Security · stonifi.co.uk

Built secure.
Audited honestly.

We don’t over-claim. Here’s exactly what’s shipped, what’s in audit, and what we don’t do yet.

Shipped controls
GDPR + UK DPA 2018
Data subject access requests, consent records, regional API endpoints, multi-currency billing per region. Live since April 2026.
ZATCA Phase 2 (Wave 24)
QR codes, XAdES-BES signing, CSID lifecycle, B2B clearance, B2C reporting. Compliance queue with retry. 24 dedicated endpoints.
GOSI / Nitaqat / Mudad
Saudi labour law in the box: 11.75% employer GOSI calculation, Nitaqat Saudization bands, Mudad/WPS payroll exports, end-of-service benefits.
TOTP MFA
Fernet-encrypted TOTP secrets, SHA-256-hashed recovery codes, 5-minute temporary tokens, login challenge flow.
Row-Level Security (RLS)
Multi-tenant Postgres with RLS ENABLED + FORCED on 110+ tables. 1,153 permission enforcement points across backend + frontend.
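As an added illustration of the RLS pattern named above (not the project's own schema or code), here is what ENABLE + FORCE looks like on one multi-tenant Postgres table, together with a tenant-isolation policy and a query to verify both flags are set. The `invoices` table, its columns and the `app.tenant_id` session setting are assumed names for the example.

```sql
-- Added example: RLS enabled and forced on a multi-tenant table.
-- The table, columns and the app.tenant_id setting are assumptions.

CREATE TABLE invoices (
    id         bigserial      PRIMARY KEY,
    tenant_id  uuid           NOT NULL,
    customer   text           NOT NULL,
    total      numeric(12,2)  NOT NULL
);

-- ENABLE turns policies on for ordinary roles; FORCE makes them apply to
-- the table owner as well, so an application that connects as the owning
-- role cannot silently bypass tenant isolation.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE  ROW LEVEL SECURITY;

-- One policy for reads and writes: a row is visible or writable only when
-- its tenant_id matches the tenant bound to the current transaction.
-- current_setting(..., true) returns NULL instead of raising when the
-- setting was never set, and a NULL comparison is never true, so a missing
-- tenant context yields no rows rather than all rows.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Application side: bind the tenant per transaction with SET LOCAL so the
-- value is discarded at COMMIT and cannot leak into another request that
-- reuses the same pooled connection.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed tenant id
INSERT INTO invoices (tenant_id, customer, total)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Acme Ltd', 120.00);
-- A write for a different tenant would be rejected by the WITH CHECK clause:
-- INSERT INTO invoices (tenant_id, customer, total)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Other Co', 50.00);
SELECT id, customer, total FROM invoices;  -- returns only this tenant's rows
COMMIT;

-- Verification query: both flags should be true on every tenant-scoped table.
SELECT relname,
       relrowsecurity      AS rls_enabled,
       relforcerowsecurity AS rls_forced
FROM   pg_class
WHERE  relkind = 'r'
  AND  relnamespace = 'public'::regnamespace
ORDER  BY relname;
```

Two caveats a reviewer would check alongside the flags: superusers and roles created with BYPASSRLS are exempt from policies regardless of FORCE, so the application role must be neither; and a policy created without a `TO role` clause applies to PUBLIC, which is what you want for a single shared application role.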
HashiCorp Vault Transit (Mail Hub)
AppRole-authenticated KMS; all mailbox credentials encrypted at rest. Per-tenant key rotation.
In audit / in progress
ISO 27001
Statement of Applicability drafted. External audit scheduled. Targeting certification by Q4 2026.
On the roadmap
SOC 2 Type II
We don’t claim what we haven’t earned. Audit window opens once ISO 27001 lands.
HIPAA BAA
Will be available alongside the Healthcare addon launch (Q1 2027) and NPHIES certification.

Responsible disclosure

Found something? Email security@stonifi.co.uk — we respond within 24 hours.