NeuralHR.AI Trust Center — Security, Privacy, Compliance
Employee data is the most sensitive data your business holds. This page documents how NeuralHR.AI protects it — security posture, third-party audits, encryption, sub-processors, regional data-protection alignment (UAE PDPL, Saudi PDPL, India DPDP Act 2023, GDPR), incident response, and the questions HR / security / IT teams ask during procurement.
Security & compliance posture
SOC 2 Type II
Annual SOC 2 Type II audit completed for the 2025–2026 cycle. Full report available under NDA on request to Growth + Enterprise prospects.
ISO 27001
ISO 27001 certification on roadmap for 2026 Q4. Information-security management system aligned with ISO 27001 controls today; formal certification audit planned.
Encryption
TLS 1.2+ in transit. AES-256 at rest. Database backups encrypted. Cloud KMS key management with HSM-backed keys for Enterprise customers.
Pen testing
Third-party penetration test annually + after major releases. Most recent: 2026 Q1 by an independent UAE-based security firm. Summary report available on request.
UAE PDPL
DPA template aligned with UAE Personal Data Protection Law. Optional UAE data residency on Enterprise tier. Breach notification per the 72-hour PDPL requirement.
GDPR
GDPR-aligned DPA with EU model clauses for cross-border data transfers. EU data subject rights workflows (access, rectification, erasure, portability) built into the platform.
India DPDP Act 2023
DPA template aligned with India Digital Personal Data Protection Act 2023. Data-principal rights workflows (access, correction, erasure). Optional India data residency on Enterprise tier.
Saudi PDPL
DPA aligned with Saudi Personal Data Protection Law. Optional KSA data residency on Enterprise tier.
Sub-processors
Third parties that process customer employee data on NeuralHR.AI's behalf. Each sub-processor is contractually bound by a DPA and named in customer DPAs. Material changes are notified at least 30 days in advance.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Primary cloud hosting (compute, storage, networking) | ME (Bahrain) for GCC; ap-south-1 (Mumbai) for India; eu-west-1 for fallback |
| Cloudflare | CDN + DDoS protection + DNS | Global edge |
| PostgreSQL (RDS-managed) | Primary OLTP database | Same region as customer tenant |
| SendGrid (Twilio) | Transactional email (verification, alerts, payslips) | US (with SCC for non-US data) |
| Twilio | SMS + WhatsApp Business notifications | Regional routing per customer's number |
| Sentry | Error tracking + performance monitoring | EU (Frankfurt) |
| Datadog | Infrastructure monitoring + log aggregation | EU (Frankfurt) |
| Stripe | Subscription billing and card processing | EU + US per customer billing entity |
| Google Cloud (Vertex AI) | AI co-worker model inference (where Anthropic / OpenAI not used) | Per-tenant region |
| Anthropic | Claude model inference for AI co-workers | US (with DPA) |
| OpenAI | GPT model inference for select AI workflows | US (with DPA) |
Incident response SLAs
| Severity | Acknowledge | Remediate | Notify customers / regulators |
|---|---|---|---|
| Critical (data breach / extended outage) | ≤ 1 hour | ≤ 4 hours | ≤ 72 hours per UAE PDPL / GDPR |
| High (single tenant impact) | ≤ 2 hours | ≤ 8 hours | Within 7 days |
| Medium (degraded service) | ≤ 4 hours | ≤ 24 hours | On request |
| Low (cosmetic / minor) | ≤ 1 business day | Next release cycle | On request |
24/7 named on-call rotation. Status page at status.neuralhr.ai (when live). Customer + regulator notification per UAE PDPL (72 hours), GDPR (72 hours), India DPDP Act timelines.
Documents available to customers
- SOC 2 Type II report (under NDA, on request)
- Standard security questionnaire response (SIG Lite / CAIQ / custom — within 5 working days)
- Penetration test summary (most recent, on request)
- DPA templates per region (UAE PDPL, Saudi PDPL, India DPDP, GDPR)
- Sub-processor list (this page, plus contractual notification of changes 30 days ahead)
- Incident response policy (on request)
- Business continuity / disaster recovery plan summary (on request)
Email contact@neuralhr.ai with subject “Security pack request” and we'll send the available documents under NDA where required, typically within 5 working days.
Frequently asked questions
Is NeuralHR.AI SOC 2 compliant?
Yes — SOC 2 Type II audit completed for the 2025–2026 cycle. The full report is available under NDA on request to Growth and Enterprise prospects. Email contact@neuralhr.ai with subject “SOC 2 request”.
Where is my employee data stored?
Default: ME (Bahrain) AWS region for GCC customers, ap-south-1 (Mumbai) for India. Enterprise customers can choose UAE residency (in-country hosting partner), KSA residency (in-country hosting partner) or India residency (Mumbai). Data per entity stays in its chosen region; group-level analytics aggregate without moving employee PII across regions.
How is data encrypted?
TLS 1.2+ in transit (TLS 1.3 by default with 1.2 fallback). AES-256 at rest. Database backups encrypted. Cloud KMS key management; HSM-backed keys available for Enterprise customers.
Who can access my data?
On the customer side: only users with role-based access you grant. Five default roles (admin, HR manager, manager, employee, finance) plus custom roles on Enterprise. On the NeuralHR.AI side: production access is limited to a small on-call SRE team with named-account audit logging; customer support cannot access PII without explicit customer consent.
Do you have a Data Processing Agreement (DPA)?
Yes. DPA templates aligned with UAE PDPL, Saudi PDPL, India DPDP Act 2023, GDPR (with EU model clauses for cross-border transfers). Standard DPA available for self-serve download by Growth + Enterprise customers; bespoke amendments negotiable for enterprise procurement.
What happens to my data if I cancel?
Data export available anytime via UI / API in standard CSV format. After subscription cancellation, data is retained for 90 days for audit / re-activation, then permanently deleted from production systems and backups within a further 30 days (total 120 days).
How do you handle a data breach?
24/7 incident response with named on-call rotation. Critical incidents (data breach / extended outage) acknowledged within 1 hour, remediation within 4 hours, customer + regulator notification within 72 hours per UAE PDPL / GDPR requirements. Full incident-response policy available on request.
Do you support SSO and MFA?
Yes. SAML 2.0 SSO with Google Workspace, Microsoft Entra ID, Okta, Auth0, OneLogin, JumpCloud. OIDC supported. SCIM 2.0 user provisioning. MFA via TOTP (Google Authenticator, 1Password, Authy) or platform-level (Google / Microsoft). MFA mandatory on Enterprise tier.
What's your audit-trail retention?
All system actions (employee data access, payroll runs, salary changes, deletions, role changes, login events) timestamped and retained for 7 years per India DPDP Act and UAE PDPL audit requirements. Customer-accessible via UI on Growth + Enterprise tiers, via API on Enterprise.
Can I get the security questionnaire response?
Yes. The standard security questionnaire response (SIG Lite, CAIQ, custom) is available within 5 working days of request to Growth + Enterprise prospects. Email contact@neuralhr.ai with subject “Security questionnaire”.
Want the full security pack before procurement?
Email contact@neuralhr.ai with subject “Security pack request”. SOC 2 + pen-test summary + DPA + sub-processor list typically delivered within 5 working days under NDA.