IDFA

Compliance & Trust

We govern our own AI the way we help clients govern theirs.

We are an AI-native firm, and we govern our own AI the way we help clients govern theirs. Our engagements are aligned with the Kingdom's regulatory frameworks: PDPL, the NCA Essential Cybersecurity Controls, the SAMA Cybersecurity Framework, and SDAIA's responsible-AI guidelines. We govern our AI practice to ISO/IEC 42001 and our information security to ISO/IEC 27001. We design for in-Kingdom data residency and sovereign-compatible architecture, with human oversight built into every workflow.

Frameworks and how we work with them.

We help clients become aligned and audit-ready. We are explicit about what is a certification, what is alignment, and what is design intent.

PDPL

Personal Data Protection Law

Engagements aligned

Overseen by SDAIA

We help clients comply with PDPL data-handling obligations, including the 72-hour breach-notification window to SDAIA. We never describe ourselves as 'PDPL-certified.' We help you align.

NCA ECC

National Cybersecurity Authority Essential Cybersecurity Controls

Engagements aligned

National Cybersecurity Authority

We design and operationalize controls mapped to NCA ECC, including the NCNICC baseline for non-CNI private-sector entities where relevant.

SAMA CSF

SAMA Cybersecurity Framework

Engagements aligned

Saudi Central Bank

We help financial institutions move from gap assessment to continuous, audit-ready alignment with SAMA's framework expectations.

SDAIA

Saudi Data and AI Authority, responsible-AI guidelines

Engagements aligned

Saudi Data and AI Authority

Our work follows SDAIA's responsible-AI guidelines, including transparency, human oversight, and Arabic-first language support.

ISO/IEC 42001

AI Management System


International standard

We govern our AI practice to ISO/IEC 42001. This pairs with SDAIA's responsible-AI guidelines as our internal AI management baseline.

ISO/IEC 27001

Information Security Management


International standard

We govern our information security to ISO/IEC 27001. Status confirmed per engagement on request.

How we treat data and decisions.

In-Kingdom data residency

We design for in-Kingdom residency by default. Where cross-border processing is required, we document it and obtain explicit consent.

Human oversight

Every workflow we build has a defined human-in-command point. Agents do not act unattended in regulated paths.

Traceable AI

Every model output we deliver in production is grounded in retrievable context, with a documented evidence trail.

Sovereign-compatible architecture

We deploy on architectures that can run inside Kingdom-controlled environments where the engagement requires it.

PDPL is live, and the stakes are real.

PDPL has been in full enforcement since 14 September 2024. Fines reach SAR 5 million per violation, doubled for repeat offenses, and breaches must be notified to SDAIA within 72 hours. We help you build the muscle to handle all three: enforcement, fines, and notification.


Want a copy of our governance posture?

We share a detailed trust pack with clients and prospective partners on request.