Enterprise-Grade Protection for Every Connection.

EngageX is built with a privacy-first, security-by-design architecture that protects event data, attendee information, and business interactions across every stage of the event lifecycle.

From identity and access control to encryption, consent management, and secure infrastructure — EngageX gives organisers and participants the confidence to connect securely.

GDPR · EU compliant
DIFC DPL · Dubai compliant
UAE PDPL · UAE compliant
AES-256 at rest · TLS 1.3 in transit
Network Security

Protecting the platform through continuous monitoring, secure access controls, and infrastructure-level safeguards designed to prevent unauthorized access.

Vulnerability scanning
Access control
Secure vendor ecosystem
Data Security

Safeguarding data at rest and in transit with strong encryption, secure hosting practices, and structured privacy controls across the platform.

AES-256 encryption
Secure cloud hosting
GDPR-aligned processing
Operational Security

Embedding security into day-to-day operations through controlled processes, staff awareness, risk management, and rapid incident response readiness.

Security training
Internal controls
Incident response readiness
Privacy-First Architecture
Role-Based Access Control
Consent Management
Encrypted Data Flows
Audit-Friendly Workflows
Secure Authentication

Built for three regulatory regimes at once

EngageX is operated by a DIFC-registered entity and designed to comply with all three frameworks in parallel. Where obligations overlap, the most stringent standard wins by default.

DIFC Data Protection Law 2020
Primary applicable law. Registered with the DIFC Commissioner of Data Protection. 30-day data-subject-rights SLA. 72-hour breach notification. DPO-led compliance programme.
UAE Personal Data Protection Law
Federal Law No. 45/2021. Explicit, specific, withdrawable consent. Special-data controls for portrait photographs. Data-residency-aware architecture.
EU General Data Protection Regulation
Applied by default across all users. DPIA for AI matchmaking. Standard Contractual Clauses for EU→DIFC and onward US transfers. Match explanations satisfy Article 22.
SOC 2 Type II and ISO 27001 certification programmes are on the roadmap — current status available on request.

The enterprise security posture, in detail

Everything procurement asks on day one — written out plainly, with the specific mechanisms we run.

Identity & Access

MFA mandatory. 11 roles. Least privilege, everywhere.

Every user account requires multi-factor authentication. JWT access tokens expire every 15 minutes; refresh tokens rotate on a 30-day rolling window and live in HTTP-only, Secure, SameSite cookies. Failed logins trigger exponential backoff and lock the account after 10 attempts.

  • MFA mandatory · all accounts, all roles
  • JWT 15-min access · 30-day rotating refresh
  • 11 roles · fine-grained RBAC at NestJS guard layer
  • Google + LinkedIn OAuth · SAML/Okta on roadmap
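The failed-login policy described above, as an added TypeScript illustration rather than EngageX's own NestJS code: consecutive failures double the wait and the tenth failure locks the account. The class name, the 1 s base delay and the injectable clock are assumptions; only the 10-attempt lockout comes from the page.

```typescript
// Added example (not EngageX's code): failed-login throttling with exponential
// backoff and a hard lock after 10 failures, as the page describes.
// Assumptions: 1 s base delay that doubles per failure, and an injectable clock.

interface AttemptState {
  failures: number;   // consecutive failed logins since the last success
  notBefore: number;  // epoch ms before which another attempt is refused
  locked: boolean;    // true once failures reach the lockout threshold
}

class LoginThrottle {
  private readonly state = new Map<string, AttemptState>();

  constructor(
    private readonly now: () => number = () => Date.now(),
    private readonly baseDelayMs: number = 1000, // assumed; the page gives no base delay
    private readonly maxFailures: number = 10,   // lock after 10 attempts (from the page)
  ) {}

  /** Milliseconds until the account may try again: 0 = allowed now, Infinity = locked. */
  retryAfterMs(accountId: string): number {
    const s = this.state.get(accountId);
    if (!s) return 0;
    if (s.locked) return Number.POSITIVE_INFINITY;
    return Math.max(0, s.notBefore - this.now());
  }

  /** Record a failure: the wait doubles each time (1 s, 2 s, 4 s, ...); the 10th failure locks. */
  recordFailure(accountId: string): AttemptState {
    const t = this.now();
    const failures = (this.state.get(accountId)?.failures ?? 0) + 1;
    const next: AttemptState = {
      failures,
      notBefore: t + this.baseDelayMs * 2 ** (failures - 1),
      locked: failures >= this.maxFailures,
    };
    this.state.set(accountId, next);
    return next;
  }

  /** A successful login resets the counter; a locked account never reaches this path. */
  recordSuccess(accountId: string): void {
    this.state.delete(accountId);
  }
}
```

Keying the counter on the account alone lets a stranger lock a legitimate user out by submitting wrong passwords, so deployments typically also key on source address and alert on lockouts rather than silently absorbing them.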
Encryption & Transport

AES-256 at rest. TLS 1.3 in transit. mTLS internal.

PostgreSQL is encrypted at rest with AES-256. MinIO object storage uses server-side encryption (SSE-S3) with keys managed by the MinIO KMS and rotated annually. Every client-to-API hop is TLS 1.3. Every internal service-to-service call is mTLS.

  • AES-256 · database + object storage
  • TLS 1.3 client → API, auto HTTP→HTTPS
  • mTLS between NestJS API and CorteX microservices
  • Annual key rotation · keys stored separately
Data Residency

EU-resident by default. SCCs for every onward transfer.

Primary storage sits on Hetzner VPS in Helsinki, Finland. No hyperscaler dependency — no AWS, no Azure, no GCP for primary data. Cross-border transfers to US AI sub-processors flow through Standard Contractual Clauses combined with explicit user consent. Every transfer has a Transfer Impact Assessment on file.

  • Hetzner Helsinki · EU-resident primary data
  • PostgreSQL 16 + self-hosted MinIO · no hyperscaler
  • SCCs + TIA for US AI sub-processors
  • Internal CorteX microservices · never public-facing
Consent & Rights

7 consent purposes. 7-year audit. 30-day DSR SLA.

A two-layer consent system: a live status table, plus an append-only ConsentCapture audit trail that logs every grant, withdrawal, and recapture with IP, user agent, wording version, and channel. All seven data-subject rights are implemented with a 30-day response window. Erasure cascades through profile, portraits, meetings, and connections.

  • 7 granular purpose codes · versioned wording
  • Append-only audit · 7-year retention
  • Access · Erasure · Portability · Rectification · Objection · Restriction · ADM review
  • Self-service endpoints · /privacy/consent, /data-subject/export
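The two-layer consent design above (a live status view on top of an append-only ConsentCapture trail), as an added TypeScript illustration that is not EngageX's code. The purpose codes, channel names, record fields and the constructed sample events are assumptions; the grant/withdraw/recapture actions, wording version, IP, user agent and channel fields follow the page.

```typescript
// Added example (not EngageX's code): an append-only consent audit trail from
// which the live consent status is derived, modelled on the two-layer design the
// page describes. Purpose codes, channel names and the record shape are assumed.

type ConsentAction = "grant" | "withdraw" | "recapture";

interface ConsentCapture {
  userId: string;
  purpose: string;        // assumed purpose code, e.g. "ai_matchmaking"
  action: ConsentAction;
  wordingVersion: string; // version of the consent text the user actually saw
  channel: string;        // e.g. "web" or "mobile"
  ip: string;
  userAgent: string;
  at: string;             // ISO-8601 timestamp
}

class ConsentLedger {
  private readonly trail: ConsentCapture[] = []; // append-only: no update or delete path

  record(event: ConsentCapture): void {
    this.trail.push(Object.freeze({ ...event }));
  }

  /** Live status is the latest event for (user, purpose); only a withdrawal clears it. */
  status(userId: string, purpose: string): { granted: boolean; wordingVersion: string | null } {
    let last: ConsentCapture | undefined;
    for (const e of this.trail) if (e.userId === userId && e.purpose === purpose) last = e;
    if (!last) return { granted: false, wordingVersion: null };
    return { granted: last.action !== "withdraw", wordingVersion: last.wordingVersion };
  }

  /** Consent captured under superseded wording must be recaptured before it is relied on. */
  needsRecapture(userId: string, purpose: string, currentVersion: string): boolean {
    const s = this.status(userId, purpose);
    return s.granted && s.wordingVersion !== currentVersion;
  }
}

// Constructed sample events (not real data): grant, withdraw, then recapture under new wording.
function buildSampleLedger(): ConsentLedger {
  const l = new ConsentLedger();
  const base = { userId: "u-123", ip: "203.0.113.7", userAgent: "ExampleUA/1.0", channel: "web" };
  l.record({ ...base, purpose: "ai_matchmaking", action: "grant", wordingVersion: "v1", at: "2024-01-10T09:00:00Z" });
  l.record({ ...base, purpose: "marketing", action: "grant", wordingVersion: "v1", at: "2024-01-10T09:00:05Z" });
  l.record({ ...base, purpose: "marketing", action: "withdraw", wordingVersion: "v1", at: "2024-02-01T12:00:00Z" });
  l.record({ ...base, purpose: "ai_matchmaking", action: "recapture", wordingVersion: "v2", channel: "mobile", at: "2024-03-01T08:00:00Z" });
  return l;
}
```

Because the trail is never rewritten, the live table can be rebuilt from it at any time, which is what makes a consent decision defensible at audit: the status and the evidence for it cannot drift apart.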

Our sub-processor register

Every vendor that processes personal data on our behalf. Every transfer mechanism. No hidden pipes.

Vendor · Service · Location · Transfer mechanism
Anthropic · Claude API (meeting analysis, matchmaking, virtual SDR, chatbot) · USA · SCCs + user consent
OpenAI · Whisper API (meeting transcription), GPT-4o-mini (vision OCR) · USA · SCCs + user consent
Hetzner · Infrastructure (VPS + primary database hosting) · Helsinki (EU) · EU-resident, no transfer
Sentry · Error tracking (stack traces, session identifiers) · USA / EU · SCCs
Microsoft 365 · Transactional email (notifications & DSR delivery) · USA / EU · Standard DPA
Firebase FCM · Push notifications (device tokens only) · USA · Google DPA
No payment processor is currently active — a payment module is built but not live. This register is updated on every vendor change.

Breach response · 72 hours, by procedure

If a breach ever occurs, a documented six-step procedure runs: detection, containment, notification assessment, regulatory notification within 72 hours, data-subject notification where risk is high, and a written post-incident review within 30 days.

  1. 0–4 h · Detect & assess
  2. 0–24 h · Contain & isolate
  3. 4–24 h · DPO & legal review
  4. <72 h · Notify DIFC Commissioner (+ EU SA if EU data)
  5. Without delay · Notify data subjects if high-risk
  6. <30 days · Written post-incident review
GDPR-aligned
AES-256 encryption
Zero data loss architecture
24/7 operational monitoring
Continuous threat scanning

Ready to transform your next event?

Get in touch with our team and discover how EngageX connects visitors, exhibitors, and organisers with real purpose.

Phone / WhatsApp
+971 4 000 0000
HQ
Innovation Hub, AI, DIFC Dubai, UAE

Get in Touch with Us