasoning traces are exported in machine-readable form within 24 hours. The FTA's record-keeping requirement does not depend on us continuing to exist.

The fine print

Specifications.

If you need a longer document for procurement, ask your account manager for the security questionnaire — we will return it within five working days.

Hosting: Microsoft Azure · UAE Central (Dubai) primary, UAE North (Abu Dhabi) replica. No production data leaves the UAE.
Encryption: TLS 1.3 in transit; AES-256 at rest. Customer-specific data-encryption keys wrapped by master keys held in Azure Key Vault HSM (FIPS 140-2 Level 3).
Isolation: Multi-tenant with logical separation. Row-level security policies enforced at the database and a separate Postgres role per customer org.
Authentication: UAE Pass and email + magic link. SSO via Microsoft Entra ID and Google Workspace on Growth and above. WebAuthn / passkeys on roadmap (Q4 2026).
Access controls: Role-based on Solo and Growth (Owner, Bookkeeper, Viewer). Custom roles and audited break-glass on Scale.
AI & data usage: Your data is never used to train shared models. Inference uses version-pinned model snapshots with no provider-side retention. Bring-your-own-key for embeddings on Scale.
Backups: Continuous WAL archiving. Point-in-time restore for 35 days. Quarterly DR drill. RPO 15 min, RTO 4 h.
Compliance roadmap: SOC 2 Type II under audit (target Q1 2027). ISO/IEC 27001 scoped. UAE PDPL compliant from day one; DIFC Data Protection Law adhered to where applicable.
Incident response: On-call rotation 24/7. Customer notification within 24 hours of confirmed material incident. Public status page at status.ledgr.ae.
Subprocessors: Microsoft Azure (hosting), Stripe (billing), Lean & Tarabut (Open Finance), Twilio (WhatsApp Business). Full list updated quarterly.

Have specific questions?

Talk to a security engineer.

Reach our team directly. We will share the security questionnaire, the latest pen-test summary, and architecture diagrams under NDA.