Security at Saudi HR

Security and trust at Saudi HR

We build Saudi HR with the security expectations of enterprise HR teams in the Kingdom in mind. This page is our running, honest account of what is shipped today and what is on the roadmap.

  • SOC 2 Type II: in progress (readiness Q3 2026)
  • ISO 27001:2022: in progress (kickoff Q4 2026)
  • ISO 42001:2023: roadmap (target H1 2027)
  • KSA PDPL: aligned today (Saudi DPO Q3 2026)
  • GDPR DPA: available on request (signed at contract)

Roadmap items carry a concrete target date. We do not claim certifications we have not earned.


Data integrations and subprocessors

Saudi HR uses a short list of established cloud subprocessors to deliver the product. Every vendor below is named in the Data Processing Addendum and we commit to a 30-day notice before adding a new subprocessor.

Vendor | What it touches | Region | Attestation
Vercel | Web hosting, edge runtime, file uploads (Vercel Blob) | iad1 (US-East) | SOC 2 + ISO 27001
Neon (Postgres) | Primary Postgres: users, chats, documents, audit events | aws-eu-central-1 (Frankfurt) | SOC 2 Type II
Pinecone | Vector embeddings for the public HR knowledge base | aws-eu-west-1 | SOC 2 + ISO 27001
Google AI Studio (Gemini) | Chat completions for Saudi HR responses | Global edge | DPA in place
Resend | Transactional email: verification, password reset, magic link | US | SOC 2 Type II
Polar.sh | Subscription billing and invoice issuance | US | DPA in place

No training on your data

Customer prompts, chat history, and uploaded documents are never used to train foundation models. Our model providers operate under a zero data retention configuration for production traffic.

We notify customers at least 30 days before any new subprocessor goes live. The current list is the source of truth for the signed DPA.


Organization and IT controls

Admin controls that customers expect on day one and the enterprise controls landing through 2026.

  • SAML SSO (coming Q3 2026)
    Okta, Azure AD, Google Workspace, OneLogin. Just-in-time provisioning.
  • SCIM 2.0 provisioning (Enterprise, coming Q4 2026)
    Directory sync for user lifecycle on the Enterprise plan.
  • Workspace audit log (live)
    Org, project, agent, member, and billing events with timestamps and actor IDs.
  • Multi-factor authentication (coming Q3 2026)
    TOTP and WebAuthn passkeys layered on top of password and Google login.
  • Role-based access control (live)
    Viewer, member, admin, owner roles enforced server-side at every chokepoint.

Audit

What customers can verify after the fact, when, and how long we keep the trail.

Live event coverage

  • Org created, renamed, deleted, transferred
  • Project created, renamed, archived, restored, deleted
  • Agent created, updated, duplicated, skills changed, deleted
  • Member added, removed, role changed, invite sent and accepted
  • Plan changed, billing updated, chat shared org-wide

Coverage gaps on the roadmap

The following event kinds are not yet captured. They are tracked in our backlog and will land in the next audit-log wave.

  • Login success and failure events
  • Chat export and share-link creation
  • Document and file downloads

Retention by plan

  • Team plan: 90-day audit retention with CSV export.
  • Enterprise plan: 365-day retention with webhook delivery for SIEM ingestion.

AI

How we use model providers, what they retain, and our AI management roadmap.

No training on customer data

We operate under zero data retention configurations with our model providers. Customer prompts, model outputs, and uploaded documents are never used to train foundation models or shared back into general training sets.

Model providers

Saudi HR routes inference through the Vercel AI Gateway, which proxies to the providers below. Each provider publishes an enterprise privacy posture.

  • Google Vertex AI (Gemini)
  • Anthropic (Claude)
  • OpenAI (GPT-4o family)
  • DeepSeek
  • xAI (Grok)

ISO 42001:2023 AI management system

ISO 42001:2023 is the emerging international standard for responsible AI management. Saudi HR is targeting first-cycle certification in H1 2027.

Roadmap H1 2027

Cybersecurity

The technical and operational controls that keep your data safe in flight and at rest.

Encryption at rest

AES-256 across Postgres, file storage, and vector embeddings.

Encryption in transit

TLS 1.2 or higher on every endpoint. HTTPS-only.

Penetration testing

Annual third-party test. Summary report shared under NDA on request.

Bug bounty

A private bug bounty program is on the roadmap.

Roadmap Q4 2026

Vulnerability disclosure

Found something that looks like a security issue? We respond within one business day and credit reporters in our public disclosure log.

security@saudihr.ai

Public status page

A live status page at status.saudihr.ai with uptime history and incident timelines.

Roadmap Q3 2026

Compliance

Each framework with a concrete target date. We tell you where we stand and where we are heading.

  • SOC 2 Type II (readiness Q3 2026)
    Readiness assessment Q3 2026, audit window opens Q4 2026, Type II report H1 2027. Bridge letter offered for procurement teams that need cover during the audit window.
  • ISO 27001:2022 (kickoff Q4 2026)
    Kickoff Q4 2026 with a recognised Saudi auditor. Certification target H2 2027. Bundled with ISO 27701 for the PDPL privacy story.
  • KSA PDPL (aligned today)
    Aligned with the Saudi Personal Data Protection Law today. SDAIA Standard Contractual Clauses available for cross-border transfer. Saudi-resident DPO appointment targeted Q3 2026.
  • GDPR DPA (on request)
    Standard Data Processing Addendum on request, aligned with GDPR Article 28 and the SDAIA Controller-to-Processor SCC template.

Data residency

  • Today: Postgres in Frankfurt (Neon, aws-eu-central-1) and vector embeddings in the EU. File storage and inference proxy on Vercel's global edge.
  • Enterprise: Custom DPA with KSA jurisdiction and SDAIA Controller-to-Processor SCCs annexed. Available at contract signing.
  • Roadmap: Vertex AI inference routed to Dammam (me-central2) in Q3 2026 and AWS me-central-1 Postgres lane shortly after. See our public KSA residency PRD for the sequencing.

Ready to dig deeper?

Enterprise procurement teams get our Trust Pack on request: a SOC 2 readiness summary, our DPA, the subprocessor register, and a recent pen-test summary under NDA.

All compliance items above carry a target date. We will tell you the truth about what is in flight, not what is wished.