Security & Compliance

Last Updated: 26 February 2026

Karsaaz EBS builds and operates digital products and technology services with a structured focus on security, privacy, and operational governance. This page provides a centralized overview of how security and compliance are managed across the Karsaaz EBS group and its product ecosystem.

This information is provided to support transparency for customers, partners, and auditors. For legally binding terms and detailed disclosures, please review the following documents:

• Privacy Policy
• Terms of Service
• Cookie Policy
• Subprocessors
• AI Use & Liability Disclaimer
• Legal Notice / Imprint

1) Compliance Approach

Karsaaz EBS follows an enterprise aligned approach to security and compliance that is designed to scale across products, regions, and customer requirements.

Our approach is based on the following principles:

• Security by design: Security considerations are integrated throughout system design, development, testing, and release processes.
• Privacy by design: Data protection safeguards are applied based on purpose, necessity, and risk.
• Least privilege: Access is restricted to individuals and systems that require it to perform defined responsibilities.
• Accountability: Ownership is defined for security, privacy, access control, and incident management activities.

Important Note: Security and compliance controls may vary by product, region, customer configuration, and contractual scope. Controls are applied in proportion to the nature of the service and the associated risks.

2) Group Structure & Roles (Who Does What)

Karsaaz EBS operates as a global technology group with multiple entities supporting legal governance, engineering delivery, and regional operations. Responsibilities are structured to support auditability, continuity, and regulatory accountability.

Karsaaz EBS Ltd (United Kingdom)

• Where identified in the relevant product Privacy Policy, Karsaaz EBS Ltd acts as Data Controller
• Where applicable, serves as the Data Controller for group-managed products and digital services (see individual product Privacy Policies for controller identification).
• Where applicable, oversees UK regulatory alignment, including maintaining ICO registration where required and managing brand/trademark governance.

Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT, United Kingdom

ICO registration reference: ZB891350 (registered under Karsaaz EBS Ltd, United Kingdom)

Karsaaz Entire Business Solution (Pvt.) Ltd (Pakistan)

• Functions as the group’s Engineering & Delivery Center, responsible for building and maintaining software platforms, AI systems, and delivery frameworks.
• Acts as a Data Processor under applicable data protection frameworks when processing data on behalf of the UK entity or customers.
• Maintains ISO-certified management systems within the certified scope applicable to the entity.

ISO Certifications (within defined scope):

• ISO/IEC 27001 – Information Security Management System
• ISO 9001 – Quality Management System
• ISO/IEC 20000-1 – IT Service Management System

Certification details:

ISO/IEC 27001:2022 – Information Security Management Systems

• Certification body: GCERTI
• Certificate number: GKPK-0259-IC
• Scope: Design, development, deployment, and maintenance of SaaS-based software products, AI-integrated applications, and custom digital solutions for global clients.
• Validity: 22 July 2025 – 21 July 2028

ISO/IEC 20000-1:2018 – IT Service Management Systems

• Certification body: GCERTI
• Certificate number: GKPK-0259-IT
• Scope: Design, development, deployment, and maintenance of SaaS-based software products, AI-integrated applications, and custom digital solutions for global clients.
• Validity: 12 November 2025 – 11 November 2028

ISO 9001:2015 – Quality Management Systems

• Certification body: GCERTI
• Certificate number: GKPK-0259-QC
• Scope: Design, development, deployment, and maintenance of SaaS-based software products, AI-integrated applications, and custom digital solutions for global clients.
• Validity: 11 August 2025 – 10 August 2028

Scope note: ISO certifications apply only to the certified entity and the specific scope stated on each certificate.

Intra-group data transfers:

Where data is accessed by the Pakistan entity on behalf of the UK entity, transfers are governed by appropriate contractual safeguards, including Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA), together with technical and organizational controls.

Karsaaz EBS Technology Solutions FZCO (United Arab Emirates)

• Supports regional operations, partnerships, and commercial activities.
• Where applicable, facilitates payment processing arrangements and merchant onboarding based on product, region, and contractual structure.

Unless otherwise specified in a product-specific notice, the UAE entity does not act as Data Controller for personal data collected through this website.

Transparency note: Payment processing may be facilitated by the group’s UAE entity depending on product and customer location. Payment data is processed by payment service providers under their own security and compliance standards.

3) Security Controls

Karsaaz EBS applies a layered security model across its products and internal systems. Controls may vary by service but typically include the following measures.

Identity & Access Management

• Role-based access controls aligned with least-privilege principles
• Multi-factor authentication for administrative and sensitive systems
• Managed joiner–mover–leaver access lifecycle processes

Data Protection

• Encryption in transit and protective controls for stored data
• Secure configuration standards and system monitoring
• Logical separation between production and non-production environments where appropriate

Data Residency & Hosting

Digital products are hosted on established cloud infrastructure providers.
Hosting regions are determined by product architecture, customer configuration, and contractual arrangements. Default hosting regions may include the United Kingdom, European Union, or United Arab Emirates, depending on product configuration and contractual structure.

Operational Security

• Centralized ownership of critical systems and operational tooling
• Logging and monitoring of security and operational events
• Defined incident response procedures for assessment, containment, and remediation

Vulnerability Management

• Regular internal security reviews
• Periodic third-party security testing for core platforms where appropriate

4) Vendor & Subprocessor Management

Karsaaz EBS uses third-party service providers to support infrastructure, analytics, communications, customer support, and operational tooling.

All subprocessors are assessed based on security, privacy, and operational risk. A maintained Subprocessors List is published separately and updated as changes occur.

Specific subprocessor identities may be provided in product-specific documentation or contractual agreements where required.

5) Privacy & Data Protection

We aim to collect and process only the data necessary to deliver and improve our services, meet security requirements, and comply with legal obligations.

Key privacy principles include:

• Purpose limitation: Data is used only for defined and legitimate purposes
• Data minimization: Collection is limited to what is necessary
• Access control: Data access is restricted to authorized personnel and systems
• Retention controls: Data is retained only as long as required for its purpose and applicable legal requirements

For full details on data categories, lawful bases, retention periods, user rights, and international transfers, please refer to the Privacy Policy.

6) AI & Automated Processing

Certain Karsaaz EBS products use artificial intelligence and automation to support user productivity, such as summarization, transcription, language processing, and assistant-based features.

AI features are designed as human-in-the-loop tools intended to assist users rather than act as sole decision-makers. Karsaaz EBS does not deploy AI systems to make automated decisions that produce legal or similarly significant effects on individuals without human involvement.

AI systems are intended to assist users and are not deployed as sole decision-making systems for legally significant outcomes.

AI-generated outputs may be probabilistic and may contain inaccuracies. Users are responsible for reviewing outputs before relying on them for high-stakes or critical decisions.

Client production data is not used to train foundation models without explicit consent or appropriate anonymization.

Product-specific AI limitations and responsibilities are detailed in the AI Use & Liability Disclaimer and relevant product documentation.

7) Payments, Billing & Financial Controls

When payment functionality is enabled:

• Transactions are processed by recognized payment service providers (e.g., Stripe)
• We do not store full payment card details unless explicitly stated; sensitive payment data is typically handled by payment providers under their own compliance frameworks.
• Financial access follows controlled approval and segregation-of-duties principles, where applicable.

Billing and payment records may be retained as required for accounting, tax, and regulatory obligations.

8) International Operations & Data Transfers

As a global organization operating across the UK, UAE, Pakistan, and other customer locations, cross-border data processing may occur.

Where international transfers take place:

• Appropriate safeguards are applied, including contractual and organizational measures.
• Transfer mechanisms may include EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).
• Transfer Impact Assessments (TIAs) are conducted where required.

Details regarding transfer mechanisms are described in the Privacy Policy.

9) Reporting Security Concerns

We encourage responsible disclosure of security issues.

• Security contact: security@karsaaz.com
• Privacy contact: privacy@karsaaz.com
• General support: support@karsaaz.com

Please avoid including sensitive personal data unless necessary to describe the issue.

10) Privacy Contact

Privacy contact: privacy@karsaaz.com

Privacy related inquiries are handled through the designated Privacy Contact.

11) Transparency & Updates

This page may be updated to reflect changes in security controls, compliance posture, subprocessors, legal requirements, or product architecture. Material updates will be reflected by revising the “Last updated” date above.

Disclaimer

This page is provided for informational purposes to demonstrate transparency and accountability. It does not constitute a legal warranty and does not modify or replace the terms of any Master Service Agreement (MSA), Data Processing Agreement (DPA), or other contractual documents between Karsaaz EBS and its customers.