Security & trust

Property data deserves enterprise security. We start there.

Every PII field encrypted. Every write logged. Every byte resident in the GCC. Built so the largest UAE landlord can use it without losing sleep.

SOC 2: Roadmap · audit prep in motion

PII encryption: AES-256-GCM at rest

Data residency: AWS me-south-1 (Bahrain) default

Audit logging: Every write captured

UAE PDPL aware: Data subject rights as features

Penetration testing: Annual external test planned

How we protect personal data

Every PII field — Emirates ID, passport number, IBAN, salary, owner phone — is encrypted with AES-256-GCM before it ever touches the database. Encryption keys are managed in AWS KMS and never leave the cloud HSM.

Tenant-facing UIs only display the last four characters by default; a full read requires an additional auth challenge that is logged to the audit trail. Because the keys are held in KMS rather than in the database, a leak of the database alone would expose only ciphertext for these fields.
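The field-level scheme described above, sketched as an added example (not PropertyPad's code): AES-256-GCM per field, with the last-four display mask. Assumptions: a locally generated key stands in for a KMS data key, the nonce/tag/ciphertext storage layout and the names `encryptField`, `decryptField`, `maskLastFour` and the context fields are hypothetical, binding the record context as AAD is this example's choice, and the IBAN is a constructed sample.

```javascript
const crypto = require("node:crypto");

// Assumption: stand-in for a 256-bit data key issued by the KMS.
const dataKey = crypto.randomBytes(32);
const SAMPLE_IBAN = "AE070331234567890123456"; // constructed sample value
const sampleCtx = { workspaceId: "ws_demo", entityId: "tenant_42", field: "iban" };

// Serialise the record context as AAD (this example's choice) so a ciphertext
// copied into another workspace, row or column fails authentication.
function aadFor(ctx) {
  return Buffer.from(JSON.stringify([ctx.workspaceId, ctx.entityId, ctx.field]), "utf8");
}

function encryptField(key, plaintext, ctx) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aadFor(ctx));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Stored form (assumed layout): nonce || 16-byte tag || ciphertext, base64
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

function decryptField(key, stored, ctx) {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < 28) throw new Error("stored value too short");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAAD(aadFor(ctx));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws when the tag, ciphertext or AAD has been altered
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return pt.toString("utf8");
}

// Default display form: mask everything except the last four characters.
// Values of four characters or fewer are masked completely.
function maskLastFour(value) {
  const chars = Array.from(value);
  if (chars.length <= 4) return "*".repeat(chars.length);
  return "*".repeat(chars.length - 4) + chars.slice(-4).join("");
}

const stored = encryptField(dataKey, SAMPLE_IBAN, sampleCtx);
console.log(maskLastFour(decryptField(dataKey, stored, sampleCtx)));
```

Decrypting the stored value under a different `entityId` or `field` throws, which is what stops a ciphertext from being replayed into another record.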

Where your data lives

All production data is stored in the AWS me-south-1 region (Bahrain). Backups are encrypted, geo-replicated within the same region, and retained for 30 days.

On the Enterprise tier we can pin specific workspaces to AWS me-central-1 (UAE Dubai) on request, with no impact on platform features. This is offered to government and DLD-linked customers as part of the standard contract.

Audit log — every write, every time

Every create, update, or delete that touches a financial or tenancy record is logged with: userId, workspaceId, action, entityType, entityId, before/after snapshot, IP address, user-agent and timestamp.

Audit logs are append-only. They're retained for five years to comply with the UAE Commercial Companies Law commercial record retention requirements. You can export the full audit log of your workspace as JSON at any time, on any tier.

UAE PDPL data subject rights

Federal Decree-Law 45/2021 (UAE PDPL) sets out nine data subject rights — access, correction, deletion, portability, restriction, and more. PropertyPad surfaces these as platform features rather than ticket workflows.

A tenant can request a data export from their portal. A deletion request flows to a structured workflow, with financial records retained per the UAE Commercial Companies Law and PII redacted.

The team behind your data

PropertyPad is built and operated by a team based in Dubai. Access to customer data follows the principle of least privilege — production access is restricted to a small number of named engineers, with every access logged.

We do not sell or share customer data. We do not train AI models on customer data without explicit opt-in.

Need to dig deeper?

Request our security questionnaire pack.

Includes SIG Lite, CAIQ Lite, sub-processor list, recent pen-test summary and our incident response runbook. Sent within one business day to security@propertypad.ae verified domains.
