Data Security & Compliance Statement

Data Security & Compliance

At Abzer DMCC, the security and integrity of data processed through the FatooraOnline® Platform (“Platform”) are fundamental to how we design and operate our services. This statement outlines our commitment to robust security, compliance, and privacy practices that protect our customers and meet regulatory expectations — particularly those of the Zakat, Tax and Customs Authority (ZATCA) and the Saudi Arabia Personal Data Protection Law (PDPL). This statement is for informational purposes only and does not form part of any contract or create enforceable obligations.

This Statement describes Abzer’s security and compliance commitments for the FatooraOnline Platform, including governance, hosting, encryption, detection, privacy alignment with PDPL, and sub-processor oversight. It is descriptive and informational only.

Abzer operates a formal Information Security Management System (ISMS) aligned with ISO/IEC 27001. Security policies and controls are reviewed regularly and audited internally. Responsibility for data protection is embedded across business units and overseen by a dedicated Information Security & Compliance function. All employees and contractors receive mandatory training on confidentiality, data handling, and cybersecurity awareness.

FatooraOnline is deployed on Oracle Cloud Infrastructure (OCI) within certified data centers in the Kingdom of Saudi Arabia. All production data — including invoices, configurations, and archives — is processed and stored exclusively within KSA in accordance with NDMO data localization principles. Infrastructure is designed for redundancy and availability across multiple availability domains. No permanent data storage or backup occurs outside the Kingdom. Temporary encrypted transfers may occur only for incident investigation or disaster recovery, under strict authorization and PDPL-compliant safeguards.

Abzer applies defense-in-depth measures: AES-256 encryption for data at rest and TLS 1.3 for data in transit. Access is controlled via role-based access control (RBAC), multi-factor authentication (MFA), and least-privilege principles. All access and administrative actions are logged and periodically reviewed to detect anomalies or unauthorized activity.

The Platform uses a segmented, firewall-protected network architecture monitored by intrusion detection and prevention systems. OCI native security tools (Vulnerability Scanning Service, Security Zones) support system integrity. Inbound and outbound traffic is subject to access control and continuous monitoring. Regular penetration tests and vulnerability assessments are conducted internally and by independent security professionals.

Abzer follows secure software development lifecycle (SDLC) practices. Source code undergoes peer review, automated static analysis, and secure build pipelines before deployment. Patches and updates are released on a controlled schedule. Multi-environment segregation ensures development and test environments cannot access live production data.

Abzer operates as a Data Processor under Saudi Arabia’s PDPL, processing data only under the documented instructions of the Merchant (the Data Controller). Practices align with PDPL principles of purpose limitation, data minimization, and security. FatooraOnline supports Merchant compliance with ZATCA Phase 2 e-invoicing requirements, including generation and clearance of structured XML and PDF/A-3 invoices.

Abzer aligns controls with international frameworks including ISO 27001:2013, SOC 2 (Type I/II), NDMO standards, and ZATCA e-invoicing requirements. This alignment is descriptive of practices and does not itself guarantee third-party audit scope or certification.

The architecture is designed with high availability and redundancy to minimize disruption. Data is backed up daily, encrypted, and replicated within KSA availability domains. Disaster recovery procedures are in place and tested periodically. Specific RTO/RPO figures are operational targets and not contractual guarantees.

Abzer maintains an incident-response process for detection, assessment, containment, and recovery. In a verified incident, Abzer acts in accordance with applicable law and internal procedures to mitigate impact and restore service. Notifications to Merchants or regulators will occur where required by law after verification and assessment. Incidents are logged, reviewed, and used to improve defenses.

Sub-processors and partners are evaluated for compliance with Abzer’s security and privacy standards prior to onboarding. Written agreements require confidentiality, data protection, and PDPL-equivalent controls. Abzer maintains a list of sub-processors that may be shared upon request subject to confidentiality provisions.

Merchants share responsibility for secure use: implement strong access controls, protect credentials, ensure invoice data is accurate and lawful, and promptly notify Abzer of suspected security concerns. Security and compliance are shared responsibilities between the Merchant (data owner) and Abzer (service provider).

Abzer continuously reviews and enhances security, compliance, and privacy programs via internal audits, management reviews, and technology updates. Feedback and collaboration from Merchants are welcomed to improve overall resilience.

This statement is provided for transparency and information only. It does not create any warranty, representation, or contractual obligation on Abzer’s part, nor does it extend to third-party systems. All commitments related to services or performance are governed exclusively by the FatooraOnline Terms of Service.

This Statement and any related matter are governed by the laws of the Kingdom of Saudi Arabia, and the competent courts of Riyadh shall have exclusive jurisdiction.

For inquiries regarding security or compliance, please contact:

Security & Compliance Office – Abzer DMCC
Email: security@abzer.com | compliance@abzer.com