Built for buyers who cannot afford to guess.
Steinn Labs is a DIFC-incorporated company (Steinn AI Labs Limited, SR-808691) built for regulated-industry AI work. Our security and data-handling approach is centred on self-hosted deployment, UAE data residency, and auditability. This page details our incorporation status, security posture, and data-handling practices.
A verifiable, DIFC-registered entity.
DIFC is a common-law financial free zone in Dubai with its own courts, data protection regime (DIFC Data Protection Law No. 5 of 2020), and registrar. Contracting with a DIFC entity gives regulated buyers a familiar accountability structure and a clearer path for cross-border data agreements than a UAE mainland vendor.
The licence can be independently verified at difc.ae/operating/document-verification using code SR-808691. Steinn Labs is not currently authorised by the Dubai Financial Services Authority (DFSA) and does not provide regulated financial services.
Self-hosted first. Client data stays with the client.
Self-hosted deployment is the default
Our products and custom systems are designed to run inside the client's own cloud account or on-premise environment. In a self-hosted deployment, client data does not traverse Steinn Labs infrastructure and no third-party model provider is called unless the client explicitly configures one.
When we host, we host in-region
For managed or hosted engagements we default to UAE-region infrastructure on tier-one cloud providers, with region pinning and no cross-region replication unless a client requests it in writing.
What Steinn Labs retains
During delivery we retain only the working data required to build, test, and support the system. At the end of an engagement we return or delete client data on request. We do not keep shadow copies for internal use.
Model training on client data
No. We do not train, fine-tune, or evaluate any model on client data unless the client explicitly commissions that work under a separate agreement. Client data is never routed to a third-party model provider's training pipeline.
Verifiable practices, not policy theatre.
Vulnerability assessment & penetration testing
Production surfaces are put through VAPT before public release and on a recurring cadence, covering application, API, and authentication layers. A summary letter is available under NDA. We do not publish exploit-level detail.
Web application hardening
Our web properties enforce a strict Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Cookies are consent-gated in line with DIFC DP Law. This is verifiable in-browser today, not a future roadmap item.
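The header set above is the one thing on this page a buyer can check without an NDA. The script below is an added example, not code from the Steinn Labs site: it parses a raw HTTP response head and checks the five headers against a baseline that is my assumption, not the page's (HSTS max-age of at least one year with includeSubDomains, a CSP whose script sources carry no wildcard or unsafe-inline unless a nonce or hash is present, X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive, nosniff, and a referrer policy that never leaks the full URL cross-origin). The two sample responses are constructed for the example; `fetch_raw_head` is included so the same checks can be run against a live URL.

```python
import re
import urllib.request
from typing import Dict, Optional, Tuple

# Constructed sample responses for the example; not captured from any real site.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src * 'unsafe-inline'
Referrer-Policy: unsafe-url
"""

# Baseline thresholds are my assumptions for this example, not a published standard.
MIN_HSTS_AGE = 31536000  # one year in seconds
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head into a lower-cased name -> value dict.
    Repeated list-valued headers are joined with ', ' as RFC 9110 permits."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def _csp_directive(csp: str, name: str) -> Optional[str]:
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return " ".join(tokens[1:])
    return None


def check_headers(headers: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Return {check_name: (passed, reason)} for the five headers in the baseline."""
    results: Dict[str, Tuple[bool, str]] = {}

    hsts = headers.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    age = int(m.group(1)) if m else 0
    subdomains = "includesubdomains" in hsts.lower()
    results["hsts"] = (age >= MIN_HSTS_AGE and subdomains, f"max-age={age}, includeSubDomains={subdomains}")

    csp = headers.get("content-security-policy")
    if csp is None:
        results["csp"] = (False, "header missing")
    else:
        # script-src falls back to default-src when it is not set
        script = _csp_directive(csp, "script-src")
        if script is None:
            script = _csp_directive(csp, "default-src") or ""
        tokens = script.split()
        bad = [t for t in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:") if t in tokens]
        # CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is present (legacy fallback only)
        if "'unsafe-inline'" in bad and any(t.startswith(("'nonce-", "'sha")) for t in tokens):
            bad.remove("'unsafe-inline'")
        reason = f"script sources: {script or 'undefined'}" + (f"; weak tokens {bad}" if bad else "")
        results["csp"] = (not bad and script != "", reason)

    xfo = headers.get("x-frame-options", "").upper()
    frame_ancestors = _csp_directive(headers.get("content-security-policy", ""), "frame-ancestors")
    ok = xfo in {"DENY", "SAMEORIGIN"} or frame_ancestors is not None
    results["x-frame-options"] = (ok, xfo or (f"frame-ancestors {frame_ancestors}" if frame_ancestors else "missing"))

    xcto = headers.get("x-content-type-options", "").lower()
    results["x-content-type-options"] = (xcto == "nosniff", xcto or "missing")

    rp = headers.get("referrer-policy", "").lower()
    results["referrer-policy"] = (rp in SAFE_REFERRER, rp or "missing")
    return results


def audit(raw: str) -> Dict[str, Tuple[bool, str]]:
    """Parse and check a raw response head in one call."""
    return check_headers(parse_headers(raw))


def fetch_raw_head(url: str) -> str:
    """Fetch the status line and headers of a live URL (network access; not used by the samples)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        status = f"HTTP/1.1 {resp.status} {resp.reason}"
        return status + "\n" + "\n".join(f"{k}: {v}" for k, v in resp.getheaders())


if __name__ == "__main__":
    for label, raw in (("hardened sample", HARDENED), ("weak sample", WEAK)):
        print(label)
        for name, (passed, why) in audit(raw).items():
            print(f"  {'PASS' if passed else 'FAIL'} {name}: {why}")
```

Run it as-is to see the hardened sample pass every check and the weak one fail every check; replace the samples with `fetch_raw_head("https://example.com/")` to audit a real site. Note that a HEAD request can return a different header set from a GET on some servers, so confirm a failing result with a GET before reporting it.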
Access control
Access to client systems is scoped to named engineers on the engagement, granted just-in-time, and revoked at handover. Production access requires SSO and hardware-key-backed MFA. Credentials are stored in an audited secrets manager, never in code or chat.
Incident response
We maintain a written incident response process covering detection, containment, client notification, and post-incident review. Notification timelines and contact protocols can be pinned in the DPA or MSA to match your regulatory obligations.
We build to the standard your regulator requires.
We do not claim blanket certifications we do not hold. What follows is a list of frameworks our production work has actually engaged with, and where that engagement came from.
DIFC Data Protection Law No. 5 of 2020
Our own processing (marketing, cookies, contact intake) is built to DIFC DP Law standards. Consent, data subject rights, and cross-border transfer controls are implemented, not just documented.
DFSA Regulation 10
Magpie was designed against DFSA Regulation 10 for AI systems used by DFSA-authorised firms, including inventory, risk classification, human oversight, and logging obligations.
HIPAA & FDA Clinical Decision Support
Through the Brite engagement we have built AI systems scoped as decision support with human sign-off, with data handling aligned to HIPAA administrative, technical, and physical safeguards and to FDA CDS classification boundaries.
CBUAE, DHA, DOH, MOHAP, ADGM-FSRA
We work across these regimes on client engagements. Architectural choices are made to match the specific regulator in scope, not a generic checklist.
A short list, disclosed on request.
For self-hosted deployments there are no Steinn Labs sub-processors in the client data flow. For managed engagements we use a small, deliberately narrow set of infrastructure and model providers. The specific sub-processor list for your engagement, along with the data categories each one processes, is shared as part of the DPA package.
Infrastructure
Tier-one cloud providers with UAE-region availability. Region pinning enforced. No cross-region replication without written client instruction.
AI model providers
Only when the client opts in. Enterprise/private endpoints with zero-retention and no-training terms preferred. Self-hosted open models available as an alternative.
Operational tooling
Source control, secrets management, and observability run on enterprise-tier vendors with SSO and audit logging. Client data is not stored in these systems.
Corporate systems
Email, contracts, and CRM are separate from delivery infrastructure and do not contain client production data.
Deletion, access, and export are supported requests.
Clients and their end-users can request access, correction, export, or deletion of personal data we process on their behalf. For direct requests concerning Steinn Labs marketing and contact data, email privacy@steinnlabs.ae. For data processed inside a client deployment, requests should be routed through the client, who remains the data controller. We support these requests as a processor and respond within timelines set by DIFC DP Law or the engagement's DPA, whichever is stricter.
The documentation your compliance team needs, on request.
We can provide the following to prospective and active clients under NDA:
- Security overview and control summary
- VAPT executive summary letter
- Data Processing Agreement (DPA) template
- Sub-processor list scoped to your engagement
- Architecture and data-flow diagrams for your deployment
- Responses to vendor security questionnaires (SIG, CAIQ, custom formats)
We do not publish these documents publicly. Send a request and we will route it to the founders.
The questions procurement actually asks.
Is Steinn Labs DIFC-regulated?
Steinn AI Labs Limited is a private company incorporated in the Dubai International Financial Centre (DIFC), commercial licence CL13762, DIFC registration SR-808691. DIFC is a common-law financial free zone with its own courts and data protection law. We are not currently a DFSA-authorised financial services firm, and we do not offer regulated financial services. We build software for firms that are.
Does Steinn Labs store or train on client data?
No. We do not train, fine-tune, or evaluate any model on client data unless a client explicitly commissions that work under a separate agreement. During an engagement we only retain the minimum working data required to deliver the project, and we return or delete it on request at the end of the contract.
Can Steinn Labs products be self-hosted?
Yes. Magpie, Steinn.ai, and custom systems we build are designed to run inside the client's own cloud account or on-premise environment. Inference can be routed to a self-hosted model, a private endpoint of a commercial provider, or a client-approved gateway. Third-party model calls are opt-in and never a default.
Has Steinn Labs undergone security testing?
Yes. Our production surfaces go through vulnerability assessment and penetration testing before public release and on a recurring cadence. We can share a summary letter under NDA on request. We do not publish exploit-level detail.
Can Steinn Labs sign a Data Processing Agreement (DPA)?
Yes. We maintain a DPA template aligned with DIFC Data Protection Law No. 5 of 2020 and can accommodate a client's own paper where required. Contact us and we will route the request to the founders.
Where is client data stored?
For self-hosted deployments, client data stays in the client's own infrastructure and never touches Steinn Labs systems. For managed or hosted engagements we default to UAE-region infrastructure on tier-one cloud providers, with region pinning and no cross-region replication unless a client requests it in writing.
Have a specific security or compliance question?
Skip the sales funnel. Send it directly and one of the founders will respond, usually the same working day. Questionnaires, DPA reviews, and architecture questions are all in scope.