Governed private AI with reviewable evidence at every layer.
Iftah is built for enterprise review: encryption, RBAC, SSO, audit logging, network isolation, and AI-specific controls are ready today. Formal certifications are on the roadmap; customer-led security review is actively welcomed during procurement.
Where we stand today
- Architecture-level security in place — encryption, RBAC, SSO, audit
- ISO 27001 + SOC 2 Type II on active roadmap
- ISO 42001 (AI lifecycle and governance) planned after ISO 27001
- Customer-led penetration tests welcomed during procurement
Clear about certification status and review evidence.
We will not list certifications we do not hold. The platform is built with enterprise controls now; formal audits follow the company roadmap and customer procurement requirements.
ISO 27001
Information security management — on the active roadmap. Architecture controls in place; gap assessment and audit scheduling underway.
SOC 2 Type II
Trust services criteria for security, availability, and confidentiality. A Type I audit precedes the Type II observation window.
ISO 42001
AI management system. Planned to follow ISO 27001 completion. Maps to how the platform handles AI lifecycle, model governance, and accountability.
Customer-led review
We welcome customer penetration tests, security assessments, and architecture reviews during procurement. Threat models and architecture artifacts provided on request.
What's in place today, not on a roadmap.
These are the controls customers can review and validate during procurement — independent of certification status.
Encryption
AES-256 at rest. TLS 1.3 in transit. Standard cryptographic patterns inside the customer's environment.
Access control
Role-based access with fine-grained permissions. SSO via SAML 2.0 and OIDC. Customer-owned identity provider.
Audit logging
Every request, policy decision, model action, and admin event is audit-logged. Whether prompt and response content is captured follows the trace mode your team approves.
Network isolation
Namespace isolation, secrets management, network policies (ingress/egress), and air-gapped cluster support via standard Kubernetes.
Controls designed for AI threat models, not just web app risk.
Generic enterprise security is necessary but not sufficient for AI workloads. These controls are designed specifically for the AI attack surface.
Prompt injection defenses
Multi-layered detection at gateway and model layer. Configurable filtering, sanitization, and policy enforcement before model invocation.
Output filtering
PII redaction, content policy enforcement, topic restrictions, and configurable output guardrails — customer-defined, not Iftah-defined.
Configurable model output logging
Full trace, redacted trace, sampled trace, or metadata-only mode. Customer controls what's logged and where it's stored.
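To make the four trace modes and the customer-defined PII redaction above concrete, here is an added illustration of how a gateway could shape an audit record per mode. This is example code written for this page, not Iftah's implementation; the redaction patterns, the event fields, and the choice to keep full content for the sampled fraction are assumptions.

```python
import hashlib
import re

TRACE_MODES = ("full", "redacted", "sampled", "metadata-only")

# Constructed redaction rules for the demo; in a real deployment these are
# the customer's own definitions, not the platform's.
PII_PATTERNS = [
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\+?\d[\d -]{7,}\d"), "[PHONE]"),
]

def redact(text: str) -> str:
    """Replace each PII match with its label."""
    for pattern, label in PII_PATTERNS:
        text = pattern.sub(label, text)
    return text

def is_sampled(request_id: str, rate: float) -> bool:
    """Deterministic sampling keyed on the request id, so a reviewer can reproduce the decision."""
    bucket = int(hashlib.sha256(request_id.encode()).hexdigest()[:8], 16)
    return bucket / 0x1_0000_0000 < rate

def build_audit_record(event: dict, mode: str, sample_rate: float = 0.1) -> dict:
    """Metadata (who, when, which model, policy outcome) is always kept; content only as the mode allows."""
    if mode not in TRACE_MODES:
        raise ValueError(f"unknown trace mode: {mode}")  # fail closed: never log content by accident
    record = {k: event[k] for k in ("request_id", "timestamp", "identity", "model", "policy_outcome")}
    record["trace_mode"] = mode
    if mode == "metadata-only":
        return record
    if mode == "sampled" and not is_sampled(event["request_id"], sample_rate):
        return record
    scrub = redact if mode == "redacted" else (lambda s: s)  # assumption: sampled keeps full content
    record["prompt"] = scrub(event["prompt"])
    record["response"] = scrub(event["response"])
    return record

def sample_event() -> dict:
    """Constructed gateway event for the demo (not real traffic)."""
    return {
        "request_id": "req-0001", "timestamp": "2024-01-01T00:00:00Z",
        "identity": "user:alice", "model": "demo-model", "policy_outcome": "allow",
        "prompt": "Contact me at alice@example.com or +971 50 123 4567.",
        "response": "Noted.",
    }
```

Run `build_audit_record(sample_event(), mode)` for each mode to compare what reaches the log store under each setting.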
Data poisoning detection
Validation pipelines for fine-tuning datasets. Anomaly detection and provenance tracking for training data inside the customer's perimeter.
Architecture designed to support the regulations you're accountable to.
We do not claim certified compliance with regional regimes — compliance is the data controller's obligation. The deployment model gives customers controls and evidence for reviews against UAE PDPL, Saudi PDPL, DIFC, ADGM, Qatar data protection expectations, and financial-sector security expectations.
Data residency controls
Customer-selected region and provider. You control what data exits the perimeter — all exports require explicit customer approval.
Audit-ready logging
Requests, policy decisions, model actions, and admin events are logged with timestamp, identity, and policy outcome.
Access governance
Identity-bound permissions, service account isolation, and reviewable access patterns mapped to regulator expectations.