KINDI — A bureau for handling sensitive language.

In-Kingdom PII masking for frontier LLMs
Riyadh · Kingdom of Saudi Arabia
KINDI.me
30 May 2026 · 1447-12-13 H
PL. 31 · COMPLIANCE
PDPL by design

KINDI is the technical safeguard that lets Saudi customers use frontier language models without exporting personal data.

The PDPL requires that Saudi personal data be processed inside the Kingdom and that any cross-border transfer carry an explicit safeguard. KINDI is built around that requirement. What follows is how, principle by principle.

KINDI is a technical means that lets Saudi organisations benefit from global models without exporting personal data.

PL. 31 · § 01
§ I.

Where KINDI stands

KINDI has not yet been the subject of a third-party certification under the PDPL, the Implementing Regulations, or the NCA controls. The statements on this page describe how the service is designed against the framework, not what an external auditor has attested to. Where an attestation is in hand, this page will say so plainly and cite the attestor.

With that said, the design itself is a substantive answer to the cross-border question the PDPL poses. The sections below state that answer.

PL. 31 · § 02
§ II.

Data minimisation

The PDPL requires that the processing of personal data be limited to what is necessary for the stated purpose. KINDI implements that requirement at the layer below the customer’s application: the personal-data spans in a piece of text are replaced with deterministic placeholders before the text leaves the in-Kingdom boundary. What crosses the border is, by construction, the minimum the customer’s downstream use requires.

PL. 31 · § 03
§ III.

Cross-border transfer

In August 2024, SDAIA issued the Transfer Regulation. It permits personal-data transfers outside the Kingdom on stated lawful bases and under stated safeguards, including Saudi standard contractual clauses, binding common rules, and certificates of accreditation. It requires a Transfer Risk Assessment for continuous or large-scale sensitive-data transfers. SDAIA’s adequacy list has not yet been published; in its absence, the prevailing professional position is to apply an explicit safeguard for every transfer.

KINDI’s answer to the transfer question is structural: for a request masked by KINDI, the text that crosses the border carries no personal data. The Transfer Risk Assessment’s “minimum amount necessary” standard is satisfied by the placeholdering itself. The customer is the Controller for that onward transfer; KINDI provides the technical safeguard that makes it tractable.

PL. 31 · § 04
§ IV.

Sensitive personal data

The PDPL treats health data as sensitive personal data, with stricter consent requirements, enhanced security obligations, and access-control minimisation expected of anyone who handles it. KINDI is designed for medical text; the matching obligations on KINDI’s side are stated in the Data Processing Addendum. The customer remains the Controller and is responsible for the lawful basis and the consent posture appropriate to its own patient or subject population.

Sensitive-data transfers are excluded from the direct-service and scientific-research exemptions in the Transfer Regulation. The design choice to mask in-Kingdom before any cross-border step is the only tractable path to using a foreign-hosted language model on this category of text without an unbounded compliance burden.

PL. 31 · § 05
§ V.

Data-subject rights, by construction

Article 4 of the PDPL grants every data subject in the Kingdom the rights of access, rectification, portability, erasure, and complaint. The PDPL Implementing Regulations set a 30-day response window for any request exercising those rights.

For the personal data KINDI holds about account holders, those rights are honoured through the privacy contact at dpo@kindi.me and the procedure stated in the Privacy Notice.

For the personal data KINDI processes on behalf of customers as Controllers, the construction of the service is itself the answer: KINDI retains no copy of the text after the round-trip of a single request. There is no stored record for KINDI to access, correct, or erase. The DPA states how KINDI assists the Controller in honouring its own obligations to the data subject.
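The placeholdering described under § II and the retention-free round-trip described above are easiest to see in code. The following is an added illustration, not KINDI’s own code or API: the three regex detectors, the `[[KIND_n]]` placeholder format, the `mask`/`unmask`/`round_trip` names and the echo-style model stub are all assumptions chosen for the demonstration, and the sample text is constructed. It shows the three properties the page relies on: the text that leaves the boundary carries none of the detected spans, a value that appears twice gets the same placeholder so the model can still tell the mentions refer to one entity, and the placeholder-to-value mapping exists only for the lifetime of one request.

```python
"""Added illustration of in-boundary PII placeholdering and rehydration.

Not KINDI's code. Detector patterns, placeholder format and the model stub
are assumptions made for this example; a production service would use a
trained recogniser that also covers names, addresses and free-text identifiers.
"""
import re
from dataclasses import dataclass, field
from typing import Callable

# Assumed, deliberately narrow detectors: Saudi mobile numbers in +966 form,
# ten-digit national ID / iqama numbers starting with 1 or 2, and e-mail addresses.
DETECTORS = {
    "PHONE": re.compile(r"\+966\s?5\d{2}\s?\d{3}\s?\d{3}\b"),
    "NATIONAL_ID": re.compile(r"\b[12]\d{9}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
# Placeholder syntax used by this example: [[KIND_n]].
PLACEHOLDER = re.compile(r"\[\[(PHONE|NATIONAL_ID|EMAIL)_(\d+)\]\]")


@dataclass
class MaskResult:
    text: str                                            # what may leave the boundary
    mapping: dict[str, str] = field(default_factory=dict)  # placeholder -> original span


def contains_pii(text: str) -> bool:
    """True if any detector still fires on the text (used as an egress check)."""
    return any(p.search(text) for p in DETECTORS.values())


def mask(text: str) -> MaskResult:
    """Replace each detected span with a placeholder that is deterministic
    within the request: the same value always maps to the same placeholder,
    numbered by order of first appearance."""
    spans = []
    for kind, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            spans.append((m.start(), m.end(), kind, m.group(0)))
    spans.sort()
    # Drop any span overlapping an earlier one so offsets stay consistent.
    kept, last_end = [], -1
    for span in spans:
        if span[0] >= last_end:
            kept.append(span)
            last_end = span[1]
    mapping: dict[str, str] = {}
    value_to_ph: dict[tuple[str, str], str] = {}
    counters: dict[str, int] = {}
    for _, _, kind, value in kept:
        if (kind, value) not in value_to_ph:
            counters[kind] = counters.get(kind, 0) + 1
            ph = f"[[{kind}_{counters[kind]}]]"
            value_to_ph[(kind, value)] = ph
            mapping[ph] = value
    out = text
    # Replace from right to left so earlier offsets are not shifted.
    for start, end, kind, value in reversed(kept):
        out = out[:start] + value_to_ph[(kind, value)] + out[end:]
    return MaskResult(out, mapping)


def unmask(text: str, mapping: dict[str, str]) -> str:
    """Put original spans back into the model's reply. A placeholder the model
    invented or mangled has no mapping entry and is left untouched rather than
    guessed at."""
    return PLACEHOLDER.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)


def round_trip(text: str, model: Callable[[str], str]) -> str:
    """Mask inside the boundary, forward only the masked text, rehydrate the reply.

    The mapping is a local of this frame: once the function returns there is
    no stored record of the original spans to access, correct or erase."""
    masked = mask(text)
    assert not contains_pii(masked.text)   # egress check before anything crosses
    reply = model(masked.text)
    return unmask(reply, masked.mapping)


# Constructed sample input; every identifier in it is fictitious.
SAMPLE = ("Patient Ahmad, ID 1234567890, phone +966 512 345 678, "
          "email ahmad@example.com. Call +966 512 345 678 to confirm.")

if __name__ == "__main__":
    result = mask(SAMPLE)
    print(result.text)
    # A stand-in for the foreign-hosted model: it only ever sees placeholders.
    print(round_trip(SAMPLE, lambda t: "Summary: " + t))
```

Running the module prints the masked text, then the rehydrated reply. The `assert` in `round_trip` is the property a practitioner would actually monitor in production: nothing leaves the boundary if the egress check still finds a span. Note that the example’s detectors do not catch the name “Ahmad”; a service built for medical text would need a recogniser with far wider coverage than three patterns.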

PL. 31 · § 06
§ VI.

Breach notification

Article 24 of the PDPL Implementing Regulations requires the Controller to notify SDAIA within 72 hours of confirmation of a personal-data breach that may cause harm. Unlike the GDPR, the PDPL allows no risk-based exemption from notification.

On KINDI’s side, the Processor notification flows up to the affected Customer within the same 72-hour window so that the Customer can meet its own Controller obligation to SDAIA. The contractual commitment is in § IX of the DPA; the operational running-time of that commitment is part of KINDI’s on-call runbook.

PL. 31 · § 07
§ VII.

Where KINDI ends and Customer begins

Compliance under the PDPL is allocated between Controller and Processor. KINDI is the Processor of the personal data customers submit to the masking API. The Customer is the Controller, and remains responsible for: choosing the lawful basis, informing data subjects of the use of an automated masking service to the extent its own privacy notice requires, maintaining a Record of Processing Activities under the PDPL Implementing Regulations, appointing a Data Protection Officer where the volume or sensitivity of processing requires one, and responding to data-subject requests within the 30-day window.

KINDI’s matching obligations as Processor are stated in the Data Processing Addendum. The split is deliberately bright: where KINDI’s obligation ends, the Customer’s begins, and the line is drawn at the boundary of KINDI’s storage, which is empty by design.

PL. 31 · § 08
§ VIII.

Where this page goes next

On the horizon for this page: a third-party attestation against the NCA ECC-2:2024 baseline, a published Transfer Risk Assessment template for customers conducting their own assessment, and an Arabic-language translation of every legal document by a sworn translator. Each is gated on a separate workstream; none is yet complete. The version line at the head of this page will reflect each as it lands.