Security & Data Residency
For MENA enterprise clients: FraudSense supports UAE sovereign cloud deployment on AWS UAE region, Saudi deployment on AWS Riyadh, and fully on-premise deployment within your own infrastructure. Contact us to discuss your requirements.
Platform Security
Encryption in Transit
All API communication is encrypted using TLS 1.3. HTTP connections are rejected. Certificate pinning is supported for enterprise deployments.
Encryption at Rest
All database data is encrypted at rest using AES-256. Backups are encrypted with the same standard.
API Key Security
API keys are generated using cryptographically secure random UUIDs. Keys are stored as hashed values. Compromised keys can be revoked instantly.
Authentication
JWT tokens with 7-day expiry. Passwords hashed with bcrypt at cost factor 12. Email verification required before account activation.
Rate Limiting
All endpoints are rate limited at 1,000 requests per 15 minutes per IP. Replay attack detection blocks session token reuse within 60 seconds.
Audit Logging
Every API call is logged with timestamp, endpoint, risk score, and response time. Logs are retained for 24 months for audit purposes.
Data Residency Options
We understand that MENA banks and fintechs operate under strict data localization requirements. FraudSense offers three deployment models:
| Option | Data Location | Setup | Best For |
|---|---|---|---|
| Shared Cloud (Default) | US / EU (Railway) | Instant | Developers and startups |
| UAE Sovereign Cloud (Available) | AWS UAE (me-central-1) or Azure UAE North | 1–2 weeks | UAE banks: PDPL compliance |
| Saudi Sovereign Cloud (Available) | AWS Riyadh (me-south-1) | 1–2 weeks | Saudi banks: SAMA compliance |
| On-Premise (Enterprise) | Your own infrastructure | 2–4 weeks | Tier 1 banks: full data control |
UAE Sovereign Cloud
FraudSense can be deployed exclusively on AWS Middle East (UAE) region or Azure UAE North. All data (device intelligence signals, risk scores, session history, and client accounts) is processed and stored within UAE borders. This deployment satisfies CBUAE and UAE PDPL requirements for cloud outsourcing.
On-Premise Deployment
For banks requiring maximum data control, FraudSense is available as a Docker-based on-premise deployment. The entire platform (API, scoring engine, and database) runs within your own data center or private cloud. No data leaves your network. FraudSense provides the software license, deployment support, and ongoing updates.
Compliance
What data does FraudSense collect?
FraudSense collects device intelligence signals, not personal identity data. Specifically:
- Device fingerprint (SHA-256 hash; cannot be reversed to a person)
- Device model, OS version, environment signals
- Network type and IP address
- GPS coordinates (if your app has location permission)
- Behavioral signals (touch patterns, typing speed)
- Battery and sensor readings
FraudSense does not collect names, national IDs, passport numbers, financial account numbers, or any biometric data.
Third-party subprocessors
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Railway | Cloud hosting and PostgreSQL database | US / EU |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing | US |
| ip-api.com | IP geolocation (IP address only) | EU |
For sovereign cloud or on-premise deployments, subprocessors are replaced with equivalents within your chosen jurisdiction.
Vulnerability disclosure
If you discover a security vulnerability in the FraudSense platform, please report it responsibly to support@getfraudsense.com. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.
Contact
For security or compliance inquiries: support@getfraudsense.com
For enterprise data residency discussions: support@getfraudsense.com