Trust · Security · Compliance

Built openly. Verified honestly.

Every claim on this page is labelled Live, In progress, or Planned. If it isn't Live, we won't pretend otherwise.

The pack is a ZIP with a one-page security fact-sheet, sub-processor register, DPA template, and full compliance dossier — everything a vendor-review team typically asks for on day one.

Designed & engineered in the United Arab Emirates
Made in the UAE — for the world.
Operated by ITHR Technologies Consulting LLC
Who issues credentials

Every credential is signed by a real UAE company.

The Academy is operated end-to-end by ITHR Technologies Consulting LLC — a UAE-registered consulting firm. We stand behind every certificate we issue, in our own name.

A real legal entity
Live
Credentials are issued by ITHR Technologies Consulting LLC, a UAE-registered consulting firm.
Documented pass rubric
Live
Every course lists its assessment format, passing threshold, and question style. Nothing is hidden.
Public verification registry
Live
Every issued credential is independently checkable at /verify/{id} — no login required.
QR-anchored PDF certificates
Live
The QR on every certificate resolves to the same public verification page.
Named authors on every course
In progress
Publishing credits to be shown on each course landing page.
External academic advisory board
Planned
A small external review board to oversee courseware quality and appeals.
Cryptographic signature + W3C Verifiable Credential format
Planned
Adds tamper-evident signatures interoperable with digital wallets.
Personnel-certification-body accreditation (ISO/IEC 17024)
Planned
The strongest international recognition for the issuer itself.
Security controls

What is protecting your data today.

Below is the honest picture: what is running in production right now, what we are actively working on, and what is still on the roadmap.

Live
Transport encryption (TLS)
All traffic to the Academy is served over HTTPS with modern cipher suites and HSTS on the production domain.
Live
Password hashing (bcrypt)
Learner passwords are stored as bcrypt hashes (12 rounds). Plaintext passwords are never logged or written to disk.
Live
JWT session tokens with expiry
Sign-in issues short-lived signed JSON Web Tokens; server verifies signature and expiry on every /api/* request.
Live
Role-based access control
Enterprise dashboards enforce owner / admin / member roles on every server endpoint — checks are not client-side only.
Live
Public credential verification
Every credential exposes a public /verify/{id} endpoint and a scannable QR — no login required to check authenticity.
Live
Server-rendered PDF certificates
Certificate PDFs are produced by our servers with an embedded verification QR — screenshots cannot be silently altered.
Live
Abuse rate-limiting on public demo
The anonymous try-a-lesson endpoint is rate-limited per IP to prevent token-farming and cost-abuse.
Planned
MFA + SSO (Azure AD / Okta / Google Workspace)
Enterprise single sign-on with MFA enforcement and SCIM auto-deprovisioning.
Planned
Envelope encryption at rest (KMS)
Managed keys for the production database, object storage, and backups. Available once we cut over from the current shared-cloud environment.
In progress
UAE data residency (AWS me-central-1 / Azure UAE)
The MVP runs in a shared cloud region today. UAE-resident production is the next infrastructure milestone before enterprise onboarding.
In progress
SOC 2 Type I readiness
Controls are being written up and evidence collected. We are not yet SOC 2 attested and do not claim to be.
Planned
ISO/IEC 27001 certification
On the roadmap. We reference ISO 27001 controls in our internal build but hold no certificate today.
In progress
UAE PDPL registration + designated DPO
The UAE Personal Data Protection Law applies to our UAE learners; we are preparing formal registration and appointing a Data Protection Officer.
Planned
Independent penetration test (CREST)
First external pen-test is scheduled ahead of enterprise general availability.
Data residency

Where your data lives today — and where it is going.

The MVP is deployed on a managed Kubernetes cluster in a shared cloud region. That is fit for demonstration and pilot workloads, not for regulated production. The next infrastructure milestone is to migrate to a UAE-resident production environment so that customer and learner data remains within the United Arab Emirates.

Enterprise customers with strict data-residency requirements can request the migration timeline and DPA terms before onboarding.

Today
Shared managed-Kubernetes cluster, MongoDB primary. Suitable for pilots.
Next
AWS me-central-1 (UAE) with MongoDB Atlas in-region, KMS at rest, TLS 1.3 in transit.
Guarantee once migrated
Customer data never leaves UAE borders. Backups and DR are also UAE-resident.
Sub-processors

Who we rely on to run the Academy.

Updated on any change
Sub-processor
Purpose
Region / notes
Status
MongoDB
Primary database (learners, courses, credentials)
Cloud region — see notes below
live
Anthropic
AI Tutor (Aletheia) + AI Mentor (Solon) + curriculum-signal drafting
Vendor default
live
Stripe
Payment processing (subscriptions, one-time, per-seat)
Vendor default; test key today
live
Google (Emergent-managed OAuth)
Sign in with Google
Google infrastructure
live
Resend
Transactional + weekly digest emails
Vendor default
planned (key not yet provisioned)
AWS (me-central-1)
Production compute, storage, KMS, WAF
UAE (Dubai / Etihad DC)
planned

We do not sell learner data, and we do not use enterprise customer data to train third-party AI models. If a sub-processor changes, this page is the source of truth.

What we do not claim

Honest limits.

  • · We are not yet SOC 2 attested. Any footer badge, brochure, or reseller deck that says otherwise is incorrect — please tell us so we can fix it.
  • · We do not yet hold ISO/IEC 27001 certification.
  • · We do not yet hold ISO/IEC 17024 personnel-certification-body accreditation. Our credentials are trustworthy because of our public verification registry, published rubric, and legal entity behind them — not because of an external body.
  • · Data does not yet reside inside UAE borders in production. The MVP runs in a shared cloud region. UAE residency is the next infrastructure milestone.
  • · Payments today use a Stripe test key. Real transactions require the live-key cutover.

We prefer to publish this candid list rather than let a procurement questionnaire discover it. When any of the above changes, this page is updated the same day.

Report a security issue

Responsible-disclosure researchers are welcome. Please email us before public disclosure.

security@ithr.ae
Data-subject requests

Access, correction, portability, or deletion — we aim to respond within 30 calendar days.

privacy@ithr.ae
Request a DPA

The DPA template ships inside the procurement pack. Executed DPAs are exchanged during procurement.

Trust page · Last generated on page load · 2026-07-06
Verify a credential