# DataSitr Public Control Matrix Summary

> This public artifact exposes buyer-safe per-control summaries while intentionally excluding implementation, test, evidence, source-reference, and provenance paths.
>
> Full control mappings remain available through the signed compliance reviewer bundle on request.
>
> Regulatory citations resolve to the SDAIA-published PDPL Implementing Regulations baseline at <https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2>.

## Summary

- Total controls tracked: `177`
- Controls with tests: `156`
- Controls with external dependency: `14`
- Controls currently carrying `coverage_gap=true`: `5`

## PDPL Posture

- Distinct PDPL articles referenced: `20`
- PDPL control entries with verbatim article descriptions: `23`
- PDPL control entries with test coverage: `22`
- PDPL control entries with external dependency: `2`
- PDPL control entries still in `coverage_gap`: `2`

## Controls By Type

| Type | Count |
|------|-------|
| `audit_finding` | 21 |
| `billing_integrity` | 7 |
| `claim_boundary` | 49 |
| `operational_principle` | 5 |
| `pdpl_article` | 25 |
| `routing_control` | 9 |
| `runtime_control` | 61 |

## Controls By Substantiation

| Substantiation | Count |
|----------------|-------|
| `code_test` | 148 |
| `dated_live_evidence` | 16 |
| `external_fact` | 13 |

## Public Control Index

| Control ID | Type | Substantiation | Remediation | Coverage gap | Tests | Evidence |
|------------|------|----------------|-------------|--------------|-------|----------|
| `PDPL-ART-05-LAWFULNESS-CONSENT-WITHDRAWAL` | `pdpl_article` | `code_test` |  | no | 3 | 2 |
| `PDPL-ART-01-11-SENSITIVE-DATA-DEFINITION` | `pdpl_article` | `code_test` |  | no | 2 | 3 |
| `PDPL-ART-18-DATA-DESTRUCTION` | `pdpl_article` | `code_test` |  | no | 3 | 3 |
| `PDPL-ART-29-CROSS-BORDER-TOKENIZATION` | `pdpl_article` | `code_test` |  | no | 3 | 2 |
| `PDPL-ART-04-DATA-SUBJECT-RIGHTS-FRAMEWORK` | `pdpl_article` | `code_test` |  | no | 3 | 2 |
| `PDPL-ART-07-CONSENT-NON-BUNDLING` | `pdpl_article` | `code_test` |  | no | 5 | 3 |
| `PDPL-ART-09-SUPPORTING-RIGHTS-BOUNDARY` | `pdpl_article` | `external_fact` |  | yes (acceptable) | 0 | 3 |
| `PDPL-ART-10-DATA-MINIMIZATION` | `pdpl_article` | `code_test` |  | no | 4 | 3 |
| `PDPL-ART-12-TRANSPARENT-DISCLOSURE` | `pdpl_article` | `code_test` |  | no | 2 | 3 |
| `PDPL-ART-13-COLLECTION-NOTICE` | `pdpl_article` | `code_test` |  | no | 2 | 3 |
| `PDPL-ART-04-1-RIGHT-TO-BE-INFORMED` | `pdpl_article` | `code_test` |  | no | 3 | 3 |
| `PDPL-ART-04-2-RIGHT-TO-ACCESS` | `pdpl_article` | `code_test` |  | no | 3 | 3 |
| `PDPL-ART-04-3-RIGHT-TO-PORTABILITY` | `pdpl_article` | `code_test` |  | no | 2 | 3 |
| `PDPL-ART-04-4-RIGHT-TO-RECTIFICATION` | `pdpl_article` | `code_test` |  | no | 3 | 2 |
| `PDPL-ART-04-5-RIGHT-TO-DESTRUCTION` | `pdpl_article` | `code_test` |  | no | 3 | 2 |
| `PDPL-ART-14-DATA-ACCURACY-VERIFICATION` | `pdpl_article` | `code_test` |  | no | 2 | 2 |
| `PDPL-ART-15-DISCLOSURE-PERMITTED-SITUATIONS` | `pdpl_article` | `code_test` |  | no | 2 | 2 |
| `PDPL-ART-16-DISCLOSURE-PROHIBITIONS` | `pdpl_article` | `code_test` |  | no | 2 | 2 |
| `PDPL-ART-17-CORRECTION-PROPAGATION` | `pdpl_article` | `code_test` | REMEDIATED | no | 5 | 3 |
| `PDPL-ART-19-TECHNICAL-AND-ORGANISATIONAL-MEASURES` | `pdpl_article` | `external_fact` |  | yes (acceptable) | 0 | 3 |
| `PDPL-ART-20-BREACH-NOTIFICATION` | `pdpl_article` | `code_test` |  | no | 1 | 2 |
| `PDPL-ART-22-DPIA-WORKFLOWS` | `pdpl_article` | `code_test` |  | no | 5 | 3 |
| `PDPL-ART-28-LEGACY-CROSS-BORDER-CITATION` | `pdpl_article` | `code_test` |  | no | 1 | 3 |
| `PDPL-ART-30-COMPETENT-AUTHORITY-AND-DPO` | `pdpl_article` | `external_fact` |  | no | 0 | 5 |
| `PDPL-ART-31-RECORDS-OF-PROCESSING-ACTIVITIES` | `pdpl_article` | `code_test` |  | no | 4 | 3 |
| `AUDIT-001-RAW-PII-EXTERNAL-LEAK-PROTECTION` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 1 |
| `AUDIT-003-BREACH-DEADLINE-ENFORCEMENT` | `audit_finding` | `code_test` | REMEDIATED | no | 2 | 2 |
| `AUDIT-007-CONSENT-WITHDRAWAL-DATA-LAYER` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 1 |
| `AUDIT-002-PREWRITE-COMPLIANCE-RECORDS` | `audit_finding` | `code_test` | REMEDIATED | no | 5 | 2 |
| `AUDIT-004-ARABIC-NER-SAFETY-GATE` | `audit_finding` | `code_test` | REMEDIATED | no | 4 | 2 |
| `AUDIT-005-DETECTION-SAFETY-FLOORS` | `audit_finding` | `code_test` | REMEDIATED | no | 4 | 2 |
| `AUDIT-006-SUBJECT-RIGHTS-SLA-ENFORCEMENT` | `audit_finding` | `code_test` | REMEDIATED | no | 4 | 2 |
| `AUDIT-008-JSONL-ROTATION-CHAIN-BRIDGE` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 2 |
| `AUDIT-009-RESTRICTED-HANDLING-SAFE-DEFAULTS` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 2 |
| `AUDIT-010-UNIVERSAL-TRANSFER-RECORDS` | `audit_finding` | `code_test` | REMEDIATED | no | 2 | 2 |
| `AUDIT-011-EVIDENCE-KEY-HARDENING` | `audit_finding` | `code_test` | REMEDIATED | no | 4 | 2 |
| `AUDIT-012-DATABASE-RETENTION-CONSTRAINTS` | `audit_finding` | `code_test` | REMEDIATED | no | 2 | 2 |
| `AUDIT-013-ENV-PERMISSIONS-FAIL-CLOSED` | `audit_finding` | `code_test` | REMEDIATED | no | 2 | 2 |
| `AUDIT-014-ROTATION-SCRIPT-KEY-LEAK` | `audit_finding` | `code_test` | REMEDIATED | no | 1 | 1 |
| `AUDIT-015-LEGACY-KDF-V1-DEPRECATION` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 2 |
| `AUDIT-016-REGULATOR-IP-DENIAL-ALERTING` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 2 |
| `AUDIT-017-QUASI-RISK-POLICY-SEPARATION` | `audit_finding` | `code_test` | REMEDIATED | no | 3 | 2 |
| `AUDIT-018-DTE-ARBITER-SAFETY-FLOOR` | `audit_finding` | `code_test` | REMEDIATED | no | 4 | 1 |
| `AUDIT-019-PER-TENANT-SENSITIVE-THRESHOLD-OVERRIDE-MISSING` | `audit_finding` | `code_test` | REMEDIATED | no | 5 | 3 |
| `AUDIT-020-OBFUSCATED-FRAGMENT-SILENT-DROP` | `audit_finding` | `code_test` | REMEDIATED | no | 6 | 5 |
| `AUDIT-021-TREND-HISTORY-DISCLOSURE-FRAGMENTATION` | `audit_finding` | `external_fact` | REMEDIATED | no | 0 | 4 |
| `CLAIM-VAULT-AES256GCM-PER-TENANT-DERIVATION` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `CLAIM-THREE-LANE-PII-ROUTING` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `CLAIM-DETECTOR-PRESIDIO-SAUDI-RECOGNIZERS` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `CLAIM-OIDC-SSO-COOKIE-RECOVERY` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `CLAIM-TENANT-ISOLATION-LAYERS` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-REGULATED-TENANT-MAPPING-FAIL-CLOSED` | `claim_boundary` | `code_test` |  | no | 1 | 2 |
| `CLAIM-PROCESSING-RECORD-INTEGRITY-NEWER-HMAC` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-REDIS-RATE-LIMIT-AUTH-BRUTEFORCE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-PROVIDER-CIRCUIT-BREAKERS` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-ENCRYPTED-OFFHOST-BACKUPS` | `claim_boundary` | `dated_live_evidence` |  | no | 1 | 2 |
| `CLAIM-GUARDED-DEPLOY-ROLLBACK` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-SECURITY-TXT-DISCLOSURE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-KMS-STARTUP-BOOTSTRAP-LIVE` | `claim_boundary` | `dated_live_evidence` |  | no | 1 | 3 |
| `CLAIM-ACK-TWO-POD-TWO-NODE-PROOF` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-ARABIC-NER-LIVE-ACK-PROOF` | `claim_boundary` | `dated_live_evidence` |  | no | 1 | 2 |
| `CLAIM-PLANNED-ACK-CONTINUITY-PROOF` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-DASHBOARD-LOGIN-SUBMIT-HARDENING` | `claim_boundary` | `code_test` |  | no | 5 | 1 |
| `CLAIM-SELF-ASSESSED-SECURITY-SCANS` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-COMPLIANCE-GOVERNANCE-REGISTERS-LIVE` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `CLAIM-CONSENT-WITHDRAWAL-AND-PDF-LIVE` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `CLAIM-COMPLIANCE-API-SURFACES-LIVE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-COMPLIANCE-METRICS-LIVE-IN-CODE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-COMPLIANCE-DASHBOARD-SURFACES-LIVE` | `claim_boundary` | `dated_live_evidence` |  | yes (medium) | 0 | 2 |
| `CLAIM-SDAIA-DPIA-PHASES-LIVE` | `claim_boundary` | `code_test` |  | no | 1 | 2 |
| `CLAIM-DASHBOARD-HTML-NO-CACHE` | `claim_boundary` | `code_test` |  | no | 1 | 2 |
| `CLAIM-OIDC-CALLBACK-FAILURE-REDIRECT` | `claim_boundary` | `code_test` |  | no | 1 | 2 |
| `CLAIM-DETECTOR-SAUDI-NAME-CORPUS-LIVE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-DETECTOR-FP-SUPPRESSION-LIVE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-DETECTOR-MIXED-SCRIPT-RECOVERY-LIVE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-DETECTOR-P95-CLOSURE-LIVE` | `claim_boundary` | `code_test` |  | no | 1 | 2 |
| `CLAIM-TENANT-BYOK-HSM-EXPANSION-PENDING` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-INDEPENDENT-SECURITY-REVIEW-PENDING` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-SIGNED-TRANSFER-PACKAGE-PENDING` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-IMMUTABLE-EVIDENCE-NOT-LIVE` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-SOC2-ISO27001-NOT-OBTAINED` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-PDPL-LEGAL-OPINION-NOT-OBTAINED` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-PUBLIC-LOAD-BASELINE-BOUNDED` | `claim_boundary` | `dated_live_evidence` |  | no | 1 | 3 |
| `CLAIM-GOVERNANCE-WORKFLOWS-NOT-YET-EXERCISED` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-DPO-AND-AI-AGENT-REGISTRATION` | `claim_boundary` | `external_fact` |  | no | 0 | 0 |
| `CLAIM-BROWSER-SESSION-PROOF-SCOPE` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 3 |
| `CLAIM-SELF-CONTAINED-OPERATIONS` | `claim_boundary` | `code_test` |  | no | 3 | 3 |
| `CLAIM-FORGEJO-CI-RUNTIME` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-CONTROL-MATRIX-CI-VALIDATED` | `claim_boundary` | `code_test` |  | no | 1 | 3 |
| `CLAIM-COMPLIANCE-JSONL-SINGLE-POD-BOUNDARY` | `claim_boundary` | `code_test` |  | no | 1 | 2 |
| `CLAIM-BILLING-INTEGRITY-LIVE` | `claim_boundary` | `code_test` |  | no | 2 | 2 |
| `CLAIM-GREEN-LANE-LEGAL-MEMO-INTERNAL-ONLY` | `claim_boundary` | `dated_live_evidence` |  | no | 0 | 2 |
| `CLAIM-ROPA-DRILLDOWN-LOCAL-ONLY` | `claim_boundary` | `code_test` |  | no | 1 | 3 |
| `CLAIM-DETECTOR-BENCHMARK-SNAPSHOT-PUBLISHED` | `claim_boundary` | `code_test` |  | no | 7 | 4 |
| `CLAIM-BYOK-CODE-READY-NOT-LIVE` | `claim_boundary` | `code_test` |  | no | 3 | 2 |
| `ROUTE-GREEN-LANE-TOKENIZATION-GATE` | `routing_control` | `code_test` |  | no | 6 | 2 |
| `ROUTE-RED-LANE-SENSITIVE-DATA-BLOCK` | `routing_control` | `code_test` |  | no | 2 | 2 |
| `PRINCIPLE-SELF-CONTAINED-OPERATION` | `operational_principle` | `code_test` |  | no | 1 | 3 |
| `BILLING-HASH-CHAIN-INTEGRITY` | `billing_integrity` | `code_test` |  | no | 2 | 2 |
| `BILLING-RETENTION-GATE` | `billing_integrity` | `code_test` |  | no | 2 | 2 |
| `RUNTIME-VAULT-AES256GCM-ENCRYPTION` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `RUNTIME-KMS-MASTER-KEY-BOOTSTRAP` | `runtime_control` | `code_test` |  | no | 2 | 3 |
| `ROUTE-AMBER-IN-KINGDOM-ENFORCEMENT` | `routing_control` | `code_test` |  | no | 2 | 2 |
| `ROUTE-BLOCK-LANE-FAIL-CLOSED` | `routing_control` | `code_test` |  | no | 1 | 2 |
| `ROUTE-LOW-CONFIDENCE-REROUTE` | `routing_control` | `code_test` |  | no | 1 | 2 |
| `ROUTE-LANE-SCOPED-PROVIDER-FAILURE` | `routing_control` | `code_test` |  | no | 2 | 2 |
| `ROUTE-ARABIC-NER-DEGRADED-REROUTE` | `routing_control` | `code_test` |  | no | 2 | 2 |
| `ROUTE-QUASI-RISK-POLICY-GATE` | `routing_control` | `code_test` |  | no | 1 | 2 |
| `DETECTOR-TECHNICAL-TEXT-FP-SUPPRESSION` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `DETECTOR-MIXED-SCRIPT-SAUDI-NAME-RECOVERY` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `COMPLIANCE-PROCESSING-REGISTER-INTEGRITY` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `COMPLIANCE-TRANSFER-REGISTER-INTEGRITY` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `COMPLIANCE-BREACH-REGISTER-INTEGRITY` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `COMPLIANCE-SUBJECT-RIGHTS-REGISTER-INTEGRITY` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `COMPLIANCE-TRA-REGISTER-INTEGRITY` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `COMPLIANCE-CHAIN-VERIFICATION-ENDPOINTS` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `BILLING-VERIFY-CHAIN-ENDPOINT` | `billing_integrity` | `code_test` |  | no | 2 | 1 |
| `BILLING-DELETION-TOMBSTONE-COMPANION` | `billing_integrity` | `code_test` |  | no | 2 | 1 |
| `BILLING-DECIMAL-PRECISION` | `billing_integrity` | `code_test` |  | no | 1 | 1 |
| `BILLING-INTEGRITY-METRICS` | `billing_integrity` | `code_test` |  | no | 1 | 1 |
| `BILLING-HMAC-ROTATION-COMPATIBILITY` | `billing_integrity` | `code_test` |  | no | 1 | 1 |
| `WEBHOOK-SIGNED-DELIVERY` | `runtime_control` | `code_test` |  | no | 1 | 1 |
| `WEBHOOK-SSRF-ALLOWLIST-VALIDATION` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `WEBHOOK-DURABLE-QUEUE-DELIVERY` | `runtime_control` | `code_test` |  | no | 1 | 1 |
| `RUNTIME-RATE-LIMIT-ENFORCEMENT` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `RUNTIME-CORS-LOCKDOWN` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `SURFACED-RUNTIME-API-KEY-HMAC-DECOUPLING` | `runtime_control` | `code_test` |  | no | 4 | 3 |
| `COMPLIANCE-INTEGRITY-METRICS` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `PRINCIPLE-SELF-CONTAINED-ALLOWLIST-BOUNDARY` | `operational_principle` | `code_test` |  | no | 1 | 2 |
| `RUNTIME-INBOX-MONITOR-LOCAL-GATEWAY` | `runtime_control` | `code_test` |  | no | 3 | 3 |
| `RUNTIME-SAUDI-DATA-ENCLAVE-CUSTODY` | `runtime_control` | `code_test` |  | no | 5 | 3 |
| `RUNTIME-SAUDI-TRAINING-PREFLIGHT` | `runtime_control` | `code_test` |  | no | 5 | 3 |
| `RUNTIME-HEALTH-NONBLOCKING-AUTHZ-SUMMARY` | `runtime_control` | `code_test` |  | no | 2 | 3 |
| `RUNTIME-DEPLOY-PACKAGE-OPERATIONAL-DATA-EXCLUSION` | `runtime_control` | `code_test` |  | no | 3 | 3 |
| `RUNTIME-API-HEAD-HEALTH-PROBES` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `RUNTIME-INBOX-MONITOR-RECEIPT-RETENTION` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `RUNTIME-DATA-ENCLAVE-AUDIT-CHAIN-ROTATION` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `RUNTIME-DASHBOARD-LANE-BADGE-FAIL-CLOSED` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `PROCESS-DETECTOR-AND-EXCEPTION-HARDENING-PLANS` | `operational_principle` | `external_fact` |  | yes (medium) | 1 | 2 |
| `HA.001` | `runtime_control` | `dated_live_evidence` |  | yes (medium) | 1 | 6 |
| `HA.002` | `routing_control` | `external_fact` |  | no | 0 | 2 |
| `HA.003` | `runtime_control` | `dated_live_evidence` |  | no | 1 | 2 |
| `HA.004` | `runtime_control` | `code_test` |  | no | 4 | 3 |
| `HA.005` | `operational_principle` | `dated_live_evidence` |  | no | 2 | 5 |
| `CONTROL-PLANE-SA-ID-CHECKSUM` | `runtime_control` | `code_test` |  | no | 3 | 1 |
| `CONTROL-PLANE-PROVIDER-MODEL-ALLOWLIST-DEFAULT-DENY` | `runtime_control` | `code_test` |  | no | 3 | 1 |
| `CONTROL-PLANE-AUDIT-VERIFY-PARTIAL-JSON-BROKEN` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-AUDIT-APPEND-FAILURE-SYSTEM-TRAIL` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-PER-TENANT-AUDIT-CHAINS` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-AUDIT-TENANT-MARKER-CHAIN` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-AUDIT-GLOBAL-CHAIN-MIGRATION` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-SHADOW-GATEWAY-HOOK` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-SHADOW-COMPARE-EVENT-MINIMIZATION` | `runtime_control` | `code_test` |  | no | 2 | 1 |
| `CONTROL-PLANE-SHADOW-FAILURE-ISOLATION` | `runtime_control` | `code_test` |  | no | 3 | 1 |
| `CONTROL-PLANE-SHADOW-DIVERGENCE-METRICS` | `runtime_control` | `code_test` |  | no | 3 | 1 |
| `CONTROL-PLANE-SIGNED-POLICY-LOAD` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `CONTROL-PLANE-SIGNED-POLICY-TAMPER-REJECT` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `CONTROL-PLANE-POLICY-VERSION-BUMP-AUDIT` | `runtime_control` | `code_test` |  | no | 1 | 2 |
| `BREACH-DESK-EVENT-SCHEMA-ROUNDTRIP` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `BREACH-DESK-DEADLINE-COUNTDOWN` | `runtime_control` | `code_test` |  | no | 3 | 2 |
| `BREACH-DESK-FILE-REGISTER-API` | `runtime_control` | `code_test` |  | no | 3 | 2 |
| `BREACH-DESK-AUDIT-REGISTERED-EVENT` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `BREACH-DESK-AUDIT-72H-NOTIFICATION-PROOF` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `BREACH-DESK-AUDIT-STATE-TRANSITIONS` | `runtime_control` | `code_test` |  | no | 4 | 2 |
| `BREACH-DESK-AUDIT-TENANT-ISOLATION-SANITIZATION` | `runtime_control` | `code_test` |  | no | 4 | 2 |
| `BREACH-DESK-CLI-LIFECYCLE-COMMANDS` | `runtime_control` | `code_test` |  | no | 4 | 2 |
| `BREACH-DESK-CLI-NOTIFICATION-RECORDING-NO-SEND` | `runtime_control` | `code_test` |  | no | 3 | 2 |
| `BREACH-DESK-CLI-RUNBOOK-REPORT-COUNTDOWN` | `runtime_control` | `code_test` |  | no | 4 | 2 |
| `BREACH-DESK-NOTIFICATION-DRAFT-AUTHORITY` | `runtime_control` | `code_test` |  | no | 3 | 3 |
| `BREACH-DESK-NOTIFICATION-DRAFT-SUBJECT` | `runtime_control` | `code_test` |  | no | 2 | 3 |
| `BREACH-DESK-NOTIFICATION-GLOSSARY-VERIFIED` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `CONTROL-PLANE-MAIL-GUARD-METADATA-SCOPE` | `operational_principle` | `code_test` |  | no | 2 | 1 |
| `COMPLIANCE-MATRIX-SDAIA-AI-ADOPTION-MAPPING` | `runtime_control` | `code_test` |  | no | 2 | 3 |
| `COMPLIANCE-MATRIX-NCA-CYBERSECURITY-MAPPING` | `runtime_control` | `code_test` |  | no | 2 | 3 |
| `COST-OPTIMIZER-USAGE-TRACKING` | `runtime_control` | `code_test` |  | no | 3 | 2 |
| `COST-OPTIMIZER-PSEUDONYMOUS-USER-HASH` | `runtime_control` | `code_test` |  | no | 2 | 2 |
| `COST-OPTIMIZER-USAGE-AUDIT-EVENT-BUCKETED` | `runtime_control` | `code_test` |  | no | 3 | 2 |

## Implementing Regulation Cross-Reference

Each row links the control to the SDAIA-published PDPL Implementing Regulation or Cross-Border Transfer Regulation article(s) that elaborate the obligation. Every citation resolves to the same source page: <https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2>.

| Control ID | Implementing Regulation citation(s) |
|------------|--------------------------------------|
| `PDPL-ART-05-LAWFULNESS-CONSENT-WITHDRAWAL` | [Implementing Regulation Art. 11 — Consent](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 12 — Consent withdrawal](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-01-11-SENSITIVE-DATA-DEFINITION` | [Implementing Regulation Art. 25.1.a — DPIA triggered by Sensitive Data processing](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-18-DATA-DESTRUCTION` | [Implementing Regulation Art. 8 — Right to Request Destruction](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-29-CROSS-BORDER-TOKENIZATION` | [Cross-Border Transfer Regulation Art. 2 — General Provisions](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Cross-Border Transfer Regulation Art. 5 — Appropriate safeguards (BCR / SCC / Certifications / Codes of Conduct)](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Cross-Border Transfer Regulation Art. 8 — Risk Assessment of Transfer](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-04-DATA-SUBJECT-RIGHTS-FRAMEWORK` | [Implementing Regulation Art. 3 — General provisions for Data Subject Rights](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 10 — Means of Communication](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-07-CONSENT-NON-BUNDLING` | [Implementing Regulation Art. 11 — Consent](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-09-SUPPORTING-RIGHTS-BOUNDARY` | [Implementing Regulation Art. 3 — General provisions for Data Subject Rights](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-10-DATA-MINIMIZATION` | [Implementing Regulation Art. 19 — Data Minimisation](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 18 — Purpose limitation](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 15 — Collecting Data from Third Parties](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-12-TRANSPARENT-DISCLOSURE` | [Implementing Regulation Art. 4 — Right to be informed](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 20 — Disclosure of Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-13-COLLECTION-NOTICE` | [Implementing Regulation Art. 4 — Right to be informed (notice at collection)](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-04-1-RIGHT-TO-BE-INFORMED` | [Implementing Regulation Art. 4 — Right to be informed](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-04-2-RIGHT-TO-ACCESS` | [Implementing Regulation Art. 5 — Right of access to Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 6 — Right to Request Access to Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-04-3-RIGHT-TO-PORTABILITY` | [Implementing Regulation Art. 6 — Readable-format portability](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-04-4-RIGHT-TO-RECTIFICATION` | [Implementing Regulation Art. 7 — Right to Request Correction](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 22 — Correction of Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-04-5-RIGHT-TO-DESTRUCTION` | [Implementing Regulation Art. 8 — Right to Request Destruction](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-14-DATA-ACCURACY-VERIFICATION` | [Implementing Regulation Art. 22 — Correction of Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-15-DISCLOSURE-PERMITTED-SITUATIONS` | [Implementing Regulation Art. 20 — Disclosure of Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-16-DISCLOSURE-PROHIBITIONS` | [Implementing Regulation Art. 20 — Disclosure limits](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-17-CORRECTION-PROPAGATION` | [Implementing Regulation Art. 7 — Right to Request Correction](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Implementing Regulation Art. 22 — Correction of Personal Data](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-19-TECHNICAL-AND-ORGANISATIONAL-MEASURES` | [Implementing Regulation Art. 23 — Information Security](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-20-BREACH-NOTIFICATION` | [Implementing Regulation Art. 24 — Notification of Personal Data Breach](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-22-DPIA-WORKFLOWS` | [Implementing Regulation Art. 25 — Impact Assessment](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-28-LEGACY-CROSS-BORDER-CITATION` | [Cross-Border Transfer Regulation Art. 2 — General Provisions](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-30-COMPETENT-AUTHORITY-AND-DPO` | [Implementing Regulation Art. 32 — Data Protection Officer](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `PDPL-ART-31-RECORDS-OF-PROCESSING-ACTIVITIES` | [Implementing Regulation Art. 33 — Records of Personal Data Processing Activities](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `AUDIT-003-BREACH-DEADLINE-ENFORCEMENT` | [Implementing Regulation Art. 24 — Notification of Personal Data Breach (72-hour clock)](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `AUDIT-007-CONSENT-WITHDRAWAL-DATA-LAYER` | [Implementing Regulation Art. 12 — Consent withdrawal](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `AUDIT-006-SUBJECT-RIGHTS-SLA-ENFORCEMENT` | [Implementing Regulation Art. 3 — 30-day rights-request SLA](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `CLAIM-CONSENT-WITHDRAWAL-AND-PDF-LIVE` | [Implementing Regulation Art. 12 — Consent withdrawal](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `CLAIM-SDAIA-DPIA-PHASES-LIVE` | [Implementing Regulation Art. 25 — Impact Assessment](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `CLAIM-DPO-AND-AI-AGENT-REGISTRATION` | [Implementing Regulation Art. 32 — Data Protection Officer](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `CLAIM-ROPA-DRILLDOWN-LOCAL-ONLY` | [Implementing Regulation Art. 33 — Records of Personal Data Processing Activities](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `ROUTE-RED-LANE-SENSITIVE-DATA-BLOCK` | [Implementing Regulation Art. 25.1.a — Sensitive Data DPIA trigger; red-lane block reflects DPIA-required posture](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `COMPLIANCE-PROCESSING-REGISTER-INTEGRITY` | [Implementing Regulation Art. 33 — Records of Personal Data Processing Activities](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `COMPLIANCE-TRANSFER-REGISTER-INTEGRITY` | [Cross-Border Transfer Regulation Art. 2 — Cross-border transfer record-keeping](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2); [Cross-Border Transfer Regulation Art. 8 — Risk Assessment record](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `COMPLIANCE-BREACH-REGISTER-INTEGRITY` | [Implementing Regulation Art. 24 — Personal Data Breach record](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `COMPLIANCE-SUBJECT-RIGHTS-REGISTER-INTEGRITY` | [Implementing Regulation Art. 3 — Subject Rights request record](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |
| `COMPLIANCE-TRA-REGISTER-INTEGRITY` | [Cross-Border Transfer Regulation Art. 8 — Transfer Risk Assessment record](https://dgp.sdaia.gov.sa/wps/portal/pdp/knowledgecenter/details/PDPL2) |

## Request The Full Bundle

- Buyer-safe reviewer guide: [`/resources/compliance-reviewer-pack-20260518.md`](/resources/compliance-reviewer-pack-20260518.md)
- Public compliance summary: [`/compliance`](/compliance)
- Contact path for reviewer-bundle access: [`/contact`](/contact)

