1.Roles under PDPL

In a typical deployment, the customer acts as the data controller and DataSitr acts as a processor for the service workflow. Requests are handled on Saudi-hosted infrastructure. The live pilot stores limited operational state, including encrypted token mappings and compliance metadata, on Saudi-hosted operational systems.

2.Data we collect directly (DataSitr as controller)

Section 1 covers data we process on a customer's behalf, where the customer is the controller. Separately, DataSitr is the controller for the limited personal data we collect directly — for example, when you contact us or request an evaluation.

Controller: Data Sitr Establishment (Jeddah, Kingdom of Saudi Arabia). Data Protection Officer: Sulaiman Husam Abonami, DataSitr's registered DPO (registration 3260005651). Contact: dpo@datasitr.com.

3.The Three-Lane Data Geometry

Your data flow is automatically segmented:

4.Cryptographic Vault and Retention

Identified PII is stored as AES-256-GCM encrypted token mappings for rehydration during the request workflow. On the live pilot, shared operational state runs on Saudi-hosted operational systems. Token mappings are time-limited, and compliance metadata may be retained to support audit and customer operations.

5.Data Subject Rights

We provide APIs that help the Data Controller carry out supported data-subject workflows, including export, deletion, and rectification of vaulted subject data and related records. Availability of any specific workflow depends on the deployed configuration and the customer's own legal process.

6.Last updated

This page was last updated on 2026-05-14.