01Enterprise

Enterprise.

Enterprise teams get SSO, tenant isolation, and a separate regulator portal. Current continuity proof covers five dated continuity drills and the May 4 ACK customer route; every boundary is explicit.

Verifiable today Available during evaluation On the roadmap

// Every claim on this page is tagged. Green is in product now; the rest is dated and named — we never blur that line.

Enterprise auth Standards-based SSO, role-scoped access, and immediate key revocation are already in product

This is an operating surface, not a slide-deck promise.

Procurement path One-click compliance bundle, scoped signed-package generation, and buyer-visible trust notes reduce diligence friction

The system is structured for review, not just for runtime traffic.

Regulator posture A separate read-only regulator portal is available during evaluation, with structured review materials and scoped signed-package generation

That separation is intentional and easier to defend during government review.

02Regulatory standing

Regulatory standing, in writing.

NDGP-registered, not licensed. We hold no AI accreditation or licence today, and we won't name one until it's actually issued.

NDGP: registered No AI accreditation held
PDPL DPO Registered #3260005651
PDPL Aligned Art. 5–24
NDGP Registered Not licensed
In-Kingdom Hosted Saudi cloud · SCCC

NDGP-registered data services provider — not licensed. We hold no AI accreditation or licence today. Registered DPO #3260005651, in-Kingdom on Saudi cloud (SCCC), PDPL-aligned.

Trust & evidence → · Compliance & controls → · Detector benchmarks →

03Data residency and privacy

Raw personal data stays in the Kingdom by default.

Only tokenized green-route text can leave Saudi Arabia. Residency, egress, the in-Kingdom lock, and crypto are described here once — the same model applies across every deployment.

In product
  • Residencyfor Saudi-hosted and Saudi customer-hosted deployments, all stateful surfaces — vault rows, compliance records, audit logs, and API keys — remain stored in Saudi Arabia. The runtime topology is identical across hosted-pilot, customer-cloud, and on-premises models.
  • Egressamber and red lanes route exclusively to in-Kingdom AI providers or are blocked. The router's lane decision is logged with the chosen reason code on every request.
  • force_in_kingdomwhen set, the router rejects any request that cannot be served by an operator-configured in-Kingdom path. The block is explicit and audit-logged — there is no silent fallback.
  • Cryptoper-tenant derived keys for vault material, AES-256-GCM at rest, TLS 1.2/1.3 in transit. Key rotation is operator-controlled; revocation invalidates cached state across replicas.

04Compliance and controls

Designed to support PDPL alignment.

SOC 2 Type II and ISO 27001 audits are planned, not yet certified. We show status honestly, not a badge we haven't earned.

PDPL: designed to support SOC 2 / ISO 27001: planned
Standard
Status
Saudi PDPL

Designed to support PDPL alignment; not a legal determination

Planned: SOC 2 Type II audit

Controls implemented; independent audit not yet completed

Planned: ISO 27001 certification

Controls implemented; certification work not yet completed

Important: DataSitr is designed to help organizations align with PDPL. It does not itself grant compliance.

Compliance & controls → · Trust & evidence →

05Auth and access control

SSO, scoped keys, and a separate regulator path.

Three operator roles, person-bound identity for every authenticated action, and a read-only regulator portal that lives on its own path.

In product
  • SSOOIDC + PKCE against the operator's corporate IdP. Person-bound identity for every authenticated action — required for individual training records and per-user audit attribution.
  • RBACtenant, tenant_admin, super_admin for operator surfaces; the regulator portal is a separate path with its own audit log for regulator sessions.
  • API keysbearer keys with the sv_ prefix and a role scope. Revocation is effective immediately; cached state is invalidated across replicas via Redis.
  • Regulator accessseparate read-only portal, structured reports, scoped signed-package generation with caveat metadata, and an audit log for every regulator session.

Auth-path survivability is covered as dated continuity evidence in section 08; customer-route HA is covered by the 2026-05-04 ACK evidence bundle. Continuity evidence is not auth-plane HA.

06Multi-tenancy isolation

Five layers, enforced independently.

Keys, access, logs, policy, and rate are each isolated per tenant. A misconfiguration on one layer does not fall back to a shared default.

In product
Crypto Per-tenant derived key
Access Tenant-bound API keys
Logs Tenant-tagged audit rows
Policy Per-tenant config
Rate Independent buckets

07Operator and buyer surfaces

Tenant, operator, and regulator each get a separate path.

Three audiences, three surfaces. The regulator portal is a path of its own with its own audit log — not a tab on the operator dashboard.

In product
Tenant OpenAI-compatible entrypoint with privacy routing Existing OpenAI-style clients point to /v1/chat/completions; DataSitr applies detection, lane decision, audit records, and provider policy. Tenant dashboard exposes DPIA, audit summary, evidence pack, and the one-click compliance bundle. API · tenant dashboard
Operator Provision tenants, issue scoped keys, manage quotas + balance Super-admin surface for tenant provisioning, key issuance and revocation, quota settings, and prepaid balance + statements. Cross-tenant data is never visible here — this surface is per-tenant by construction. Operator dashboard · super_admin
Regulator Read-only portal with scoped signed-package generation A separate path, not a tab on the operator dashboard. Cross-tenant inspection lives only here; every regulator session is recorded in its own audit log. Signed packages carry caveat metadata so reviewers see scope and limitations alongside the data. Regulator portal · read-only

08Availability and SLAs

Five dated continuity drills. No contractual SLA yet.

Multi-AZ ACK ingress has verified cutover and a 4-hour soak; failover drills are planned. The dated drills below remain the operational posture behind the product.

5 dated drills Contractual SLA: on the roadmap
  • 2026-03-28 Rolling deploy + isolated restore recovery. Public rolling-deploy continuity and a separate isolated restore-recovery check were both completed and archived.
  • 2026-03-29 Auth survivability. Fresh login + authenticated processing survived an intentional auth-path outage. Continuity evidence — not auth-plane HA, not unplanned node-loss tolerance.
  • 2026-03-29 Restored-state cutover with vault read-back. Public traffic was served from a restored state. The latest rerun confirmed oldest + newest restored vault rows decrypt under the restored environment. Narrow read-back, not full-vault verification.
  • 2026-03-29 Alternate public path under operator control. datasitr.com was served through an alternate public path. The current HA posture is now proven by the 2026-05-04 ACK customer-route bundle; this row remains historical continuity evidence.
  • 2026-04-06 Planned-maintenance continuity on the live public API. The live public API completed planned continuity work successfully on the public path. Most recent dated proof at the time of writing.

Pilot support runs through a direct operator channel while a formal support policy is finalized. As of 2026-05-04, multi-AZ ACK ingress has verified cutover + 4-hour soak evidence; failover drills are planned. Full-vault verification, HSM custody, and unplanned full-region failure tolerance remain separate steps.

09Scaling path

Pilot → Growth → Enterprise.

Same components at every stage. Replicas and state stores scale up; the runtime topology stays identical.

Pilot path live Enterprise: during evaluation
Pilot Saudi-hosted pilot path for initial evaluation Single-VPS Docker Compose path is supported. Fastest route to a working environment with full audit + signed-evidence surfaces. Suitable for due-diligence pilots before a procurement decision. 1–10 tenants
Growth Helm-guarded 2× replicas with shared Postgres + Redis Dated continuity evidence covers public rolling deploy, isolated restore recovery, auth survivability, and restored-state cutover. Alibaba ACK guided Kubernetes is the canonical target; high-availability mode is on by default. 10–50 tenants
Enterprise Multi-instance with alternate public path and restored-state proof As of 2026-05-04, multi-AZ ACK ingress has verified cutover + 4-hour soak evidence; failover drills are planned. Full-vault verification, HSM custody, and unplanned full-region failure tolerance remain separate steps. 50+ tenants

10On the roadmap

What's next — explicit and dated.

The next investments on the enterprise track, written down. None of these block a pilot today.

On the roadmap
  • SOC 2 / ISO 27001controls are implemented in product; independent audit planned, not yet booked.
  • Contractual SLAplanned for production tiers; pilots run on a direct operator channel.
  • Formal support tierspilot support is on a direct operator channel while the support policy is finalized.
  • SSE streamingexists in the routing surface; downstream backend behavior still varies by provider.
  • Off-host backupworkflow is verified on pilot; production rollout in flight.
  • Immutable-evidence retentionfinal retention configuration in flight; does not retroactively cover legacy unsequenced rows.

See it work on your data.

SSO, tenant isolation, a separate regulator portal, and dated continuity proof — honestly bounded, in-Kingdom.

Request a pilot → Read the full trust & evidence pack →