Trust, Security & Compliance

Built for buyers who cannot afford to guess.

Steinn Labs is a DIFC-incorporated company (Steinn AI Labs Limited, SR-808691) built for regulated-industry AI work. Our security and data-handling approach is centred on self-hosted deployment, UAE data residency, and auditability. This page details our incorporation status, security posture, and data-handling practices.

01 Legal & regulatory standing

A verifiable, DIFC-registered entity.

DIFC is a common-law financial free zone in Dubai with its own courts, data protection regime (DIFC Data Protection Law No. 5 of 2020), and registrar. Contracting with a DIFC entity gives regulated buyers a familiar accountability structure and a clearer path for cross-border data agreements than a UAE mainland vendor.

Legal entity: Steinn AI Labs Limited
Legal form: Private Company
Jurisdiction: Dubai International Financial Centre (DIFC)
Commercial licence: CL13762
DIFC registration (SR): SR-808691
Licence issue date: 01 July 2026
Licence expiry: 30 June 2027
Registered address: IH-00-01-03-OF-05, Level 3, Innovation One, DIFC, Dubai, UAE
Licensed activities: Computer Systems and Software Designing · Information Technology Consultants · Innovation & Artificial Intelligence Research & Consultancies
Authorised signatories: Abhishek Prashant Muley · Jeet Sanjay Patel

The licence can be independently verified at difc.ae/operating/document-verification using code SR-808691. Steinn Labs is not currently authorised by the Dubai Financial Services Authority (DFSA) and does not provide regulated financial services.

02 Data residency & hosting

Self-hosted first. Client data stays with the client.

Self-hosted deployment is the default

Our products and custom systems are designed to run inside the client's own cloud account or on-premise environment. In a self-hosted deployment, client data does not traverse Steinn Labs infrastructure and no third-party model provider is called unless the client explicitly configures one.

When we host, we host in-region

For managed or hosted engagements we default to UAE-region infrastructure on tier-one cloud providers, with region pinning and no cross-region replication unless a client requests it in writing.

What Steinn Labs retains

During delivery we retain only the working data required to build, test, and support the system. At the end of an engagement we return or delete client data on request. We do not keep shadow copies for internal use.

Model training on client data

No. We do not train, fine-tune, or evaluate any model on client data unless the client explicitly commissions that work under a separate agreement. Client data is never routed to a third-party model provider's training pipeline.

03 Security posture

Verifiable practices, not policy theatre.

Vulnerability assessment & penetration testing

Production surfaces are put through VAPT before public release and on a recurring cadence, covering application, API, and authentication layers. A summary letter is available under NDA. We do not publish exploit-level detail.

Web application hardening

Our web properties enforce a strict Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Cookies are consent-gated in line with DIFC DP Law. This is verifiable in-browser today, not a future roadmap item.
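The headers listed above can be checked mechanically rather than by eye. The following is an added example (not Steinn Labs code) that audits a response's security headers against that list; the sample header sets are constructed, and the pass thresholds (HSTS max-age of at least one year, no 'unsafe-inline' in script-src without a nonce or hash, a DENY/SAMEORIGIN frame policy, a non-leaking Referrer-Policy) are assumptions drawn from common hardening guidance, not values stated on this page.

```python
"""Audit HTTP response security headers against a hardening baseline.

Added example, not Steinn Labs code. Thresholds below are assumed, not
taken from the page.
"""
from __future__ import annotations

import re

MIN_HSTS_MAX_AGE = 31536000  # one year in seconds (assumed threshold)
SAFE_XFO = {"DENY", "SAMEORIGIN"}
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

# Constructed sample headers standing in for what `curl -I` or browser
# devtools would show; not captured from any real site.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
    # X-Content-Type-Options deliberately absent
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(value: str | None) -> list[str]:
    """Flag a missing policy, wildcard script sources, and unguarded inline scripts."""
    if value is None:
        return ["Content-Security-Policy missing"]
    findings: list[str] = []
    d = parse_csp(value)
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("CSP sets neither script-src nor default-src")
    else:
        guarded = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                      for t in script)
        if "'unsafe-inline'" in script and not guarded:
            findings.append("CSP permits 'unsafe-inline' scripts without a nonce or hash")
        if "*" in script:
            findings.append("CSP script sources include '*'")
    if "object-src" not in d and "default-src" not in d:
        findings.append("CSP has no object-src or default-src fallback")
    return findings


def check_hsts(value: str | None) -> list[str]:
    """Require HSTS with a max-age of at least MIN_HSTS_MAX_AGE seconds."""
    if value is None:
        return ["Strict-Transport-Security missing"]
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return ["HSTS has no max-age directive"]
    age = int(m.group(1))
    if age < MIN_HSTS_MAX_AGE:
        return [f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}"]
    return []


def audit(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = check_csp(h.get("content-security-policy"))
    findings += check_hsts(h.get("strict-transport-security"))
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in SAFE_XFO:
        findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif rp.strip().lower() not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy {rp!r} may leak full URLs cross-origin")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        result = audit(hdrs)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for line in result:
            print("  -", line)
```

To run it against a live site, replace the constructed dictionaries with the response headers from an HTTP client; `audit()` only needs a name-to-value mapping. A clean result is a necessary condition, not proof of a correct policy, since the CSP check does not evaluate every directive.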

Access control

Access to client systems is scoped to named engineers on the engagement, granted just-in-time, and revoked at handover. Production access requires SSO and hardware-key-backed MFA. Credentials are stored in an audited secrets manager, never in code or chat.

Incident response

We maintain a written incident response process covering detection, containment, client notification, and post-incident review. Notification timelines and contact protocols can be pinned in the DPA or MSA to match your regulatory obligations.

04 Compliance frameworks

We build to the standard your regulator requires.

We do not claim blanket certifications we do not hold. What follows is a list of frameworks our production work has actually engaged with, and where that engagement came from.

DIFC Data Protection Law No. 5 of 2020

Our own processing (marketing, cookies, contact intake) is built to DIFC DP Law standards. Consent, data subject rights, and cross-border transfer controls are implemented, not just documented.

DFSA Regulation 10

Magpie was designed against DFSA Regulation 10 for AI systems used by DFSA-authorised firms, including inventory, risk classification, human oversight, and logging obligations.

HIPAA & FDA Clinical Decision Support

Through the Brite engagement we have built AI systems scoped as decision support with human sign-off, with data handling aligned to HIPAA administrative, technical, and physical safeguards and to FDA CDS classification boundaries.

CBUAE, DHA, DOH, MOHAP, ADGM-FSRA

We work across these regimes on client engagements. Architectural choices are made to match the specific regulator in scope, not a generic checklist.

05 Sub-processors & third parties

A short list, disclosed on request.

For self-hosted deployments there are no Steinn Labs sub-processors in the client data flow. For managed engagements we use a small, deliberately narrow set of infrastructure and model providers. The specific sub-processor list for your engagement, along with the data categories each one processes, is shared as part of the DPA package.

Infrastructure

Tier-one cloud providers with UAE-region availability. Region pinning enforced. No cross-region replication without written client instruction.

AI model providers

Only when the client opts in. Enterprise/private endpoints with zero-retention and no-training terms preferred. Self-hosted open models available as an alternative.

Operational tooling

Source control, secrets management, and observability run on enterprise-tier vendors with SSO and audit logging. Client data is not stored in these systems.

Corporate systems

Email, contracts, and CRM are separate from delivery infrastructure and do not contain client production data.

06 Data subject & client rights

Deletion, access, and export are supported requests.

Clients and their end-users can request access, correction, export, or deletion of personal data we process on their behalf. For direct requests concerning Steinn Labs marketing and contact data, email privacy@steinnlabs.ae. For data processed inside a client deployment, requests should be routed through the client, who remains the data controller. We support these requests as a processor and respond within timelines set by DIFC DP Law or the engagement's DPA, whichever is stricter.

07 Audit & documentation

The documentation your compliance team needs, on request.

We can provide the following to prospective and active clients under NDA:

  • Security overview and control summary
  • VAPT executive summary letter
  • Data Processing Agreement (DPA) template
  • Sub-processor list scoped to your engagement
  • Architecture and data-flow diagrams for your deployment
  • Responses to vendor security questionnaires (SIG, CAIQ, custom formats)

We do not publish these documents publicly. Send a request and we will route it to the founders.

08 Frequently asked

The questions procurement actually asks.

Is Steinn Labs DIFC-regulated?

Steinn AI Labs Limited is a private company incorporated in the Dubai International Financial Centre (DIFC), commercial licence CL13762, DIFC registration SR-808691. DIFC is a common-law financial free zone with its own courts and data protection law. We are not currently a DFSA-authorised financial services firm, and we do not offer regulated financial services. We build software for firms that are.

Does Steinn Labs store or train on client data?

No. We do not train, fine-tune, or evaluate any model on client data unless a client explicitly commissions that work under a separate agreement. During an engagement we only retain the minimum working data required to deliver the project, and we return or delete it on request at the end of the contract.

Can Steinn Labs products be self-hosted?

Yes. Magpie, Steinn.ai, and custom systems we build are designed to run inside the client's own cloud account or on-premise environment. Inference can be routed to a self-hosted model, a private endpoint of a commercial provider, or a client-approved gateway. Third-party model calls are opt-in and never a default.

Has Steinn Labs undergone security testing?

Yes. Our production surfaces go through vulnerability assessment and penetration testing before public release and on a recurring cadence. We can share a summary letter under NDA on request. We do not publish exploit-level detail.

Can Steinn Labs sign a Data Processing Agreement (DPA)?

Yes. We maintain a DPA template aligned with DIFC Data Protection Law No. 5 of 2020 and can accommodate a client's own paper where required. Contact us and we will route the request to the founders.

Where is client data stored?

For self-hosted deployments, client data stays in the client's own infrastructure and never touches Steinn Labs systems. For managed or hosted engagements we default to UAE-region infrastructure on tier-one cloud providers, with region pinning and no cross-region replication unless a client requests it in writing.

09 Direct line

Have a specific security or compliance question?

Skip the sales funnel. Send it directly and one of the founders will respond, usually the same working day. Questionnaires, DPA reviews, and architecture questions are all in scope.