Security & compliance

Built for trust. Compliant by default.

You hold Emirates IDs, driving licences, and card details for every renter in Dubai. Carfleet is engineered so that data stays isolated, encrypted, and provably compliant — without you having to think about it.

Defence in depth

Eight controls, enforced at every layer.

Not a policy PDF — these are switched on in the platform, from the database row to the printed contract.

Row-Level Security tenancy

Every query is scoped to your company at the database. One rental firm can never read another firm's deals, customers, or cars.

PII encrypted at rest

Emirates ID numbers, passports, and licence scans are encrypted on disk and protected in transit with TLS 1.3 — keys rotated, never in logs.

ID & card masking in docs

Printed contracts and PDFs show 784-****-*******-1 and **** 4242 — never the full Emirates ID or card on paper.

PDPL & GDPR consent

Explicit consent capture, data-subject export and erasure, and retention windows aligned to UAE PDPL and EU GDPR.

FTA-correct 5% VAT

Sequential tax invoices carry your TRN and a verified 5% line — rounding and totals reconcile to FTA filing rules in AED.

Full audit log

Who changed a rate, voided a deposit, or exported a customer — every action stamped with user, time, and before/after value.

PCI — no card data local

Cards are tokenised by our Stripe-grade processor. Carfleet stores a token, never a PAN or CVV, keeping you out of PCI scope.

12 role-based levels

From read-only investor to owner, twelve granular roles gate every screen and action — Salik, fines, and payouts included.

How a request is isolated

Tenant isolation, from the edge to the row.

Every request is authenticated, scoped to your company, and only ever touches your own data — enforced by Postgres Row-Level Security, not application code you have to trust.

Request (WhatsApp · web · API) → Middleware (Auth · 2FA · role) → Row-Level Security (tenant_id enforced in Postgres) → Your fleet · your deals

Other tenants: blocked

Every action written to the immutable audit log

Compliance checklist

What you can tell your regulator, insurer, and investors.

The standards a UAE rental operator actually gets asked about — and how Carfleet answers each one.

  • UAE PDPL — Federal Decree-Law No. 45 of 2021

    Consent, purpose limitation, and data-subject rights enforced in-product.

  • EU GDPR — export & right to erasure

    One-click data export and verified deletion for any customer record.

  • FTA VAT — sequential tax invoices with TRN

    5% VAT, AED rounding, and credit notes matching Federal Tax Authority rules.

  • PCI DSS SAQ-A — tokenised payments

    No cardholder data touches Carfleet servers; processing is fully outsourced.

  • Encryption — AES-256 at rest, TLS 1.3 in transit

    Managed keys with rotation; nightly encrypted, point-in-time backups.

  • Access — RLS isolation + SSO & 2FA

    Per-tenant row security, twelve roles, and enforced two-factor for staff.

Due diligence, sorted

See the controls running on a real fleet.

We'll walk your team through tenant isolation, masked contracts, the audit log, and VAT invoicing — on live data, in Arabic and English.