Security & Compliance · ISO 27001 · UAE PDPL · Data Sovereign

Your data stays
where you need it. Always.

Eshal is built for industries where data residency, compliance, and auditability are non-negotiable. Every deployment option, certification, and control is documented here - no vague claims.

ISO 27001 Certified · UAE PDPL Compliant · DIFC DPL 2020 · TDRA Aligned · UAE Data Sovereign · GDPR Compliant

Data Sovereignty

Citizen, patient, and customer data stays in the country you deploy in.

Every Eshal deployment is pinned to a specific geographic region. Data is processed, stored, and backed up exclusively within that region, and no cross-border transfer occurs unless you give explicit written consent.

KSA - Saudi Arabia

Saudi deployments run on infrastructure within the Kingdom. Meets SDAIA PDPL and SAMA data localisation requirements for regulated deployments.

EU - European Region

GDPR-compliant European residency for deployments serving EU data subjects. Standard Contractual Clauses provided. Data never transits outside the EEA.

Infrastructure residency certificates are provided for government and regulated procurement. Data Processing Agreements (DPAs) are available for every deployment region on request.

Deployment Options

Three ways to run Eshal.
One level of security.

Choose the deployment model that matches your organisation's compliance posture and IT infrastructure - from managed cloud to fully air-gapped on-premise.

Managed Cloud

Fully managed SaaS deployment on Eshal's UAE-hosted infrastructure. Fastest time to go live - typically one day.

  • UAE data residency (OVHcloud Dubai)
  • ISO 27001 infrastructure
  • 99.9% uptime SLA
  • Automatic security updates
  • Multi-tenant with strict isolation
  • Data residency certificate on request

On-Premise / Air-Gapped

Full Eshal platform deployed inside your own data centre. No data leaves your walls. Managed via Eshal's Distributor console.

  • Runs entirely within your infrastructure
  • Air-gapped deployment available
  • Distributor console for multi-tenant ops
  • Self-hosted LLM models supported
  • No internet connectivity required
  • Full source access on enterprise plans
192 vCPU cores · 384 GB RAM · 12 instances · 99.9% uptime SLA

Data Architecture

How data flows - and where it stops.

A complete picture of how customer data moves through the Eshal platform, what stays in your region, and what never leaves your control.

Customer: a WhatsApp message, web chat, voice call, or API request reaches the Eshal ingestion layer.

Encryption: TLS 1.3 in transit, AES-256 at rest, PII masked by default.

AI processing: language detection, intent classification, LLM inference, response generation. All within your region.

Storage: conversation logs, knowledge base, agent config, audit records. All stored within your deployment region (UAE for Managed Cloud).

Never leaves: customer PII, conversation content, business data. None of it is used for training.

Integrations: your EHR / CRM exchanges data with Eshal inside your region. API calls stay within your VPC or are VPN-tunnelled.
Isolated workspaces

Every organisation gets a sandboxed workspace - its own agents, knowledge base, inbox, and data. No cross-tenant data access is architecturally possible.

Separate encryption keys

Each tenant's data is encrypted with a unique key. Private Cloud and On-Premise deployments support BYOK - you hold the master key, we cannot access your data.

RBAC within your workspace

Granular roles: Platform Admin, Agent Builder, Viewer. Every permission is scoped to your org only. Access logs available in real time.

Certifications & Compliance

Every certification your procurement
team will ask for.

Eshal meets the compliance requirements for regulated industries across the UAE, GCC, and global markets.

ISO 27001:2022 - Active

Information security management system. Covers access control, incident response, risk management, encryption, and change management. Audited annually by an accredited third party.

Scope: Full platform · Certificate available on request

UAE Federal Data Protection Law (PDPL) - Compliant

Federal Decree-Law No. 45 of 2021. Covers consent, data subject rights, processor obligations, and cross-border transfer restrictions. All UAE deployments comply by default.

Scope: All UAE-deployed workspaces · DPA available

DIFC Data Protection Law 2020 - Compliant

DIFC DPL 2020 and associated regulations. Covers data processing, international transfers, and subject access rights for DIFC-registered entities and their processors.

Scope: DIFC deployments · Processor agreement available

TDRA Digital Service Standards - Aligned

UAE Telecommunications and Digital Government Regulatory Authority standards for digital government services. Required for public sector and smart government deployments.

Scope: Government deployments · Assessment report available

GDPR (EU General Data Protection Regulation) - Compliant

Full GDPR compliance for EU and EEA data subjects. Covers lawful basis, data minimisation, subject rights, DPO engagement, and cross-border transfers via Standard Contractual Clauses.

Scope: EU-resident data subjects · SCCs and DPA available

HIPAA-Aware Architecture - Aligned

HIPAA has no formal certification scheme. Eshal is built with PHI and PII handling controls consistent with HIPAA requirements: encryption, access controls, and audit logging, with a BAA available for US healthcare deployments.

Scope: Healthcare deployments · BAA available for enterprise

PCI DSS Awareness - Aware

Payment handling workflows are architected to keep Eshal out of direct PCI DSS scope. Card data is never stored or processed by Eshal; payment links route customers to compliant payment processors.

Scope: Payment-adjacent workflows

CBUAE & DFSA Guidelines - Aligned

Aligned with Central Bank of UAE and Dubai Financial Services Authority technology risk and outsourcing guidelines for financial service deployments in the UAE and DIFC.

Scope: Banking & finance deployments

SOC 2 Type II - In progress

Security, availability, and confidentiality trust service criteria. Audit in progress; report expected H2 2026. Bridge letter available for enterprise procurement requirements.

Scope: Full platform · Bridge letter available now

By Industry

Compliance built for your sector.

Every regulated industry has additional compliance requirements. Eshal is pre-configured for each.

Banking & Finance

Central bank and financial regulator requirements across MENA

CBUAE · DFSA · SAMA

Healthcare

Health authority data handling and patient privacy standards

DHA · MOH UAE · HIPAA-aware

Government

UAE public sector digital and data governance frameworks

TDRA · UAE PDPL · On-premise

Telecom

Telecom regulator subscriber data requirements

UAE TRA · CITC KSA · BSS/OSS

Encryption & Security Controls

The technical details your
security team needs.

Exact specifications for every encryption layer, key management approach, and security control. No vague claims.

Encryption specifications

Layer            | Standard           | Notes
Data at rest     | AES-256-GCM        | All volumes and databases
Data in transit  | TLS 1.3            | TLS 1.2 minimum, TLS 1.3 default
Key management   | AES-256 master key | BYOK on Private Cloud and On-Premise
PII masking      | SHA-256 hash       | On by default in all tiers
Password hashing | bcrypt, cost 12    | Salted per user
API tokens       | HMAC-SHA-256       | Short-lived, rotatable
Backups          | AES-256-GCM        | Encrypted before write
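The table lists an unkeyed SHA-256 hash for PII masking and HMAC-SHA-256 for API tokens. The distinction matters for low-entropy identifiers: a mobile number under a known operator prefix has only a few million possible values, so an unkeyed hash of it can be reversed by enumeration, whereas an HMAC under a per-tenant key cannot be matched without the key and cannot be correlated across tenants. The following is an added example, not Eshal's code; the sample message, the fictitious number and address, and the per-tenant key handling are constructed assumptions used to show the failure mode. When evaluating a masking control, the question to ask is whether the hash is keyed (or the input salted or tokenised), not which digest is used.

```python
import hashlib
import hmac
import re
import secrets
from typing import Callable, Optional

# Constructed sample message; the number and address are fictitious.
SAMPLE_MESSAGE = "Please update my number to +971501234567, my e-mail is a.karim@example.com"

PHONE_RE = re.compile(r"\+\d{9,15}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def mask_sha256(value: str) -> str:
    """Unkeyed SHA-256 mask, the scheme the table lists; truncated to 16 hex chars for readability."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def mask_hmac(value: str, tenant_key: bytes) -> str:
    """Keyed mask: HMAC-SHA-256 under a per-tenant secret (one key per tenant is an assumption)."""
    return hmac.new(tenant_key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_message(text: str, masker: Callable[[str], str]) -> str:
    """Replace phone numbers and e-mail addresses in free text with their masks."""
    text = PHONE_RE.sub(lambda m: "<" + masker(m.group(0)) + ">", text)
    return EMAIL_RE.sub(lambda m: "<" + masker(m.group(0)) + ">", text)


def recover_by_enumeration(masked: str, prefix: str, digits: int,
                           masker: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: mask every number under a known prefix until one matches."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if masker(candidate) == masked:
            return candidate
    return None


def demo() -> dict:
    phone = "+971501234567"
    tenant_a, tenant_b = secrets.token_bytes(32), secrets.token_bytes(32)
    plain = mask_sha256(phone)
    keyed = mask_hmac(phone, tenant_a)
    # The attacker knows the operator prefix and enumerates the last 5 digits (10^5 candidates);
    # the full 7-digit subscriber space is only 100x more work on the same laptop.
    return {
        "recovered_from_sha256": recover_by_enumeration(plain, "+9715012", 5, mask_sha256),
        "recovered_from_hmac": recover_by_enumeration(keyed, "+9715012", 5, mask_sha256),
        "same_mask_across_tenants": mask_hmac(phone, tenant_a) == mask_hmac(phone, tenant_b),
        "masked_message": mask_message(SAMPLE_MESSAGE, lambda v: mask_hmac(v, tenant_a)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` recovers the number from the unkeyed mask, fails to recover it from the keyed mask, and shows that the same number masks to different values under two tenant keys, which is the property the "separate encryption keys" section above relies on for cross-tenant isolation.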

Access & authentication controls

Multi-factor authentication (MFA)
TOTP and FIDO2 supported. Enforced on admin accounts by default.
SSO / SAML 2.0 / OIDC
Enterprise identity provider integration: Okta, Azure AD (Microsoft Entra ID), Google Workspace.
Role-based access control (RBAC)
Granular roles: Platform Admin, Agent Builder, Viewer. Scoped strictly to your org.
IP allowlisting
Restrict platform access to approved IP ranges. Available on all plans.
Session timeout & token expiry
Configurable session duration. JWT expiry enforced. Refresh token rotation.
Annual penetration testing
External pen test by an accredited firm. Executive summary available to enterprise customers.

Audit Trail

Every action. Every actor. Every second.

Every interaction with Eshal - customer conversations, agent actions, platform changes, API calls, escalations - is logged in an immutable, searchable audit trail. Regulatory-grade records for compliance, investigations, and FOI requests.

Audit Log - All events (sample rows)

Timestamp           | Actor          | Action                                                       | Channel   | Result
2026-04-14 09:14:22 | Eshal AI Agent | Resolved shipment tracking query - AWB 1234567890            | WhatsApp  | Resolved
2026-04-14 09:16:05 | Eshal AI Agent | Escalated to human - KYC document validation failed          | Web chat  | Escalated
2026-04-14 09:18:41 | Eshal AI Agent | Action blocked - transfer AED 50,000 requires human approval | WhatsApp  | Blocked
2026-04-14 09:21:03 | admin@bank.ae  | Updated knowledge base: "Loan eligibility criteria 2026"     | Dashboard | Admin
2026-04-14 09:24:17 | Eshal AI Agent | Resolved balance query - Account **** 4412                   | App       | Resolved
2026-04-14 09:27:58 | Eshal AI Agent | Escalated to fraud team - suspicious transaction pattern     | WhatsApp  | Escalated

Audit logs are immutable - they cannot be edited or deleted, even by Eshal admins. Logs are retained for the period specified in your DPA (minimum 7 years for UAE regulated industries). Export in JSON, CSV, or directly to your SIEM.
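The page describes the audit trail as immutable and exportable to JSON or a SIEM but does not say how immutability is enforced. The example below is added here and is not Eshal's code: it shows one standard way for the receiving side to make an exported log tamper-evident, by chaining each entry to the SHA-256 of its predecessor, so that editing, inserting, or deleting an entry in the middle breaks verification, and recording the head hash out of band catches truncation of the newest entries. The rows are constructed to mirror the sample table above; the field names, the chaining format, and the JSON Lines export shape are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash carried by the first entry


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    actor: str
    action: str
    channel: str
    result: str


# Constructed sample events mirroring the rows in the table above (not real log data).
SAMPLE_EVENTS = [
    AuditEvent("2026-04-14 09:14:22", "Eshal AI Agent", "Resolved shipment tracking query - AWB 1234567890", "WhatsApp", "Resolved"),
    AuditEvent("2026-04-14 09:16:05", "Eshal AI Agent", "Escalated to human - KYC document validation failed", "Web chat", "Escalated"),
    AuditEvent("2026-04-14 09:18:41", "Eshal AI Agent", "Action blocked - transfer AED 50,000 requires human approval", "WhatsApp", "Blocked"),
    AuditEvent("2026-04-14 09:21:03", "admin@bank.ae", 'Updated knowledge base: "Loan eligibility criteria 2026"', "Dashboard", "Admin"),
    AuditEvent("2026-04-14 09:24:17", "Eshal AI Agent", "Resolved balance query - Account **** 4412", "App", "Resolved"),
    AuditEvent("2026-04-14 09:27:58", "Eshal AI Agent", "Escalated to fraud team - suspicious transaction pattern", "WhatsApp", "Escalated"),
]


def _canonical(event: dict) -> bytes:
    # Fixed key order and separators so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def _entry_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(event)).hexdigest()


def build_chain(events: List[AuditEvent]) -> List[dict]:
    """Wrap each event with the hash of its predecessor and its own hash."""
    entries, prev = [], GENESIS
    for ev in events:
        event = asdict(ev)
        h = _entry_hash(prev, event)
        entries.append({"event": event, "prev_hash": prev, "hash": h})
        prev = h
    return entries


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev_hash"] != prev or e["hash"] != _entry_hash(prev, e["event"]):
            return False, i
        prev = e["hash"]
    # A chain alone cannot detect removal of the newest entries: compare the head against a
    # value recorded out of band (for example the last hash your SIEM ingested).
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def head_hash(entries: List[dict]) -> str:
    return entries[-1]["hash"] if entries else GENESIS


def export_jsonl(entries: List[dict]) -> str:
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries)


def clone_entries(entries: List[dict]) -> List[dict]:
    """Deep copy via JSON round trip, used to simulate an attacker editing an export."""
    return json.loads(json.dumps(entries))


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain, expected_head=head_hash(chain)))
    edited = clone_entries(chain)
    edited[2]["event"]["result"] = "Resolved"  # flip the blocked transfer to "Resolved"
    print("after edit:", verify_chain(edited))
    print(export_jsonl(chain).splitlines()[0])
```

Flipping the blocked AED 50,000 transfer to "Resolved" fails verification at entry 2; dropping that entry fails at the same index because entry 3 still names the original predecessor hash. Dropping the newest entry passes a bare chain check and is only caught when the head hash is supplied.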

Security questions? We'll answer every one.

Our security team will walk you through architecture, certifications, and data flows for your specific deployment. Penetration test reports and DPAs available for enterprise evaluations.