Security Policy

Last updated: November 2025

Waafir Security and Trust Center

At Waafir, we understand that the confidentiality and integrity of your deal data are paramount. Our institutional-quality Virtual Data Room (VDR) is built on a foundation of robust security architecture and transparent operational policies, ensuring your most sensitive information is protected at every stage.

1. Security Architecture and Controls (Technical and Organisational Measures, TOMs)

Our entire platform is hosted on Amazon Web Services (AWS), leveraging their world-class infrastructure to maintain the highest standards of security, availability, and resilience.

Data Protection and Encryption

  • Encryption In Transit: All data transmitted between your device and the Waafir platform is secured using industry-standard TLS 1.2+ encryption.
  • Encryption At Rest: All customer data, including documents and database entries, is stored using encrypted storage on S3 and other AWS services.
  • Data Perimeter: Our entire stack operates within a defined AWS Virtual Private Cloud (VPC), ensuring a strict data perimeter and minimizing external exposure.

Access Control and Authentication

  • Multi-Factor Authentication (MFA): MFA is required for all Waafir administrative access and is strongly recommended for all users.
  • Role-Based Access Control (RBAC): We enforce strict RBAC with full granularity, so each user holds only the minimum access their role requires (principle of least privilege).
  • SSO Integration: Single Sign-On (SSO) integration (e.g., Google Auth) is available so your users can authenticate through your existing identity provider.
  • Internal Access: Access to client data by Waafir employees is strictly logged, requires explicit approval for support or security purposes, and is governed by our internal Access Control Policy.

Accountability and Auditing

  • Comprehensive Audit Logs: All user and administrative access and activity within the VDR are tracked via comprehensive audit logs, providing an immutable record for compliance and forensic analysis.
  • Dynamic Watermarking: Documents are protected with dynamic watermarking to deter unauthorized sharing and aid in forensic tracking should a breach occur outside the platform.

2. Incident Response and Transparency

We maintain a formal Incident Response Policy to ensure rapid detection, containment, and recovery from any security event.

Incident Response Lifecycle

Our process follows a structured, five-step lifecycle:

  1. Identification: Immediate detection and reporting of any event that threatens the confidentiality, integrity, or availability of Waafir systems or data.
  2. Containment: Limiting the impact of the incident (e.g., disabling compromised accounts, isolating affected systems).
  3. Eradication: Removing the threat from the environment (e.g., malware cleanup, patching vulnerabilities).
  4. Recovery: Restoring systems and services to normal operation.
  5. Post-Incident Review: Documenting the event, analyzing the root cause, and implementing improvements to prevent recurrence.

Notification and Compliance

  • Notification Commitment: If user data is compromised, Waafir will notify affected users and regulators without undue delay, consistent with the needs of law enforcement and applicable global regulations (e.g., UAE law, GDPR, CCPA).
  • Testing: Our Incident Response Plan is formally tested and reviewed at least annually.

3. Compliance and Certifications

We are committed to continuous improvement and validation of our security posture.

  • SOC 2: Waafir is actively working towards SOC 2 certification to provide independent assurance of our controls relevant to security, availability, processing integrity, confidentiality, and privacy.
  • Data Processing Agreement (DPA): For customers requiring a formal DPA for regulatory compliance (e.g., GDPR, CCPA), a separate agreement is available upon request.

For more detailed information on our security and data handling practices, please refer to our Terms and Conditions and Privacy Policy. Any further questions may be directed to support@waafir.io.