Security & data

Procurement-grade security and data handling.

The same posture that ministry, advisory, and finance teams sign off on — built into every Rawia workspace from day one.

Trust posture · Phase 5
Two deployment models

Public cloud, or your own.

Public cloud

Multi-tenant SaaS hosted in our AWS region (me-central-1, UAE; KSA region-pinning available). Procurement-grade controls — encryption, SSO, audit logs, role-based access — applied uniformly across tenants.

Enterprise · private cloud

Rawia deployed inside your own AWS account. Your VPC, your KMS keys, your CloudTrail. Data never leaves your environment — not by transit, not by replication, not by support access. The strongest possible answer to data-residency requirements.

Data handling

Your content, your control.

No-training

Customer Content is never used to train foundation models. We cascade this requirement to our commercial LLM endpoint providers — your content is not used to train their models either.

Encryption

TLS 1.2+ in transit. AES-256 at rest. Per-customer S3 prefixes with isolated IAM scopes. Enterprise: keys you control via your own KMS.

Data residency

Enterprise — Rawia runs in your AWS account; data never leaves your environment. Public — AWS me-central-1 (UAE) by default, with KSA region-pinning available.

Retention by data class

Uploaded documents: 30 days post-job. Deliverables: contract duration + 30-day grace. Operational logs: 24 months. Billing records: 10 years (longest statutory floor across France, Italy, Germany, KSA). GDPR erasure: content deleted; billing records pseudonymized. Deletion requests: in-app delete or privacy@mzx.ai.

Access controls

Who sees what, and when.

Public cloud

SSO

SAML 2.0 / OIDC on Enterprise plan. Cognito-backed for self-serve workspaces.

Audit logs

Admin actions and data access logged with timestamps and user identity. Exportable on Enterprise.

Roles

Read / Edit / Admin per workspace. Per-user invite and revoke from the portal.

Enterprise · private cloud

Zero MZX human access

Rawia runs inside your AWS account. No MZX employee can read your data — your IAM and your CloudTrail govern every access. Only machines in your environment process content. Bedrock model invocations stay inside your account and are not logged on our side.

Sub-processors

Who touches your data.

Foundation models

Request-time only — your content is forwarded to provider APIs to fulfil a single generation, never stored on the provider side beyond their own logging windows. On Enterprise (private cloud), models are invoked via AWS Bedrock inside your account — providers are not MZX sub-processors in that mode.

OpenAI · Anthropic · AWS Bedrock · Google Cloud Vertex AI · Perplexity · Mistral.

Infrastructure

AWS — compute, storage (S3), email (SES), and email validation. All hosted in our designated region with per-customer IAM scoping.

Billing

Stripe — subscription and top-up billing. Stripe never sees Customer Content; only billing identifiers and amounts.

Full list and roles: see Privacy Policy §6.

Compliance

Compliance posture.

GDPR / UK GDPR aligned
UAE PDPL aligned
KSA PDPL aligned
SOC 2 in progress
Procurement

Need a custom DPA, on-prem deployment, or region-pinning?