Disclosure of sub-processors DataSitr engages, and the upstream AI providers tenants can configure. Published in support of PDPL Implementing Regulation Article 17(5) and Personal Data Transfer Outside the Kingdom Regulation Article 5(2)(b).
These are the parties DataSitr engages directly to operate the gateway. Any addition or replacement is communicated to tenants in advance with an objection window, per the Data Processing Agreement.
Alibaba Cloud (Saudi region)
Container orchestration via ACK; encrypted object storage via OSS for backups; processes tenant data in transit and at rest under DataSitr-managed encryption.
Riyadh, Kingdom of Saudi Arabia
2026-04
Alibaba KMS
Startup master-key bootstrap for the in-Kingdom vault; does not access tenant Personal Data directly.
Riyadh, Kingdom of Saudi Arabia
2026-04
Google Cloud via CNTXT (Saudi Arabia region)
GKE Autopilot drill-standby compute, preparatory Cloud SQL standby database infrastructure, Artifact Registry (CMEK-encrypted) image storage, Cloud Build for container image builds, Cloud Armor edge WAF protecting the drill ingress, Cloud Monitoring uptime checks while the drill footprint is enabled, Cloud DNS for gcp.datasitr.com, and evidence/backup mirror storage. Phase A preparatory infrastructure; customer data routing starts only after operator-approved replication/cutover and required tenant notice.
Dammam, Kingdom of Saudi Arabia (me-central2)
2026-05
Cloudflare, Inc.
Authoritative DNS resolver for datasitr.com and subdomains; processes DNS query metadata (source resolver IPs, requested hostnames). Configured in DNS-only mode (not CDN/proxy); does not see customer HTTPS payloads or access tenant Personal Data.
United States (global anycast network)
2026-03
Llama is disclosed as a model family hosted through tenant-configured Groq, STC SambaNova, or HUMAIN endpoints. Meta is not a direct DataSitr recipient unless a tenant separately configures a Meta-hosted endpoint.
These providers are selected by the tenant through tenant policy. They are not standing sub-processors of DataSitr; they are independent recipients of tokenized or routed text under the tenant's policy choices. Each tenant remains responsible for any contracts, transfer mechanisms, and disclosures covering its own relationship with the upstream provider.
Anthropic
Claude
Green-lane tokenized external
Outside Kingdom — requires tenant Article 5 basis
OpenAI
GPT
Green-lane tokenized external
Outside Kingdom — requires tenant Article 5 basis
Gemini
Green-lane tokenized external
Outside Kingdom — requires tenant Article 5 basis
Groq
various
Green-lane tokenized external (or in-Kingdom variant when configured)
Outside Kingdom (US) for default tier; in-Kingdom variant when configured
STC SambaNova
various
In-Kingdom (currently rate-limited on the live pilot baseline)
Inside Kingdom
HUMAIN
Saudi-hosted
In-Kingdom amber/red
Inside Kingdom
Tenants may object to a proposed change to standing sub-processors by writing to dpo@datasitr.com within the objection window stated in the Data Processing Agreement. If the objection cannot be resolved, the tenant may terminate the affected processing under the Data Processing Agreement.
This page was last updated on 2026-05-16. Version 1.1.