Tax advisory for cybersecurity firms, data centres, and digital forensics.
Managed security services — standard-rated. Penetration testing — place of supply rules. Incident response — emergency vs retainer billing. SOC-as-a-service — electronically supplied.
Co-location — supply of services (not property lease). Cloud hosting — electronically supplied service. Disaster recovery — composite supply analysis. Power and cooling recharges.
Data analytics and insights — standard-rated. PDPL compliance consulting — standard-rated. Data subject access request processing. Data protection officer (DPO) outsourcing.
Bahrain's Personal Data Protection Law (PDPL) requires data controllers and processors to implement appropriate security measures. Fines for non-compliance: up to BD 20,000. These fines are not VAT-deductible. However, consulting fees for PDPL compliance are standard-rated and the input VAT is fully recoverable.
