Our compliance framework. Documented for partners.
Doro Technologies Ltd is registered in the Dubai International Financial Centre under licence CL12687, with data protection registration SR-708142 and registered office at Innovation One, Level 1, Zaa'beel Second, Dubai International Financial Centre, Dubai, UAE.
Software infrastructure. Not a payment provider.
What Doro does
- Provides a closed software platform for verified UAE real estate businesses
- Generates structured payment links anchored to verified property transactions
- Coordinates buyer identity verification, source of funds documentation, and audit trail
- Orchestrates settlement across one or more licensed payment partners, and hands every regulated step on every leg (custody, conversion, and settlement) to those partners
- Maintains a full audit log of every action
What Doro does not do
- Custody, hold, convert, or transmit funds, at any stage or on any leg
- Make the regulated approval decision on a transaction
- Operate as a payment provider, MSB, or VASP
- Hold itself out as a regulated financial institution
- Make compliance decisions that override licensed counterparties
Doro is registered in the DIFC as a software house under licence CL12687. Doro is not a DFSA Authorised Firm and does not perform DFSA-regulated activities.
Two independent layers of control
Doro and the licensed payment partners play different roles in the decision chain. Understanding the asymmetry is important to partners considering integration.
The licensed partners decide regulated activity
Whether a buyer's identity passes KYC, whether a wallet is clear of sanctions exposure, whether source of funds is satisfactory, and whether funds may be released. These are decisions made by licensed parties under their own regulatory authorisations. Where a payment moves through more than one licensed partner, each partner makes its own regulated decision for its own leg. Doro does not make these decisions and does not override them.
Doro decides platform participation
Doro reserves the right to decline to provide its service to any counterparty or transaction, including where a licensed partner would proceed. A payment link created on Doro is not guaranteed to become live or active. If our internal controls surface concerns about the originating business, the documentation, the buyer profile, or any other factor, Doro will decline to issue or maintain the link.
Any layer can stop a transaction. No layer can compel another to proceed. The decline of any single leg by the partner responsible for it prevents the transaction from proceeding.
Doro is never in the flow of funds
Doro does not receive, hold, pool, convert, or transmit a buyer's funds at any point. Settlement runs as a sequence of legs performed by licensed partners, each under its own authorisation.
- The buyer funds the transaction into an account provided by a licensed partner in the buyer's own name. No account used to receive, hold, convert, or transmit funds is owned or controlled by Doro.
- Where a currency or asset conversion is required, it is performed by the responsible licensed partner at that partner's rate and spread. Where settlement spans two partners, for example currency conversion followed by local-market settlement, each partner handles its own leg and passes the proceeds onward.
- The buyer authorises the receipt, conversion, and onward transfer as an express instruction within the payment flow. The destination for each leg is set by the responsible partner and shown to the buyer. The buyer is not asked to specify a destination of their own.
- Every acceptance and instruction is recorded with a timestamp and identifier and forms part of the transaction audit trail.
Three gates before any transaction
Doro is not accessible to the general public. Every transaction passes through three layers of control.
01 / 03 Verified business
- Active UAE trade licence (DED, free zone, or DIFC)
- Registration with the Dubai Land Department
- Beneficial ownership verification (UBOs at or above 25%)
- Sanctions, PEP, and adverse media screening on each UBO and authorised signatory
- Agency bank account holder name verified against trade licence
- UAE PASS authentication for staff
- Active RERA broker registration for licensed agents
02 / 03 Verified transaction
- Sale and Purchase Agreement (SPA) required
- Title deed reference cross-checked against Dubai Land Department records
- Form F (DLD's official sale and purchase agreement) collected and retained
- Property valuation reviewed against transaction amount
- Seller identity matched against registered owner on title deed
- Beneficiary bank account holder name matched against seller of record
- Documents ingested through structured platform flows including verified WhatsApp ingestion
03 / 03 Verified approval
- Agency-level approval workflow before any payment link is issued
- Every approval logged with timestamp and identifier of the approver
- Multi-party commission splits documented with named recipients
- All payment links carry an immutable identifier and audit trail
- Screening continues through to settlement, and across each payment where a transaction settles in stages
Documented, reviewed, accountable
Doro maintains a documented compliance framework covering anti-money laundering, counter-terrorist financing, sanctions, data protection, and operational risk. The framework is implemented through internal policies, supporting procedures, automated controls, and outsourced specialist functions. Our AML and CTF framework is aligned to the current UAE regime, including Federal Decree-Law No. 10 of 2025 and Cabinet Resolution No. 134 of 2025, as amended or replaced from time to time.
AML and CTF policy
Full policy with documented customer due diligence, sanctions screening, and SAR procedures. Reviewed annually and on material change.
Customer due diligence
Buyer identity verification is performed by the licensed partners' regulated verification providers. Doro orchestrates the verification but is not the controller of buyers' identity documents or biometric data. Where a transaction involves more than one licensed partner, or settles in stages, a buyer's verification can be reused across partners and stages, with a liveness confirmation, so the buyer is not verified from scratch each time. Each partner runs its own checks and makes its own regulated decision.
Doro pre-screening
Before a link is issued, Doro conducts sanctions, PEP, and adverse media pre-screening through a specialist provider under a data processing agreement with Doro. This informs Doro's platform participation decision and does not replace the regulated due diligence performed by the licensed partners.
Sanctions screening
UN, OFAC, EU, UK, and UAE local lists. Real-time matching at onboarding, transaction time, and on list updates.
Wallet and transaction screening
Blockchain analytics screening on every wallet, performed by licensed payment partners.
Data protection
DIFC DPL compliance. Active ROPA, DPIA, breach notification, and data subject rights procedures. Doro is the controller for platform data, save for buyers' identity documents and biometric records, for which the relevant licensed partner or its regulated verification provider is the controller.
Audit and record keeping
Immutable audit log on every action. Retention aligned to UAE AML and DIFC commercial law standards.
Controls built for property transactions
Real estate carries distinct AML risks. Documentary fraud, title manipulation, valuation games, and structured payments across multi-party splits. Generic fintech compliance does not cover these. Doro's platform-level controls are calibrated for the realities of UAE property transactions.
- Title deed verification. Every title deed reference is cross-checked against Dubai Land Department records.
- Form F collection.DLD's official sale and purchase agreement is collected and retained on every transaction.
- Property valuation review. Transaction amount cross-checked against property valuation, with material variance triggering enhanced review.
- Identity-to-deed matching. Seller identity verified against the registered owner on the title deed.
- Beneficiary name matching. Bank account holder name matched against seller of record before any settlement instruction is issued.
- Multi-party commission discipline. Each commission split recipient documented and verified before payment.
- Cross-deal pattern analysis.Properties, sellers, buyers, and agents monitored for unusual patterns across the platform's deal history.
- Staged and off-plan payment discipline. Where a purchase settles in stages, such as an off-plan deposit followed by scheduled payments, each stage is treated as part of the same transaction, and screening continues across each stage through to settlement.
Verifiable. Public. On the record.
Doro registrations
- DIFC Commercial Licence: CL12687, issued 19 February 2026 (verify)
- DIFC Data Protection Registration: SR-708142 (verify)
- Registered office: Innovation One, Level 1, DIFC, Dubai
Operational partners
- Buyer identity verification and biometric liveness: performed by the licensed partners' regulated verification providers. Doro is not the controller of this data.
- Sanctions, PEP, and adverse media pre-screening: specialist provider under a DPA with Doro.
- Wallet and transaction screening: blockchain analytics, engaged via licensed payment partners.
- Cloud infrastructure: AWS Middle East (Bahrain region), under standard AWS Data Processing Addendum.
- Federated identity authentication: UAE PASS for UAE residents.
- Licensed payment partners: payment processing, custody, currency and virtual asset conversion, onward transfer, and settlement, across one or more licensed partners.
Third-party security certifications such as ISO 27001 and SOC 2 are part of Doro's roadmap. We list them here when we hold them, not before.
What we can share
Doro maintains a complete set of compliance documentation, available to partners and counterparties under NDA. The full pack is provided on request and updated continuously as our framework evolves.
- AML and CTF Policy (full document)
- Customer Due Diligence Procedure
- Sanctions Screening Procedure
- Suspicious Activity Reporting Procedure
- Outsourcing and Vendor Management Policy
- Data Protection Compliance Programme and ROPA
- Processor and independent controller list with DPA status
- Payment partner responsibility matrix, setting out which licensed partner is responsible for each leg of settlement
- DIFC Commercial Licence and Certificate of Incumbency
- DIFC Data Protection Registration confirmation
- Sample audit log entry from a completed transaction (redacted)
Point of contact
Mohamed Kheir, Chief Executive Officer. For compliance, partner due diligence, and data protection inquiries. mohamed@paywithdoro.com
Document control
| Item | Detail |
|---|---|
| Document title | Compliance framework page |
| Version | 1.1 |
| Effective date | 1 July 2026 |
| Supersedes | Version 1.0 (1 April 2026) |
| Owner | Mohamed Kheir, Chief Executive Officer |
| Review cycle | Annual at minimum, and on material change |
Innovation One, Level 1, Zaa'beel Second
Dubai International Financial Centre, Dubai, UAE
DIFC Registration No. CL12687
Data Protection Registration No. SR-708142
mohamed@paywithdoro.com