Data Security & Confidentiality

How Arkan protects sensitive legal, financial, and medical information - across every interpretation assignment and every document we translate.

Last updated: 2026-05-18 · For enterprise procurement review

This page documents the operational controls Arkan applies to client documents at every stage from intake to destruction. It is intended for legal, financial, healthcare, and corporate procurement reviewers conducting vendor due diligence. Where a control is contract-tier (available only on signed enterprise engagement), this is stated explicitly.

Document Custody Chain

Every document flows through a defined sequence with access-control boundaries between stages:

  1. Intake - file arrives via the contracted intake channel (see channel tiers below). On arrival, the file is tagged with a project number, hashed for integrity verification, and stored in a project-isolated folder. Files are never co-located with unrelated client work in shared folders.
  2. Operations check - the operations team reviews the source, the receiving authority, language pair, and certification tier. Access at this stage is limited to operations personnel.
  3. Translator assignment - the document is released to the assigned MOJ-licensed translator only after the translator's standing NDA is confirmed valid and the project's named-translator approval (where required) is on file.
  4. QA - a separate reviewer checks the certified translation against the source. QA access is project-scoped.
  5. Certification - the MOJ-licensed translator applies stamp and signature, takes personal legal responsibility for accuracy.
  6. Delivery - delivered through the contracted channel; hard-copy delivery is hand-handled, not left at shared reception areas.
  7. Destruction or extended retention - per the retention schedule (default 30 days post-delivery) or per the client's written instruction.

Intake Channels - Three Tiers

Channel choice depends on the sensitivity of the document and the regulatory context of the matter. The tiers are mapped to suitability rather than to preference.

Tier Channel Suitable For
Tier 1 WhatsApp (E2E) Routine personal documents - birth, marriage, degree, IDs
Tier 2 Encrypted email or scheduled office drop-off Standard corporate translation - contracts, HR documents, registration filings
Tier 3 Operator-agreed secure channel (client's portal, encrypted email, controlled cloud folder, or other mutually approved channel) Enterprise high-sensitivity - litigation evidence, M&A, medical records, IP filings

Tier 3 is configured per engagement. The secure intake channel is agreed with the client before work begins and documented in the SOW; NDA execution precedes any file transfer. For full intake details and the high-sensitivity workflow, see Secure Intake - Enterprise Tier.

Encryption at Rest and in Transit

  • In transit: TLS 1.2 minimum (TLS 1.3 where supported) for all uploads, downloads, and API traffic. HSTS enforced on the production domain.
  • At rest: AES-256 server-side encryption on the cloud-storage provider's hardened infrastructure. Project folders are access-controlled and audit-logged.
  • Workstations: full-disk encryption on every device that handles client documents.
  • Ephemeral processing: documents are not cached on intermediate proxies; CDN caching is disabled for authenticated routes.

Access Controls

Role-based access with a need-to-know boundary at every stage:

  • Operations and admin staff: project metadata and intake artifacts only, not certified output.
  • Assigned translator: source document and translation working file for the assigned project only. No standing read access to other projects.
  • QA: project-scoped read access to source + draft translation only.
  • Certified-output release: gated to the licensed translator who signs the certification.
  • Audit log retained per project. Access logs available on enterprise contract for chain-of-evidence review.

Subcontractor Vetting (Non-Arabic/English Pairs)

Arkan's MOJ License #701 covers Arabic ↔ English. For other language pairs, work is routed to contracted MOJ-licensed translators (each holding their own MOJ license) or - where no UAE MOJ translator exists for the pair - issued under Arkan company certification (DUL #CJ9803). Every contracted translator passes the following gate before any file release:

  • Identity verification (Emirates ID where applicable + MOJ license lookup with the Ministry).
  • Standing NDA executed with Arkan of scope equivalent to in-house staff.
  • Sample-test pass for the relevant subject matter (legal, medical, technical, etc.).
  • Re-vetting annually; on lapse of MOJ license, immediate de-listing.
  • For special-category cases (active litigation, medical records, M&A diligence, IP filings): named-translator approval on file, with the translator disclosed to the enterprise client under NDA before assignment.

The chain of confidentiality does not break at the subcontractor boundary. The NDA each contracted translator signs binds them to the same obligations Arkan owes the client.

Document Destruction Policy

  • Default retention: 30 days post-delivery for project working files (source + translation drafts).
  • Extended retention: on written client request, configurable per project (e.g., 90 days, 1 year, contract term).
  • Method: cryptographic erasure where the storage layer supports it; secure overwrite otherwise; cross-cut shred for any paper artifacts.
  • Certificate of destruction: available on enterprise contract; issued within 5 business days of destruction event.
  • MOJ ledger retention exception: MOJ-licensed translators have a regulatory duty to retain a copy of certified translations for the period prescribed by the Ministry. These copies are held in a sealed, access-restricted archive separate from active project storage and are not used for any purpose other than MOJ verification on request.

Incident Response

In the event of a confirmed personal-data breach, Arkan will:

  • Contain the incident and assess the scope of affected data.
  • Notify the affected data subjects and the UAE Data Office without undue delay, per UAE PDPL Article 9.
  • For enterprise contracts: notify the named contract contact within the SLA window (default 24 hours from confirmation; tighter windows negotiable).
  • Provide a post-incident report covering root cause, remediation, and preventive measures.

Incident-response contact: info@arkanlegaltranslation.ae with subject "Security Incident".

Physical Custody

Both registered offices accept appointment-based hand-offs. Procedure:

  • Appointment booked in advance through info@arkanlegaltranslation.ae or WhatsApp.
  • Photo ID checked on arrival; receipt issued with project number and chain-of-custody timestamp.
  • Documents are not left at shared reception areas; the hand-off is direct to operations personnel.
  • For high-sensitivity originals, a courier with chain-of-custody documentation can be arranged.

Office addresses:

  • The One Tower, Office 1302, 13th Floor, Barsha Heights, Dubai
  • Tower Plaza Hotel, Office 1204B, Floor 12, Sheikh Zayed Road, Dubai

Our registered offices are located in serviced commercial buildings. Client documents are not left in shared reception or common areas. Hard-copy intake is accepted only by an authorized team member, logged where required, and stored separately from public or shared office areas.

Compliance Posture

  • UAE PDPL: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. Arkan operates as a data controller for client engagement data and as a processor where contractually appointed for client-owned data.
  • DIFC Data Protection Law: applied for DIFC-arbitration matters where the client is a DIFC-registered entity.
  • MOJ ledger duty: regulatory retention obligation on MOJ-licensed translators for certified work.
  • AML / CFT KYC: applied for high-value engagements or matters touching sanctioned jurisdictions; screening against UAE Cabinet's targeted financial sanctions list per CBUAE AML/CFT regulations.

Enterprise Mutual NDA

For enterprise engagements, a Mutual NDA precedes any file transfer. See the Mutual NDA Framework for scope, term, and standard clauses.

Reporting a Security Concern

Suspected breach, social-engineering attempt against Arkan staff, or any concern with how a document was handled:

Email: info@arkanlegaltranslation.ae (subject "Security Concern")
WhatsApp: +971 50 709 1633

Related Pages

Enterprise Procurement Mutual NDA Framework Secure Intake Privacy Policy Terms of Service Contact
ARKAN

Search

Popular: Legal Interpretation Medical Interpretation Legal Translation Attestation Arkan Go Document Check Enterprise Procurement Data Security Mutual NDA Framework Why Arkan Contact
Check My Document