Raw text never crosses the Kingdom's border. The masked text does, and only the masked text. The frontier model sees placeholders; your client restores the originals locally.

If KINDI were compelled to disclose what it holds on a given request, the disclosable record is the list below. The request text, the response text, and the mapping are not on it.

Retained, per request

timestamp · tokens billed · status code · API key identifier (not the secret) · originating account

Retained, per account

identity for billing and support · ledger of top-ups and debits · receipts and tax invoices

Not retained, ever

request text · response text · placeholder-to-original mapping · the encrypted envelope, beyond the round-trip

Retention period

operational metadata, 18 months · billing records, as required by KSA tax law · audit logs, 24 months

Your API key is the root of trust. KINDI can produce an envelope; it cannot read one. Only a holder of the API key can.

Issuance

every response that contains masked content carries an encrypted envelope; the envelope is sealed against a key derived from your API key

Custody

KINDI does not store the API key or any key derived from it; the secret is shown once, at the moment of creation, and is held only by you

Revocation

revoking an API key invalidates every outstanding envelope by design; previously returned envelopes become unreadable

Override

there is none; an operator cannot decrypt on your behalf

Compute, primary storage, backups, and operational logs all run inside the Kingdom of Saudi Arabia. Data does not transit a foreign region in the course of normal operation, save for the masked text your client sends to the frontier model.

PDPLPersonal Data Protection Law (KSA)

Aware by construction.

NCA ECCEssential Cybersecurity Controls

Designed to align.

NCA CCCCloud Cybersecurity Controls

Designed to align.

NCA DCCData Cybersecurity Controls

Designed to align.

A short catalogue of access, by role. The principle is simple: the fewer hands that touch your text, the better; in practice, none of KINDI's do.

You

full read and write on your account, your keys, your balance, and your usage history; sole holder of the secret used to decrypt envelopes

KINDI operators

aggregate operational metrics (latency, error rate, throughput) · your account identity for billing and support · no access to request text or response text, by policy and by construction

Auditors, on request

admin-action audit trail · access reviews · incident records; never the body of customer requests

Logging policy

production logs exclude request text, response text, email addresses, and bearer tokens at INFO level or above; only identifiers travel up the log pipeline

Third parties that participate in operating the service, the data they receive, and where they operate. Changes to this list are published before they take effect.

KINDI's posture on a confirmed material incident affecting customer data or service availability.

Customer notification

within 72 hours of confirmation, to the registered account email, including known scope and the steps in motion

Regulator notification

within the timelines required by PDPL and any applicable NCA guidance; coordinated with counsel

Status page

continuously updated at status.kindi.me; subscribable for email or webhook notice

Responsible disclosure

security researchers may write to security@kindi.me; we acknowledge within one business day

For procurement reviews, due-diligence questionnaires, or anything this page leaves unanswered.

Data Protection

dpo@kindi.me

Security

security@kindi.me

General

hello@kindi.me · reply within one business day, Sunday through Thursday