Operayde
Regulatory brief · Saudi Arabia · PDPL (Royal Decree M/19) · in force · Updated 10 Apr 2026

KSA PDPL — Operayde's in-Kingdom data posture

How the Operayde appliance satisfies Saudi Arabia's Personal Data Protection Law (PDPL), including the data-residency and cross-border transfer requirements of Article 29 and the Regulation on Personal Data Transfer outside the Kingdom.

Effective: 14 September 2023, with a one-year grace period; enforcement from 14 September 2024.

Why PDPL is different

Saudi Arabia's PDPL starts from a restrictive default: personal data of people in the Kingdom stays in the Kingdom unless Article 29 and the Transfer Regulations permit the transfer, which means a destination SDAIA has assessed as providing adequate protection, appropriate safeguards put in place by the controller, or one of the narrow enumerated cases (for example, protecting a data subject's vital interests). The burden is on the controller to show that a transfer fits one of those routes; the safe position is not to transfer at all.

For regulated customers (banks supervised by SAMA, insurers under SAMA's conduct rules, healthcare providers under MoH circulars) the supervisory expectation is stronger still: production AI workloads that touch customer data are expected to be in-Kingdom from the first byte.

How the appliance maps

Article 29 — cross-border transfer. The appliance runs every inference locally. Prompts, context documents and responses remain inside the customer's premises; the only outbound traffic is metadata (health signals, audit-chain commitment hashes, policy bundle ETags), none of which contains personal data by construction. For customers that further lock down outbound connectivity, the appliance operates in residency mode: every central-plane call is brokered through the customer's mTLS-protected reverse tunnel, never made directly from the appliance.

Article 19 — security measures. The appliance enforces encryption at rest (LUKS2), measured boot, Secure Boot with a customer-rooted trust chain, and mTLS-only workload communication. Administrative access requires MFA, and every administrative action is written into the same signed audit chain as the workload events.

Article 4 — data subject rights (destruction). The appliance exposes a tenant-scoped erasure endpoint: on request, a data subject's prompts and associated audit lines are severed from the chain. The content of each affected line is replaced with a [REDACTED] marker while its commitment hash is retained, so the links on either side still verify and the erasure itself is recorded under a re-signed chain head. Chain integrity is preserved for every other subject, and the tenant keeps a verifiable record that the erasure happened.
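To make the erasure mechanism concrete, here is an added example of a redactable hash chain written for this page; it is not the appliance's own code, and its layout (per-line random nonce, commitment = SHA-256 over seq/subject/nonce/payload, chain links computed over commitments only, HMAC as a stand-in for the head signature) is an assumed construction that satisfies the property described above. The nonce is the important detail: because it is deleted together with the payload, the commitment hash that stays behind cannot be used to confirm a guessed prompt, which is what lets the retained hash count as non-personal metadata. The sample audit lines are constructed.

```python
import hashlib
import hmac
import json
import secrets

REDACTED = "[REDACTED]"
# Stand-in for the appliance's head-signing key (assumption). A real chain would use
# an asymmetric signature so that verifiers never hold the signing key.
HEAD_KEY = b"demo-head-signing-key"


def _h(*parts: bytes) -> str:
    """SHA-256 over length-prefixed parts, so field boundaries cannot be shifted."""
    buf = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(buf).hexdigest()


def _commit(seq: int, subject: str, nonce: str, payload: str) -> str:
    # The random nonce is what makes a retained commitment safe to keep after erasure:
    # without it, the hash of a short prompt could be confirmed by guessing.
    return _h(str(seq).encode(), subject.encode(), bytes.fromhex(nonce), payload.encode())


class AuditChain:
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.head = _h(b"genesis")
        self.head_sig = self._sign(self.head)

    @staticmethod
    def _sign(head: str) -> str:
        return hmac.new(HEAD_KEY, head.encode(), hashlib.sha256).hexdigest()

    def append(self, subject: str, payload: str) -> int:
        seq = len(self.entries)
        nonce = secrets.token_hex(16)
        c = _commit(seq, subject, nonce, payload)
        self.entries.append({"seq": seq, "subject": subject, "nonce": nonce,
                             "payload": payload, "commitment": c, "redacted": False})
        # Links are computed over commitments only, so a link survives redaction of its line.
        self.head = _h(self.head.encode(), c.encode())
        self.head_sig = self._sign(self.head)
        return seq

    def erase_subject(self, subject: str, request_id: str) -> int:
        """Sever one data subject's lines; returns the number of lines redacted."""
        n = 0
        for e in self.entries:
            if not e["redacted"] and e["subject"] == subject:
                # Payload, subject identifier and nonce go; the commitment stays.
                e.update(subject=REDACTED, nonce=None, payload=REDACTED, redacted=True)
                n += 1
        # The erasure is itself an audited event: appending it re-signs the head. It carries
        # only the request id, never the subject identifier that was just erased.
        self.append("system", json.dumps({"event": "erasure", "request": request_id, "lines": n}))
        return n

    def verify(self) -> bool:
        head = _h(b"genesis")
        for e in self.entries:
            if not e["redacted"] and _commit(e["seq"], e["subject"], e["nonce"], e["payload"]) != e["commitment"]:
                return False  # a live line was altered after it was committed
            head = _h(head.encode(), e["commitment"].encode())
        # Any altered, dropped or reordered commitment, redacted or not, changes the head.
        return head == self.head and hmac.compare_digest(self.head_sig, self._sign(head))


if __name__ == "__main__":
    chain = AuditChain()  # constructed sample lines follow
    chain.append("subject-A", "prompt: summarise my Q3 loan statement")
    chain.append("subject-B", "prompt: draft a reply to a customer complaint")
    chain.append("subject-A", "response: summary of Q3 loan statement")
    assert chain.verify()
    chain.erase_subject("subject-A", "DSR-0001")
    assert chain.verify() and chain.entries[1]["payload"].startswith("prompt")
    print(json.dumps(chain.entries, indent=1))
```

Two things worth noting about this construction. The `redacted` flag is trusted by `verify`, so an operator with write access to the log could hide a line by flipping it; what stops that from being silent is the appended erasure record, which is the only path that legitimately re-signs the head, so an unexplained redacted line with no matching erasure event is itself a finding. And because verification never needs the nonce of a redacted line, the nonce can be destroyed rather than escrowed, which is the difference between "erased" and "hidden".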

Article 20 — breach notification. The central plane surfaces fleet-wide security telemetry; the appliance's local agent raises a security_event signal, and the central incident service maps it onto the 72-hour clock for notifying the Saudi Data & AI Authority (SDAIA), which under the Implementing Regulations starts when the controller becomes aware of the breach. We generate the raw material and the timeline; the customer, as controller, decides whether the event meets the notification threshold.

Our position

Operayde's Riyadh-region central plane is operated in line with SDAIA's requirements for controllers and processors under the PDPL. Customers can select the ksa-central residency profile at deploy time; it pins every control-plane API call to the KSA region and rejects any configuration that would route a call elsewhere.

For a signed copy of our PDPL gap analysis (useful as an annex to customer DPIAs), email compliance@operayde.com.