
Trust Center
📅 Last reviewed: February 2026
Transparency into how WeSoar protects your data, meets compliance requirements, and maintains enterprise-grade security across every deployment model.
Security Controls by Deployment Model
Every WeSoar deployment — SaaS, private cloud, on-premises, or air-gapped — implements defense-in-depth security. Controls scale based on your deployment model and regulatory requirements.
| Control Domain | SaaS | Private Cloud | On-Premises | Air-Gapped |
|---|---|---|---|---|
| Encryption at rest (AES-256) | ✓ | ✓ | ✓ | ✓ |
| Encryption in transit (TLS 1.3) | ✓ | ✓ | ✓ | ✓ |
| Customer-managed encryption keys | — | ✓ | ✓ | ✓ |
| SSO (SAML 2.0 / OIDC) | ✓ | ✓ | ✓ | ✓ |
| RBAC with audit logging | ✓ | ✓ | ✓ | ✓ |
| SIEM integration | API | ✓ | ✓ | ✓ |
| Penetration testing (annual) | ✓ | ✓ | Customer-led | Customer-led |
| Data Loss Prevention (DLP) | Built-in | Built-in + custom | Customer DLP | Customer DLP |
Compliance & Certifications
WeSoar maintains compliance with international and regional standards relevant to regulated industries in the GCC, Europe, and North America.
ISO 27001:2022 — Information security management system covering all WeSoar operations, development, and hosting environments.
SOC 2 Type II — Annual audit covering security, availability, and confidentiality trust service criteria for the SaaS platform.
SAMA Cybersecurity Framework — Controls mapping available for Saudi financial institutions. WeSoar supports SAMA CSF domains including asset management, access control, and third-party security.
CBUAE Information Security Standards — Alignment documentation available for UAE financial institutions.
GDPR — Data processing agreement available. Privacy-by-design principles embedded in product architecture.
PDPL (Saudi Arabia) — WeSoar on-premises deployment ensures full PDPL compliance through in-Kingdom data residency.
Identity & Access Management
WeSoar implements enterprise-grade identity and access controls across all deployment models.
Single Sign-On: SAML 2.0 and OpenID Connect (OIDC) with support for Azure AD, Okta, OneLogin, PingFederate, and ADFS.
Role-Based Access Control: Granular RBAC with organization hierarchy-aware permissions. Configurable role templates for HR Admin, HR Business Partner, Manager, Employee, and Executive.
Multi-Factor Authentication: MFA enforcement available for all user types. Compatible with TOTP authenticators and hardware security keys.
Audit Trail: Immutable audit log of all user actions, data access, configuration changes, and AI interactions. Exportable to customer SIEM via syslog or API.
Incident Response & Vulnerability Management
Vulnerability Disclosure: WeSoar operates a responsible disclosure program. Security researchers can report vulnerabilities via our vulnerability reporting page.
Incident Response SLA: Critical incidents (P1) acknowledged within 1 hour, updates every 2 hours, root cause analysis within 5 business days. Severity-based escalation matrix available in the enterprise support agreement.
Patch Management: Critical security patches deployed within 24 hours for SaaS. On-premises customers receive emergency patch packages within 48 hours of CVE disclosure.
Business Continuity & Disaster Recovery
SaaS RTO: 4 hours. RPO: 1 hour. Multi-AZ architecture with automated failover.
Private Cloud: RTO/RPO aligned to customer SLA. Cross-region replication available.
On-Premises: DR architecture guidance provided. WeSoar supports active-passive and active-active deployment topologies.
Backup: Automated daily backups with 30-day retention (SaaS/Private Cloud). On-premises backup integration with customer backup infrastructure.
Subprocessor List
WeSoar SaaS uses a limited number of subprocessors for infrastructure and operational support. On-premises deployments have zero subprocessor dependencies.
Current subprocessors (SaaS): AWS (infrastructure hosting, EU-West-1 and ME-South-1 regions), Cloudflare (CDN and DDoS protection), Datadog (infrastructure monitoring — no PII), and SendGrid (transactional email). Full subprocessor list with data processing locations available upon request.
Frequently Asked Questions
What security certifications does WeSoar hold?
ISO 27001:2022, SOC 2 Type II, with alignment documentation for SAMA CSF, CBUAE Information Security Standards, GDPR, and Saudi PDPL.
What is WeSoar's incident response SLA?
Critical incidents are acknowledged within 1 hour, with updates every 2 hours and root cause analysis within 5 business days. The severity-based escalation matrix is included in the enterprise support agreement.
Does WeSoar support SSO?
Yes. SAML 2.0 and OpenID Connect with support for Azure AD, Okta, OneLogin, PingFederate, and ADFS across all deployment models.
What are WeSoar's RTO and RPO targets?
SaaS: RTO 4 hours, RPO 1 hour with multi-AZ architecture. Private cloud and on-premises RTO/RPO aligned to customer SLA requirements.
