Vendor due-diligence pack
The Vendor Security Pack. Same day, under NDA.
SOC 2 Type II, ISO/IEC 27001:2022, ISO 42001, a CREST-tested penetration summary, a UAE PDPL and GDPR-aligned DPA, and the live sub-processor register — assembled for your TPRM workflow. Median customer due-diligence: nine working days.
| Metric | Value |
|---|---|
| Last SOC 2 Type II | 14 Mar 2026 |
| Last ISO 27001 surveillance | 08 Feb 2026 |
| Last penetration test | 04 Mar 2026 |
| Open critical / high | 0 / 0 |
Certifications mosaic
Crests rendered as monochrome marks. Licensee numbers and certificate PDFs are inside the Vendor Security Pack.
| Figure | What it measures |
|---|---|
| 9 days | Median TPRM cycle to approval across last 22 engagements |
| 0 / 0 | Open critical / high findings — March 2026 pen test |
| 11 | Sub-processors, country-of-processing transparent |
| 24 hrs | Customer notification SLA on confirmed incident |
Inside the pack
Every artefact your TPRM analyst would otherwise chase across five emails.
A single zipped bundle, NDA-gated, with file sizes, last-updated dates, and gating notes against each document so procurement can route them to the right reviewer.
| Document | Contents | Format | Gating |
|---|---|---|---|
| SOC 2 Type II — 12 months ending 31 Dec 2025 (the headline file) | Signed 14 March 2026 by a Big-4 affiliated CPA firm covering Security, Availability, Confidentiality, and Processing Integrity. Bridge letter included to today. | PDF, 8.4 MB | NDA-gated |
| Penetration test | Executive summary. Full report under NDA. CREST-accredited tester. 0 open critical / high. | | Executive summary pre-NDA; full report NDA-gated |
| ISO 27001 + SOA | 93 controls mapped, latest BSI surveillance letter included | PDF, 2.1 MB | NDA-gated |
| ISO 42001:2023 | AI management system policy and scope statement | PDF, 1.4 MB | Pre-NDA |
| DPA template | UAE PDPL + GDPR + DIFC DP Law aligned, EU SCCs 2021/914 pre-filled | DOCX, 380 KB | Pre-NDA |
| Sub-processor register | 11 sub-processors, country of processing, contractual safeguard | PDF, 240 KB | Pre-NDA |
| CAIQ v4 | Pre-filled Cloud Security Alliance questionnaire | XLSX, 410 KB | Pre-NDA |
| BCP / DR summary | RTO 4h, RPO 15m, last DR test Q4 2025 | PDF, 1.1 MB | NDA-gated |
| Incident response policy | Runbook summary, escalation tree, 24-hour customer notification | PDF, 720 KB | NDA-gated |
Certifications & attestations
Twelve current marks, each with its last-audit date and next surveillance window.
Every entry below carries the licensee number on the certificate PDF inside the Vendor Security Pack. The scope, the issuing body, and the renewal cycle are documented so your TPRM analyst can verify with the registrar directly.
| Certification / attestation | Issuing body | Last audit | Next due | Status |
|---|---|---|---|---|
| SOC 2 Type II | Big-4 affiliated CPA firm | 14 March 2026 | March 2027 | Current |
| ISO/IEC 27001:2022 | BSI | 08 February 2026 | February 2027 | Current |
| ISO/IEC 27701:2019 | BSI | 08 February 2026 | February 2027 | Current |
| ISO/IEC 42001:2023 | BSI | 21 January 2026 | January 2027 | Current |
| Cyber Essentials Plus | IASME | 02 December 2025 | December 2026 | Current |
| PCI-DSS v4.0 AoC | QSA — Coalfire | 11 November 2025 | November 2026 | Current |
| CSA STAR Level 2 | Cloud Security Alliance | 17 October 2025 | October 2026 | Current |
| AWS Security Competency | AWS | 03 September 2025 | September 2026 | Current |
| Microsoft Solutions Partner — Security | Microsoft | 12 January 2026 | January 2027 | Current |
| G42 Cloud Certified Partner | G42 | 28 February 2026 | February 2027 | Current |
| NVIDIA Inception (security-reviewed) | NVIDIA | 04 March 2026 | March 2027 | Current |
| TDRA Information Assurance attestation | TDRA — UAE | 19 November 2025 | November 2026 | Current |
Framework cross-walk
One control set, mapped to the frameworks your risk function already speaks.
Each row pins a control function to its corresponding identifier in NIST CSF 2.0, ISO/IEC 27002:2022, NESA UAE IA, SAMA Cyber Security Framework, and ISO/IEC 42001. The full cross-walk Excel is in the Vendor Security Pack.
| Capability | Brocode posture | NIST CSF 2.0 | ISO 27002:2022 | NESA UAE IA | SAMA CSF | ISO 42001 / SCF |
|---|---|---|---|---|---|---|
| Identify — asset and risk inventory | Continuous, registered | ID.AM, ID.RA | A.5.9, A.5.12 | T1.1, T1.2 | CSF 1.1.1 | IS-1, IS-2 |
| Protect — access control + crypto | Customer-managed keys default | PR.AC, PR.DS | A.5.15, A.8.24 | T3.1, T3.4 | CSF 2.2.1 | IS-12, IS-15 |
| Detect — continuous monitoring | 24/7 SOC + SIEM | DE.AE, DE.CM | A.8.15, A.8.16 | T6.2, T6.3 | CSF 3.1.4 | IS-26 |
| Respond — incident handling | 1-hour ack SLA | RS.RP, RS.AN | A.5.24, A.5.26 | T9.1, T9.2 | CSF 4.1.1 | IS-30 |
| Recover — BCP / DR | RTO 4h, RPO 15m | RC.RP, RC.IM | A.5.29, A.5.30 | T10.1 | CSF 5.1.2 | IS-34 |
| AI management system | ISO 42001:2023 | CSF 2.0 — AI profile | A.5.36 (Annex SL) | New | New | Aligned via mapping |
| Personal data protection | PDPL + GDPR aligned | ID.GV, PR.IP | A.5.34 | T2.3 | CSF 1.4.2 | IS-9 |
Encryption & key management
Customer-managed keys are the default, not the premium tier.
Cryptographic posture aligned to ISO/IEC 27002:2022 control 8.24. Every key, every algorithm, every rotation cadence is in the cryptographic inventory inside the Vendor Security Pack.
BYOK on hyperscalers
AWS KMS (FIPS 140-2 L2 envelope), Azure Key Vault HSM (L3), Google Cloud KMS where requested. Keys originate from your tenancy; Brocode operates on grants. Quarterly rotation default; manual rotation on demand.
HYOK on UAE sovereign
Thales Luna Network HSM 7 (FIPS 140-2 L3) in the customer DC, or Khazna-hosted HSM cluster. Keys never leave the HSM boundary; envelope keys are wrapped under the customer KEK on every workload.
Algorithms and TLS
AES-256-GCM at rest, ChaCha20-Poly1305 for legacy clients, TLS 1.3 in transit (TLS 1.2 only where the customer estate mandates). RSA-2048 deprecated; ECDSA P-384 and Ed25519 for new keys. Post-quantum hybrid (X25519 + Kyber) under pilot.
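The envelope pattern the section describes (a per-workload data key under AES-256-GCM, that data key wrapped under a customer-held KEK, and rotation done by rewrapping) is shown below as an added example. It is not Brocode's code and makes no claim about their HSM integration: the Go standard library stands in for the HSM, and the `Envelope` type and the `Encrypt`, `Decrypt` and `Rotate` names are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Envelope struct { // what gets stored: payload under a per-workload DEK, DEK under the customer KEK
	KEKVersion int    // bound as AAD on the wrap, so a wrap relabelled with another version fails to open
	WrappedDEK []byte // AES-256-GCM, nonce || ciphertext+tag
	Ciphertext []byte // AES-256-GCM, nonce || ciphertext+tag
}
func gcm(key []byte) cipher.AEAD { // keys are always 32 bytes (AES-256) here, so no error path
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
func seal(key, plaintext, aad []byte) []byte { // fresh random 12-byte nonce, prefixed to the output
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return append(nonce, gcm(key).Seal(nil, nonce, plaintext, aad)...)
}
func open(key, blob, aad []byte) ([]byte, error) { // wrong key, wrong AAD or any tampering fails the tag
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}
func Encrypt(kek []byte, v int, plaintext []byte) Envelope { // fresh DEK per workload; KEK only wraps it
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{v, seal(kek, dek, []byte(fmt.Sprint(v))), seal(dek, plaintext, nil)}
}
func Decrypt(kek []byte, e Envelope) ([]byte, error) { // unwrap the DEK with the KEK, then open the payload
	dek, err := open(kek, e.WrappedDEK, []byte(fmt.Sprint(e.KEKVersion)))
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}
// Rotate rewraps the DEK under a new KEK version; the payload ciphertext is untouched, so a quarterly KEK rotation never re-encrypts stored data.
func Rotate(oldKEK, newKEK []byte, v int, e Envelope) (Envelope, error) {
	dek, err := open(oldKEK, e.WrappedDEK, []byte(fmt.Sprint(e.KEKVersion)))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{v, seal(newKEK, dek, []byte(fmt.Sprint(v))), e.Ciphertext}, nil
}
```

The point a TPRM reviewer should take from it: the KEK never touches payload bytes, and after rotation the old KEK can no longer unwrap anything, while no bulk re-encryption was needed.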
Sub-processor register
Eleven sub-processors. Country of processing. Purpose. Contractual safeguard.
Reviewed monthly. Changes notified to customers 30 days in advance, with an objection window. Last full review: 02 May 2026.
| Sub-processor | Country of processing | Purpose | Safeguard |
|---|---|---|---|
| Amazon Web Services EMEA SARL | UAE — me-central-1 (Dubai) | Sovereign hosting and storage | DPA + SCCs (back-up) |
| Microsoft Ireland Operations Ltd | UAE — UAE North | Identity (Entra ID) and Microsoft 365 | DPA + SCCs (back-up) |
| G42 Cloud | UAE — Khazna | Sovereign compute and GPU | UAE DPA + KSA appendix |
| NVIDIA Cloud Functions | EU — Frankfurt | GPU inference for non-restricted workloads | SCCs 2021/914 M2 |
| Snowflake Inc. | UAE — me-central-1 | Analytics warehouse (anonymised telemetry only) | DPA + customer-managed keys |
| HubSpot Inc. | EU — Frankfurt | Marketing CRM (non-customer contact data) | SCCs 2021/914 M2 |
| Atlassian Pty Ltd | EU — Frankfurt | Ticketing and source control | SCCs 2021/914 M2 |
| Cloudflare Inc. | Global edge | CDN, WAF, DDoS mitigation | SCCs + cache scope limit |
| Auth0 by Okta | EU — Frankfurt | Authentication for managed-service customers | SCCs + EU isolation |
| Sentry | EU — Frankfurt | Error telemetry (scrubbed) | SCCs + PII scrubbing |
| Datadog | EU — Frankfurt | Infra observability (no customer data) | SCCs + scope limit |
For per-engagement variations (e.g. a customer-specific deployment that uses none of the marketing or analytics processors), the engagement-level DPA Annex II lists the operative sub-processors only. See the privacy policy for the DPO contact and the data-subject rights process.

Incident response posture
One-hour acknowledgement. Twenty-four-hour customer notification.
The runbook, the escalation tree, and the named on-call contact for the first 90 days of every engagement are inside the Vendor Security Pack. Below is the headline timeline a TPRM analyst can pin to the wall.
| Time | Stage | Action |
|---|---|---|
| T+0 | Detection | SIEM correlation, EDR alert, or customer report. Auto-page to on-call. |
| T+1 hour | Acknowledgement | Named engineer accepts page. Incident ticket opened. Severity classified. |
| T+24 hours | Customer notification | On confirmed personal data incident — customer notified, ahead of PDPL Art. 9 / GDPR Art. 33 regulator window. |
| T+72 hours | Regulator + post-mortem | PDPL / supervisory authority notified where required. 14-day post-mortem with named owner per action. |
How we compare
Big-4 InfoSec packs, hyperscaler MSPs, offshore AI vendors, and boutiques — the honest read.
The four alternatives a UAE CISO weighs when a TPRM workflow lands. Where Brocode is not the right fit (e.g. you need only a hyperscaler attestation), we will tell you on the first call.
| Capability | Brocode | Big-4 consultancies | Hyperscaler MSP / reseller | Offshore AI vendor | Boutique AI consultancy |
|---|---|---|---|---|---|
| Time from NDA to Vendor Security Pack | Same day | 3–6 weeks (legal routing) | Hyperscaler page only | "On request" — undefined | No pack — marketing slides |
| SOC 2 Type II in own name | Yes — Big-4 affiliated CPA | Yes — but partner-pool scoped | Underlying hyperscaler only | | |
| ISO 42001 AI management system | Certified Jan 2026 | In preparation | | | |
| UAE PDPL + TDRA + NESA evidence | Article-mapped | Regional adaptation | Generic data residency only | | |
| Customer-managed keys on UAE sovereign | BYOK / HYOK default | Premium tier only | Hyperscaler-defined | No formal posture | |
| Sub-processor register with country of processing | 11 listed, monthly review | Aggregated regional pool | Hyperscaler list — not vendor | Not published | |
| Named security contact (photo + booking link) | Head of InfoSec, direct | Regional partner pool | Generic shared mailbox | Generic shared mailbox | No public contact |
| Open critical / high findings | 0 / 0 (last pen test Mar 2026) | Not disclosed | Not applicable | Not disclosed | Not disclosed |
Free download
Brocode Vendor Security Pack (NDA-gated)
A single zipped bundle (≈45 MB) containing SOC 2 Type II full report, ISO 27001 certificate + SOA, penetration test executive summary, DPA template, sub-processor register, BCP / DR summary, incident response policy, ISO 42001 policy, and a pre-filled CAIQ v4.
- SOC 2 Type II — Big-4 affiliated CPA firm, signed 14 March 2026
- ISO/IEC 27001:2022 certificate, SOA (93 controls) and BSI surveillance letter
- CREST-accredited penetration test — full report (executive summary pre-NDA)
- DPA template — UAE PDPL + GDPR + DIFC DP Law aligned, SCCs pre-filled
- Sub-processor register — 11 entries, country of processing, safeguards
- CAIQ v4 — pre-filled Cloud Security Alliance Consensus Assessment
- ISO 42001:2023 AI management system policy and scope
- BCP / DR summary — RTO 4h, RPO 15m, last DR test Q4 2025
- NDA gating: submit your standard NDA or use ours; we countersign within 24 working hours.
From real TPRM workflows
Frequently asked by CISOs.
Twelve questions distilled from the OneTrust, CyberGRX, and ServiceNow VRM workflows we have answered in the last 24 months. Where an answer needs an artefact, the artefact lives in the Vendor Security Pack.
Yes. Our SOC 2 Type II audit was signed on 14 March 2026 by a Big-4 affiliated CPA firm and covers the trust services criteria Security, Availability, Confidentiality, and Processing Integrity for the 12 months ending 31 December 2025. The full report is available under NDA in the Vendor Security Pack. A bridge letter from the auditor covering the period between the audit close and today is also included.
60-minute security review
Sit our Head of InfoSec next to your TPRM analyst.
We walk the Vendor Security Pack, take questions on the residual-risk register, and agree the artefacts your committee will see. We reply within one business day.
Direct WhatsApp: +971 50 761 2213
Security email: security@brocode.ae
HQ: Al Maryah Island, ADGM, Abu Dhabi