Security & data residency
Built for tax documents.
Your invoices are regulated business records under UAE Federal Decree-Law No. 28 of 2022. We treat them that way — encrypted before they land in storage, kept in a UAE region you can point to on a map, and exportable on request.
Your invoices are encrypted — end‑to‑end.
ScanVAT holds tax documents. We treat them that way. Every file is encrypted the moment it arrives and stored in a UAE region you can point to on a map.
Encrypted at rest
Every invoice you upload is encrypted with AES-256 the moment it lands in storage.
Encrypted in transit
TLS 1.2+ on every request between your phone, your accountant’s browser, and our API.
Stored in the UAE
Your invoices live in AWS me-central-1 (Dubai) — never leaving the country.
Only you can read your data
Storage is private. Access goes through short-lived signed links scoped to your account.
AES‑256 encryption at rest (AWS S3 SSE) · TLS 1.2+ in transit · AWS me‑central‑1 (Dubai) · Aligned with UAE Ministerial Decision No. 243 of 2025 on data residency.
Specifics
The technical detail, on the record.
Encryption at rest
Every invoice photo, PDF, and report you upload is encrypted with AES-256 (SSE-S3) the moment it lands in storage. Logos, attachments, and audit-pack exports use the same encryption. Decryption keys are managed by AWS KMS inside the same UAE region.
Encryption in transit
All traffic — from your phone, your accountant's browser, our API, and our storage — uses TLS 1.2 or higher. We do not accept unencrypted connections. Certificates are issued by Let's Encrypt and AWS ACM and renewed automatically.
Data residency in the UAE
Invoice scans, OCR results, and Form 201 exports are stored exclusively in AWS me-central-1 (Dubai). This aligns ScanVAT with UAE Ministerial Decision No. 243 of 2025 on tax-document residency and the five-year retention requirement under Federal Decree-Law No. 28 of 2022, Article 78. We do not replicate to other AWS regions.
Full audit trail
Every action — every invoice scanned, every Form 201 export, every login — is logged with a timestamp and user ID. Audit trails are exportable on request for FTA inspection. Logs are written in append-only mode and retained for the full five-year compliance window.
You can export everything, anytime
From Profile → Export data in the mobile app or portal, you can download every invoice (image + structured JSON), every Form 201 export, and the full audit log as a single ZIP. No support ticket required, no waiting.
Right to delete
Delete your account from the app or write to us at hello@scanvat.app. We honour deletion requests within 14 days. Retention exceptions: invoice records subject to the UAE's five-year tax-archive requirement are retained until the legal window closes, then purged automatically.
For deeper technical due diligence
We don't yet publish a SOC 2 Type II or ISO 27001 certificate (we're a young product) — but we're happy to share our internal security posture, infrastructure diagrams, and penetration test results under NDA with any prospective business customer who asks. Email security@scanvat.app.
Report a vulnerability: security@scanvat.app. We'll acknowledge within 48 hours. Responsible disclosures are credited (with your permission) in a public hall of fame.