The Personal Data Protection Law: our full position
NOVA's controls were designed from day one to comply with the Saudi Personal Data Protection Law (PDPL). This page shows how each principle of the law becomes a concrete control inside the platform, with no exaggeration and no ambiguity.
Compliance by design, not by patchwork
Let's be precise: we do not claim an official certification from a regulator. What we do say, and lay out here for verification, is that NOVA's controls are designed to comply with the Personal Data Protection Law: in-Kingdom data residency, encryption in transit and at rest, access limited to what flows actually need, and an audit trail that records every processing action.
Roles are explicit in our contracts: our customer is the data controller; NOVA is a processor acting on the customer's instructions, and we provide a data processing agreement (DPA) that defines scope, obligations, and deletion procedures.
For full sovereignty requirements, NOVA runs inside your own private cloud (VPC) or entirely within your data center, including air-gapped environments. See deployment & sovereignty.
From principle to control
A practical summary connecting the law's principles to what the platform actually does, one line per principle.
| Principle | NOVA control |
|---|---|
| Data residency | NOVA Cloud hosts data inside Saudi Arabia by default, with VPC and on-premises options for full sovereignty within your own infrastructure. |
| Encryption | Encryption in transit (TLS 1.3) and at rest (AES-256) on NOVA Cloud; in private deployments, encryption keys are owned and managed by you. |
| Data minimization | Every flow and agent accesses only the fields it needs; permissions are granted at the action and data level, with no open access. |
| Processing records | Every action on data (who executed it, what it did, when and why) is recorded in a complete audit trail you can review at any time. |
| Data subject rights | Platform tooling helps our customer, as controller, locate a data subject's records and act on them: access, correction, and deletion. |
| Data processing agreement | We provide a data processing agreement (DPA) covering roles, scope, security obligations and deletion procedures, signed as part of the contract. |
The questions every review asks
On NOVA Cloud, in-Kingdom data residency is the default: the infrastructure runs in Saudi data centers. For tighter control, deploy NOVA inside your own private cloud (VPC) or fully on-premises in your data center, including completely air-gapped environments.
You do. Our customer is the data controller and owner; NOVA is a processor acting on the customer's instructions within the contract. The data processing agreement defines the processing scope precisely: operating your service as you instruct, nothing more.
Yes. We provide customers with a data processing agreement covering roles (controller/processor), processing scope, security obligations, and deletion procedures at the end of the contractual relationship. Request it during contracting or from the sales team.
When your subscription ends or on your request, your workspace data is deleted according to the procedures and timelines documented in the data processing agreement. In private deployments (VPC or on-prem) the data lives inside your infrastructure to begin with; deletion stays directly in your hands.
Compliance questions? Clear answers.
Book a demo and bring your compliance team to the same session, or start free and inspect the controls yourself.