02

Executive summary

A machine-validated control-to-test traceability matrix spanning PDPL articles, audit findings, claim-boundary lines, and runtime controls. 177 controls tracked. Sanitized summary on this page; the signed reviewer bundle carries the full matrix with control-level mappings on request.

The live pilot includes breach-register management, subject-rights SLA tracking, consent withdrawal, subject export PDF, transfer-risk-assessment registers, and related admin/regulator/dashboard surfaces. The May 4 customer-route cutover baseline (current) continues to bootstrap its startup master key through Alibaba KMS; the May 16 GCP Dammam drill-standby exercise validates DNS/GKE/TLS routing only; the April 21 guarded rollout baseline remains a dated deployment proof.

PDPL enforcement is operational. As of January 2026, SDAIA confirmed 48 enforcement decisions covering unlawful processing, weak security controls, and unconsented marketing — administrative fines up to SAR 5 million, doubled for repeat violations, with intentional sensitive-data violations carrying up to two years' imprisonment. The control matrix, signed reviewer bundle, and machine-readable compliance records on this page are the implementation answer to that environment: not a future-risk story, but a here-now accountability surface that reviewers can verify independently.

Control traceability
177 controls tracked; 156 include test references

Open the public control-matrix JSON or Markdown to inspect the current full-matrix summary counts, PDPL article-scoped sub-counts, and coverage posture. Request the signed reviewer bundle for control-level references.

Reviewer bundle
Ed25519-signed reviewer bundle with verification instructions

The reviewer pack explains how to verify the manifest, signature, and included control-matrix artifacts independently.

PDPL source-of-truth
Authoritative PDPL text and per-citation audit tooling

The authoritative SDAIA-published PDPL English text is included in-repo, and a per-citation validator audits article references across the codebase.

Browser Guard
Detector and audit controls for in-browser AI submission checks

The Eid hardening track documents full bilingual labels, live-detect fallback, signed policy refresh, seven-day browser audit chains, telemetry upload, and performance-budget evidence for Browser Guard.

03

PDPL coverage + audit trail

Seven published artifacts buyers can open right now. Public matrix summary, reviewer brief, control matrix (JSON + Markdown), public trust report, reviewer pack, PDPL citation audit, and billing-integrity proof.

PDPL coverage
The control matrix spans PDPL articles with authoritative article text from the SDAIA-published English PDPL source. The public artifact exposes buyer-safe PDPL posture counts, while the signed reviewer bundle carries the control-level mappings.

Open public matrix summary →

Audit findings
Internal audit findings remain first-class controls in the private matrix and reviewer bundle, so qualified reviewers can trace audit-visible issues to code, tests, and dated evidence rather than to summary prose alone.

Open reviewer brief →

Control matrix
Machine-readable and human-readable public summary of the control inventory, PDPL posture, and coverage posture. Control-level implementation, test, and evidence mappings stay inside the signed reviewer bundle.

Open JSON →
Open Markdown →

Public trust report
Sanitized public summary of what the control matrix proves: substantiation counts, last validation time, and explicit claim-boundary caveats without internal file paths or reviewer-only mappings.

Open report →
Open JSON →

Compliance reviewer pack
Buyer-safe reviewer brief for the signed compliance bundle: scope, verification steps, current counts, and known limits.

Open reviewer pack →

PDPL citation audit
The authoritative SDAIA-published PDPL English text is included in-repo at docs/pdpl-text/, and scripts/validate_pdpl_citations.py enables automated audit of article references across the codebase.

Read trust notes →
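To make concrete what a per-citation validator of the kind described above has to do, here is an added example (not the project's scripts/validate_pdpl_citations.py, whose internals are not on this page). It builds the set of article numbers from the headings of the authoritative text, then scans source files for "PDPL Article N" / "PDPL Art. N(x)" references and reports any that point at an article the text does not contain. The heading format, the citation syntax, and both input texts are constructed assumptions for the example.

```python
import re

# Constructed excerpt standing in for the in-repo PDPL English text under
# docs/pdpl-text/: only the article headings matter to this validator, so the
# bodies are elided. The real file is the SDAIA-published text.
PDPL_TEXT_EXCERPT = """\
Article 1: ...
Article 2: ...
Article 3: ...
Article 4: ...
Article 5: ...
"""

# Constructed source file with one plain, one sub-clause, and one bogus citation.
SAMPLE_SOURCE = """\
def export_subject_data(subject_id):
    # Export scope follows PDPL Article 4(2); see also PDPL Art. 2.
    ...

def retention_check(record):
    # PDPL Article 47 does not exist in the authoritative text.
    ...
"""

HEADING_RE = re.compile(r"^Article\s+(\d+)\s*:", re.MULTILINE)
# A citation is only counted when it carries the "PDPL" prefix, so a bare
# "Article 9" in a comment about some other law is not flagged.
CITATION_RE = re.compile(r"\bPDPL\s+Art(?:icle|\.)\s*(\d+)((?:\(\w+\))*)")


def index_articles(pdpl_text: str) -> set[int]:
    """Article numbers that actually exist in the authoritative text."""
    return {int(m.group(1)) for m in HEADING_RE.finditer(pdpl_text)}


def find_citations(source: str) -> list[tuple[int, int, str, str]]:
    """(line_no, article, sub-clauses, raw_text) for every PDPL citation in a file."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in CITATION_RE.finditer(line):
            hits.append((line_no, int(m.group(1)), m.group(2), m.group(0)))
    return hits


def validate_citations(source: str, known: set[int]) -> list[tuple[int, str, str]]:
    """(line_no, raw_citation, reason) for each citation that cannot be traced
    back to an article heading in the authoritative text."""
    problems = []
    for line_no, article, _sub, raw in find_citations(source):
        if article not in known:
            problems.append((line_no, raw, f"article {article} is not in the authoritative PDPL text"))
    return problems


def audit(pdpl_text: str, sources: dict[str, str]) -> dict[str, list]:
    """Run the check over a {path: content} map; an empty dict means the audit passed."""
    known = index_articles(pdpl_text)
    report = {}
    for path, content in sources.items():
        problems = validate_citations(content, known)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    print(audit(PDPL_TEXT_EXCERPT, {"app/subject_rights.py": SAMPLE_SOURCE}))
```

Wiring this into CI so that a non-empty report fails the build is what turns a citation into something a reviewer can trace rather than trust: the check only passes when every article number in code has a matching heading in the authoritative text.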

Billing integrity
Billing events are written with SHA-256 hash chain continuity and HMAC authentication for newer records. Retention is enforced at the data layer with a 10-year minimum; deletions within retention are refused and produce a companion compliance record.

Open reviewer pack →

Browser Guard controls
The detector/audit architecture covers the full 26-category bilingual label registry, authenticated live /v1/detect with a bundled detector floor, signed policy refresh, browser-local SHA-256 audit chains, paired-device telemetry upload, latency-budget evidence, and a separate recall corpus. Public claims remain bounded to documented controls until deployment evidence is refreshed.

Request reviewer evidence →
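The billing-integrity card and the Browser Guard card both rest on the same primitive: a SHA-256 hash chain in which each record commits to its predecessor. The following added example (not the product's code) shows that chain with the two billing-specific additions the page describes, an HMAC tag on each record and a retention gate that refuses deletion inside the 10-year minimum while writing a companion compliance record. Field names, the canonical-JSON encoding, tagging the chain hash rather than the raw event, and the sample events are assumptions; the page states HMAC only for newer records, while here every record is tagged.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Page facts: SHA-256 hash-chain continuity, HMAC on records, 10-year minimum
# retention. Everything else below is an example design choice.
RETENTION_MINIMUM = timedelta(days=365 * 10)
GENESIS_HASH = "0" * 64  # "previous hash" of the first record


def canonical(obj) -> bytes:
    """Deterministic encoding so the hash does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class BillingLedger:
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key  # constructed; a real deployment keeps this in a KMS
        self.records: list[dict] = []
        self.compliance_records: list[dict] = []

    def append(self, event: dict, at: str) -> dict:
        """Append an event; `at` is an ISO-8601 timestamp with offset."""
        prev = self.records[-1]["hash"] if self.records else GENESIS_HASH
        body = {"seq": len(self.records), "at": at, "event": event, "prev": prev}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        tag = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        record = dict(body, hash=digest, hmac=tag)
        self.records.append(record)
        return record

    def verify(self) -> tuple[bool, str]:
        """Walk the chain from genesis, re-deriving every hash and HMAC."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return False, f"chain break at seq {i}"
            body = {k: rec[k] for k in ("seq", "at", "event", "prev")}
            if hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
                return False, f"hash mismatch at seq {i}"
            expected = hmac.new(self._key, rec["hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["hmac"]):
                return False, f"hmac mismatch at seq {i}"
            prev = rec["hash"]
        return True, "ok"

    def request_deletion(self, seq: int, requested_by: str, now: str) -> dict:
        """Retention gate: refuse deletion inside the retention window and write a
        companion compliance record either way. Physical removal after the window
        is left to the caller; the page does not describe that path."""
        rec = self.records[seq]
        age = datetime.fromisoformat(now) - datetime.fromisoformat(rec["at"])
        decision = "refused" if age < RETENTION_MINIMUM else "permitted"
        compliance = {
            "type": "billing_deletion_request",
            "seq": seq,
            "record_hash": rec["hash"],
            "requested_by": requested_by,
            "at": now,
            "age_days": age.days,
            "decision": decision,
            "reason": f"record age {age.days}d vs retention minimum {RETENTION_MINIMUM.days}d",
        }
        self.compliance_records.append(compliance)
        return compliance


if __name__ == "__main__":
    ledger = BillingLedger(b"constructed-demo-key")
    ledger.append({"invoice": "INV-1", "amount_sar": 100}, "2026-01-01T00:00:00+00:00")
    ledger.append({"invoice": "INV-2", "amount_sar": 250}, "2026-01-02T00:00:00+00:00")
    print(ledger.verify())
    print(ledger.request_deletion(0, "ops", "2026-02-01T00:00:00+00:00")["decision"])
    ledger.records[1]["event"]["amount_sar"] = 1  # tamper with a stored event
    print(ledger.verify())
```

The hash gives continuity (an edited or dropped record changes every digest after it); the HMAC adds authenticity (someone who can rewrite storage but lacks the key cannot re-chain a forged history). The browser-local audit chain in Browser Guard is the hash-only half of this construction.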

04

How to verify

Two commands. Numbers and wording matter on a compliance page — validate them from the published JSON and the signed reviewer bundle, not from screenshots or forwarded notes.

curl -s https://datasitr.com/resources/control_matrix.json | jq '.summary'
python3 scripts/verify_compliance_reviewer_bundle.py <bundle-path> --trusted-public-key <trusted-key.pem>
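The second command above, and the reviewer-bundle card in the previous section, describe verifying a manifest and an Ed25519 signature over the bundle's artifacts. The following is an added illustration of what such a verifier has to check, not the project's scripts/verify_compliance_reviewer_bundle.py, whose bundle layout is not on this page. It assumes a flat directory holding the artifacts, a manifest.json of SHA-256 digests, and a detached manifest.sig, and it uses the `cryptography` package for Ed25519; the artifact content is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

MANIFEST = "manifest.json"   # assumed file names for this example
SIGNATURE = "manifest.sig"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_bundle(bundle_dir: Path, artifacts: dict[str, bytes], key: Ed25519PrivateKey) -> None:
    """Publisher side (assumed layout): write artifacts, a manifest of their
    SHA-256 digests, and an Ed25519 signature over the exact manifest bytes."""
    bundle_dir.mkdir(parents=True, exist_ok=True)
    files = {}
    for name, data in artifacts.items():
        (bundle_dir / name).write_bytes(data)
        files[name] = sha256_file(bundle_dir / name)
    manifest_bytes = json.dumps({"files": files}, sort_keys=True, separators=(",", ":")).encode()
    (bundle_dir / MANIFEST).write_bytes(manifest_bytes)
    (bundle_dir / SIGNATURE).write_bytes(key.sign(manifest_bytes))


def verify_bundle(bundle_dir: Path, trusted_key_pem: bytes) -> tuple[bool, str]:
    """Reviewer side: trust only the key supplied out of band, check the signature
    before acting on anything the manifest says, then check every listed file and
    reject files the manifest does not cover."""
    public = serialization.load_pem_public_key(trusted_key_pem)
    if not isinstance(public, Ed25519PublicKey):
        return False, "trusted key is not an Ed25519 public key"
    try:
        manifest_bytes = (bundle_dir / MANIFEST).read_bytes()
        signature = (bundle_dir / SIGNATURE).read_bytes()
    except FileNotFoundError as exc:
        return False, f"bundle incomplete: {exc.filename}"
    try:
        public.verify(signature, manifest_bytes)
    except InvalidSignature:
        return False, "manifest signature invalid"
    files = json.loads(manifest_bytes)["files"]
    for name, expected in files.items():
        if Path(name).name != name:  # no sub-paths or traversal in a flat bundle
            return False, f"unsafe artifact name {name!r}"
        path = bundle_dir / name
        if not path.is_file():
            return False, f"missing artifact {name}"
        if sha256_file(path) != expected:
            return False, f"hash mismatch for {name}"
    unlisted = {p.name for p in bundle_dir.iterdir()} - set(files) - {MANIFEST, SIGNATURE}
    if unlisted:
        return False, f"unlisted files in bundle: {sorted(unlisted)}"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Round trip in a temp directory: good bundle, wrong trusted key, tampered artifact."""
    key = Ed25519PrivateKey.generate()
    pem_fmt = (serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    pem = key.public_key().public_bytes(*pem_fmt)
    other_pem = Ed25519PrivateKey.generate().public_key().public_bytes(*pem_fmt)
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "reviewer-bundle"
        # Constructed artifact content; the real bundle carries the full matrix.
        build_bundle(bundle, {"control_matrix.json": b'{"summary":{"controls":177}}'}, key)
        results = {"valid": verify_bundle(bundle, pem), "wrong_key": verify_bundle(bundle, other_pem)}
        (bundle / "control_matrix.json").write_bytes(b'{"summary":{"controls":200}}')
        results["tampered"] = verify_bundle(bundle, pem)
    return results


if __name__ == "__main__":
    print(demo())
```

Two ordering points matter here: the trusted key comes from outside the bundle (a bundle that ships its own key proves nothing), and the signature is checked before the manifest's file list is used for anything, so an attacker-controlled manifest cannot steer the verifier. The hash check then ties each artifact to the signed manifest, and the unlisted-file check stops extra material riding along under a valid signature.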

The benchmark page publishes the current public detector benchmark snapshot, and the resources page links to the latest load-baseline and precision/recall JSON artifacts.

05

Operational security controls

Day-to-day controls that sit alongside the documented PDPL evidence. None of these replaces the external attestation listed in published constraints, but together they describe how the running system is monitored, scanned, and gated against drift.

  • Edge WAF: Cloud Armor blocks OWASP Top 10 attack patterns at the Dammam drill-standby ingress during exercises; pre-configured rule sets for SQL injection, cross-site scripting, local and remote file inclusion, and remote code execution are attached to the GKE Ingress backend.
  • Uptime monitoring: Cloud Monitoring uptime checks poll /healthz every five minutes from three global regions; the operator is alerted by email if the pass rate falls below 50% over a three-minute window.
  • Vulnerability scan program: OWASP ZAP, nuclei, and Trivy run on a documented cadence with registered-DPO review; the workflow lives at .github/workflows/security-scan.yml and findings are stored under evidence/security-scans/.
  • Security questionnaire library: docs/security/questionnaire-response-library.md covers the categories enterprise procurement and vendor security teams ask about, and is available to qualified buyers on request alongside the signed reviewer bundle.
  • HA evidence freshness gate: CI refuses to ship if the high-availability drill evidence is older than 168 hours; stale evidence blocks the next deploy until a new drill is captured and signed with the published Ed25519 key.

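The freshness gate in the last bullet is a small check with several ways to get it wrong, so here is an added example of the age decision (not the project's CI code). It assumes the drill evidence record carries a `captured_at` ISO-8601 field and has already passed its Ed25519 signature check, and it refuses not only stale evidence but also evidence with a missing, unparseable, timezone-less, or future-dated timestamp, since any of those would otherwise let a deploy through on evidence whose age cannot be established.

```python
from datetime import datetime, timedelta

MAX_EVIDENCE_AGE = timedelta(hours=168)  # page: refuse if drill evidence is older than 168 hours


def parse_ts(raw: str) -> datetime:
    """ISO-8601 with a trailing Z or an explicit offset; older Pythons reject the Z form."""
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def evidence_gate(evidence: dict, now: str, max_age: timedelta = MAX_EVIDENCE_AGE) -> tuple[bool, str]:
    """(ship_allowed, reason). `evidence` is the drill record's metadata (field name
    assumed); `now` is the CI clock as an ISO-8601 string with offset."""
    raw = evidence.get("captured_at")
    if not raw:
        return False, "evidence has no captured_at timestamp"
    try:
        captured = parse_ts(raw)
    except ValueError:
        return False, f"unparseable captured_at {raw!r}"
    if captured.tzinfo is None:
        # A naive timestamp could be read in any zone; do not guess.
        return False, "captured_at must carry a timezone offset"
    age = parse_ts(now) - captured
    if age < timedelta(0):
        return False, f"captured_at is {-age} ahead of the CI clock; refusing skewed evidence"
    hours = age.total_seconds() / 3600
    if age > max_age:
        return False, f"evidence is {hours:.1f}h old, limit is {max_age.total_seconds() / 3600:.0f}h"
    return True, f"evidence is {hours:.1f}h old"


if __name__ == "__main__":
    # Constructed evidence record and CI clock.
    print(evidence_gate({"captured_at": "2026-05-18T12:00:00Z"}, "2026-05-20T12:00:00Z"))
    print(evidence_gate({"captured_at": "2026-05-10T12:00:00Z"}, "2026-05-20T12:00:00Z"))
```

Treating the boundary as "older than 168 hours" means evidence exactly 168 hours old still ships; tightening that is a one-line change, but whichever reading is chosen should match the published wording.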
06

Published constraints

Every constraint we publish lives here, in one place, by design. Every other page on this site links to this list rather than maintaining its own — procurement, security, and legal reviewers all read the same wording.

  • External penetration test: not yet completed by an independent third party.
  • Provider SCC / DPA / TIA package: not yet completed; no external counsel sign-off claimed today.
  • SOC 2 / ISO 27001 certification: controls implemented in product; independent audit planned, not yet booked.
  • Tenant BYOK + HSM custody: out of scope for current live claims; KMS startup bootstrap on the serving ACK image is the live boundary.
  • Multi-AZ ACK ingress + Dammam drill standby: Multi-AZ ACK ingress with verified cutover + 4-hour soak; operator-directed GCP Dammam drill-standby exercise completed for DNS/GKE/TLS routing. Remaining boundaries: cross-cloud DB replication, auth failover, HSM custody, regulator-issued certification, full-vault verification, and unplanned full-region failure tolerance.
  • Regulator approval: not claimed today; current regulatory standing (NDGP-registered, SDAIA application in progress) is published in writing on /trust.

Evaluate with the evidence in hand.

Evaluate →