We treat mobile numbers like card data.
Authmatech is built for compliance reviews — not around them. Every part of the stack that touches PII is encrypted, masked, audited, and inspected. This page is the source of truth for our controls, certifications, and policies.
Where we are. Where we’re going. Stated plainly.
If we haven’t shipped a certification yet, we say so. No optimistic claims.
The technical controls behind every claim.
Six load-bearing controls. Each is documented in our security packet with the corresponding implementation reference and audit evidence.
Encryption at rest
AES-256 field-level encryption for every MSISDN, API key, and operator ASE secret. Keys are rotated on a published schedule and are never co-located with ciphertext.
Masking in logs
A dedicated logging ObjectMapper redacts every PII-tagged field before logs leave the host. Full numbers never appear in observability tooling.
Tamper-evident audit
Every verification persists as a signed VN- / VNM- record. Retention durations are policy-configurable; exports are auditor-friendly out of the box.
Partner-channel transport
Operator calls flow over mTLS partner channels with HMAC-signed payloads. We never touch SMS infrastructure or SS7 routes.
In-region residency
KSA customer data is served from KSA infrastructure. UAE and Egypt regions are available on Enterprise. Cross-region replication happens only with explicit consent.
Anomaly & incident alerting
Real-time alerting on operator latency, key-rotation events, and balance threshold crossings. Webhooks for everything that matters operationally.
The documents your legal team is about to ask for.
Everything is on a single page — no procurement scavenger hunt.
Data Processing Addendum
Standard DPA available for sign-on at any tier.
Subprocessor list
Current subprocessors and the data they handle, kept current.
Subject access rights
End-user data access, correction, and deletion requests handled within SLA.
Incident response
Customer-impacting events notified within 24 hours. Post-incident review delivered within 7 days.
Found a vulnerability? Tell us first. We reward it.
We run a private disclosure program. Reports are triaged within one business day, and we publish a public security report after every material remediation.
- Provide a clear description of the issue, reproduction steps, and the affected endpoint or surface.
- Do not access, modify, or disclose data that is not yours.
- Do not run scans that materially degrade availability for other customers.
- Give us a reasonable time window to remediate before any public disclosure.
Submit a report
Encrypt sensitive reports with our PGP key — fingerprint below. Acknowledgement within one business day, remediation timeline within five.
[email protected]
PGP fingerprint
9F4E 5A11 2B7C 8DDA 6E10 F03F 7C82 18AA 4E55 9D02