Security & Compliance

Built for Saudi businesses — compliant, secure, and reliable.

Data Security & Hosting

Secure Cloud Infrastructure

FatooraOnline runs on Oracle Cloud Infrastructure in Jeddah to keep your invoice data inside the Kingdom. Our stack follows national guidance and is engineered to stay available during peak periods.

Hosted in KSA on Oracle Cloud Infrastructure (OCI, Jeddah) 🇸🇦

Aligned with NDMO data governance & CST (formerly CITC) security guidance

High-availability architecture targeting 99.95% monthly uptime

Modern encryption: TLS 1.3 in transit, AES-256 at rest; strict key governance

Multi-Layer Protection

Threats are mitigated at the edge and at runtime with layered controls and continuous monitoring.

Web Application Firewall (WAF), DDoS controls & intelligent rate limiting

Real-time threat detection, alerting, and operational dashboards

Isolated dev / staging / production with least-privilege access

Secure secrets & key management; change control & traceability

ZATCA Compliance & Regulatory Alignment

As a ZATCA Phase-2 Qualified Solution Provider, we implement clearance and archival requirements end-to-end, so finance teams can issue invoices with confidence.

Supports Standard & Simplified invoices (UBL/XML with UUID)

Real-time clearance via Fatoora with resilient retry & queuing

QR code & cryptographic stamp applied post-clearance

Hash chaining across sequences for tamper evidence

Audit-ready archival: PDF/A-3 with embedded XML, retained 9 years

Device & Branch Controls

Operate safely across multiple entities and locations with clear accountability.

Device binding & UUID management for registered devices

VAT branch assignment & multi-entity support

Comprehensive audit trail for issuance, edits, approvals & voids

Operational Reliability & Observability

Built-in resilience ensures steady throughput even during transient network or platform events.

Automated retries & back-pressure queues for transient failures

Health dashboards & error tracking with root-cause insights

Exportable logs & clearance traces for investigations

Access Controls & Authentication

Granular RBAC & Approvals

Enforce least-privilege access across entities, branches, and functions with configurable approval flows that match your internal policies.

Fine-grained permissions for creation, review, approval & posting

Segregation of duties and time-bound scoped access

Centralized policy management with audit-ready evidence

Strong Authentication

Strengthen user access with modern authentication and session controls.

MFA (OTP / authenticator apps) and SSO integration

Hardened password policies & session management

IP allow-listing and contextual access checks (where required)

User Activity & Auditability

Every critical action is captured with the context you need for reviews and audits.

Logs for logins, issuance, edits, approvals & deletions

Searchable by user, action and time; export-ready for audits

Certifications, Backups & Audit Readiness

Certifications & Governance

Our management systems and privacy practices support consistent quality and regulatory confidence.

ISO 27001 (ISMS) — information security management

ISO 9001 — quality management

PDPL-aligned privacy practices; GDPR-aligned where applicable

Backups & Continuity

Your data is backed up and recoverable with regular testing and clear targets.

Daily encrypted backups with 30-day retention (configurable)

Periodic restore tests; documented RTO/RPO targets

Disaster-recovery drills and runbooks for critical services

Audit-Ready Evidencing

Make reviews straightforward with clear records and scoped access for auditors.

Comprehensive audit logs & approval trails

Export-ready clearance and payment records

Time-bound, role-scoped access for external auditors