GCC Lead

Security

The platform our enterprise customers run on.

Security and compliance are the floor, not a feature. This page covers how we host the platform, how we handle data, and which frameworks we align with. Detailed documentation, audit reports and DPAs are shared under NDA at engagement start.

Last updated · May 2026

1. Hosting & infrastructure

Production workloads run on hardened EU/UAE-region infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+). Network access to datastores is private-only; ingress runs through a single managed gateway with WAF rules tuned to the GCC traffic profile.

2. Compliance frameworks

  • UAE Personal Data Protection Law (PDPL) — alignment with all subject-rights and notice obligations.
  • Saudi Arabia PDPL — applicable processing handled under SDAIA-aligned controls.
  • EU GDPR — applied where data subjects qualify; lawful basis is documented per processing activity.
  • ISO 27001 framework — controls implemented; certification roadmap on request.

3. Data handling

We process publicly available real-estate listing data only. We do not ingest gated or authentication-protected fields, do not bypass technical controls, and respect every source's robots.txt and terms of service. Source provenance is tracked at the record level for audit and subject-rights workflows.

Customer-side data (account contacts, run metadata, exports) is segregated per tenant. Backups are encrypted, geo-redundant within the region, and retained per the contractual schedule (default: 30 days operational, archival on request).

4. Access & identity

Production access is restricted to a small operations group and gated by phishing-resistant 2FA. SSH access is key-only. Admin actions are audited and recorded in a write-once log. We support customer-side SSO (SAML / OIDC) on platform-access engagements.

5. Vulnerability disclosure

Security findings can be reported privately to security@gcclead.com (PGP key on request). We acknowledge within one business day and target a fix within 30 days for confirmed issues. Coordinated disclosure is the default; researchers are credited unless they prefer otherwise. See also /.well-known/security.txt.

6. Subject rights

Individuals whose details appear in our dataset can request access, correction, restriction, or erasure via privacy@gcclead.com. We honour the statutory window of the relevant jurisdiction and add requesting domains/phone numbers to a permanent suppression list so future processing skips them.

7. Documentation under NDA

The full security documentation pack — DPA template, sub-processor list, architecture diagram, control matrix, latest pen-test summary — is shared under NDA at engagement start. Reach security@gcclead.com to request the package.