Trust & safety

Security & data at SDC

We're ISO/IEC 27001:2022 certified, host all customer data inside the Kingdom of Saudi Arabia, and comply with Saudi PDPL. Here's the program that protects enterprise, government, and consumer data on SDC — and how to reach us.

Last reviewed · May 2026

  • ISO/IEC 27001:2022 · Certified information security management
  • KSA-resident · All customer data hosted in the Kingdom
  • PDPL · Saudi data-protection compliant

Certifications & compliance

Independently certified, continuously assessed

We operate under recognized international and Saudi standards. Every certificate listed below is current; the full certificate and an executive security overview are available to prospective enterprise customers on request.

ISO/IEC 27001:2022

Certified

International standard for Information Security Management Systems. Covers the policies, processes, and controls used to protect customer and corporate information assets across the SDC platform.

Scope: SDC platform, supporting infrastructure, and operations.

Saudi PDPL

Compliant

We comply with the Kingdom's Personal Data Protection Law.

Scope: SDC acts as data processor for our customers under PDPL.

Data hosting & residency

All customer data stays inside the Kingdom

Hosting inside the Kingdom matters to our government and enterprise clients. Customer data is stored and backed up on infrastructure located in Saudi Arabia.

01

Hosted in Saudi Arabia

Production storage and backups live within KSA borders — there is no storage outside the Kingdom in normal operations.

02

Saudi-hosted infrastructure

Hosted on cloud infrastructure located in Saudi Arabia, aligned with the operational expectations of regulated industries.

How we protect your data

Defense in depth — technology, process, and people

Our security program combines five interlocking control families. No single control is load-bearing; every layer assumes the layer above it can fail.

01

Threat detection & response

Security Information and Event Management (SIEM) for continuous log monitoring, Endpoint Detection and Response (EDR) on managed devices, and an ongoing vulnerability management program.

02

Application & network security

Web Application Firewall (WAF) at the edge, encryption of data in transit and at rest, and segmented network architecture between trust boundaries.

03

Access management

Role-based access control, principle of least privilege, time-bound grants, and multi-factor authentication enforced on every administrative account.

04

Data protection

Data Loss Prevention (DLP) controls and regular backups with defined Recovery Time and Recovery Point Objectives, regularly tested.

05

Assurance

Regular Vulnerability Assessment and Penetration Testing (VAPT) by independent providers, plus ongoing security awareness training for all personnel.

Found something?

Responsible disclosure

If you think you've found a security issue affecting SDC, we'd like to hear from you. We commit to acknowledging your report within 24 hours and to working with you in good faith on a fix.

Safe harbor

We won't pursue legal action against researchers who act in good faith, avoid privacy violations, and give us reasonable time to remediate before public disclosure.

Have a security or compliance question?

Our team is happy to walk enterprise customers through our architecture under NDA.
