Enterprise auth: Standards-based SSO, role-scoped access, and immediate key revocation are already in product.

This is an operating surface, not a slide-deck promise.

Procurement path: One-click compliance bundle, scoped signed-package generation, and buyer-visible trust notes reduce diligence friction.

The system is structured for review, not just for runtime traffic.

Regulator posture: A separate read-only regulator portal is available during evaluation, with structured review materials and scoped signed-package generation.

That separation is intentional and easier to defend during government review.

02

Auth and access control

SSO, three operator roles, scoped keys, and a read-only regulator portal.

  • SSO: OIDC + PKCE against the operator's corporate IdP. Person-bound identity for every authenticated action — required for individual training records and per-user audit attribution.
  • RBAC: tenant, tenant_admin, super_admin for operator surfaces; the regulator portal is a separate path with its own audit log for regulator sessions.
  • API keys: bearer keys with the sv_ prefix and a role scope. Revocation is effective immediately; cached state is invalidated across replicas via Redis.
  • Regulator access: separate read-only portal, structured reports, scoped signed-package generation with caveat metadata, and an audit log for every regulator session.
  • Drill · 2026-03-29 · auth survivability: fresh login + authenticated processing survived an intentional auth-path outage on the public service. Customer-route HA is now covered by the 2026-05-04 ACK evidence bundle.
  • Drill · 2026-03-29 · restored-state cutover: oldest and newest restored vault rows decrypt under the restored environment. Narrow read-back — not full-vault verification or automatic data-tier primary failover.
03

Multi-tenancy isolation

Five layers — keys, access, logs, policy, rate — enforced independently. A misconfiguration on one layer does not fall back to a shared default.

  • Crypto: Per-tenant derived key
  • Access: Tenant-bound API keys
  • Logs: Tenant-tagged audit rows
  • Policy: Per-tenant config
  • Rate: Independent buckets
04

Compliance and controls

Designed to support PDPL alignment. SOC 2 Type II + ISO 27001 audits planned, not yet certified.

Standard | Status
Saudi PDPL | Designed to support PDPL alignment; not a legal determination
Planned: SOC 2 Type II audit | Controls implemented; independent audit not yet completed
Planned: ISO 27001 certification | Controls implemented; certification work not yet completed

Important: DataSitr is designed to help organizations align with PDPL. It does not itself grant compliance.

05

Data residency and privacy

Raw personal data stays in Saudi by default; only tokenized green-route text can leave the Kingdom.

  • Residency: for Saudi-hosted and Saudi customer-hosted deployments, all stateful surfaces — vault rows, compliance records, audit logs, and API keys — remain stored in Saudi Arabia. The runtime topology is identical across hosted-pilot, customer-cloud, and on-premises models.
  • Egress: amber and red lanes route exclusively to in-Kingdom AI providers or are blocked. The router's lane decision is logged with the chosen reason code on every request.
  • force_in_kingdom: when set, the router rejects any request that cannot be served by an operator-configured in-Kingdom path. The block is explicit and audit-logged — there is no silent fallback.
  • Crypto: per-tenant derived keys for vault material, AES-256-GCM at rest, TLS 1.2/1.3 in transit. Key rotation is operator-controlled; revocation invalidates cached state across replicas.
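
As an added illustration of the egress rules above (not DataSitr's code), this sketch shows a fail-closed lane router: amber, red, and force_in_kingdom requests either reach an in-Kingdom provider or are blocked, and every decision is logged with a reason code. The class, provider names, and reason-code strings are assumptions; the page does not publish them.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical reason codes: the page says a code is logged, not what the codes are.
IN_KINGDOM = "routed_in_kingdom"
EXTERNAL_GREEN = "routed_external_green"
BLOCKED_NO_PATH = "blocked_no_in_kingdom_path"
BLOCKED_BAD_LANE = "blocked_unknown_lane"


@dataclass
class LaneRouter:
    in_kingdom: List[str]               # operator-configured in-Kingdom providers
    external: Optional[str] = None      # provider outside the Kingdom, green lane only
    force_in_kingdom: bool = False
    audit_log: List[dict] = field(default_factory=list)

    def route(self, request_id: str, lane: str) -> Tuple[Optional[str], str]:
        """Pick a provider for one request; None means the request is blocked."""
        if lane not in ("green", "amber", "red"):
            provider, reason = None, BLOCKED_BAD_LANE   # fail closed on bad input
        elif lane == "green" and not self.force_in_kingdom and self.external:
            provider, reason = self.external, EXTERNAL_GREEN
        elif self.in_kingdom:
            provider, reason = self.in_kingdom[0], IN_KINGDOM
        else:
            # No usable path: explicit block. Amber, red, and forced requests
            # never fall back to self.external.
            provider, reason = None, BLOCKED_NO_PATH
        # Allowed and blocked decisions are both recorded, so a block is visible.
        self.audit_log.append({"request_id": request_id, "lane": lane,
                               "provider": provider, "reason": reason})
        return provider, reason


if __name__ == "__main__":
    # Constructed scenario: no in-Kingdom provider is configured.
    router = LaneRouter(in_kingdom=[], external="ext-llm", force_in_kingdom=True)
    for rid, lane in [("r1", "green"), ("r2", "amber"), ("r3", "red")]:
        print(rid, lane, router.route(rid, lane))
    print(router.audit_log)
```
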
06

Operator and buyer surfaces

Tenant, operator, and regulator users each get a separate path. The regulator portal has its own audit log.

Tenant: OpenAI-compatible entrypoint with privacy routing. Existing OpenAI-style clients point to /v1/chat/completions; DataSitr applies detection, lane decision, audit records, and provider policy. Tenant dashboard exposes DPIA, audit summary, evidence pack, and the one-click compliance bundle. (API · tenant dashboard)

Operator: Provision tenants, issue scoped keys, manage quotas + balance. Super-admin surface for tenant provisioning, key issuance and revocation, quota settings, and prepaid balance + statements. Cross-tenant data is never visible here — this surface is per-tenant by construction. (Operator dashboard · super_admin)

Regulator: Read-only portal with scoped signed-package generation. A separate path, not a tab on the operator dashboard. Cross-tenant inspection lives only here; every regulator session is recorded in its own audit log. Signed packages carry caveat metadata so reviewers see scope and limitations alongside the data. (Regulator portal · read-only)
07

Availability and SLAs

Multi-AZ ACK ingress with verified cutover + 4-hour soak; failover drills planned. Five dated continuity drills remain behind the operational posture. No contractual SLA yet.

  • 2026-03-28 Rolling deploy + isolated restore recovery. Public rolling-deploy continuity and a separate isolated restore-recovery check were both completed and archived.
  • 2026-03-29 Auth survivability. Fresh login + authenticated processing survived an intentional auth-path outage. Continuity evidence — not auth-plane HA, not unplanned node-loss tolerance.
  • 2026-03-29 Restored-state cutover with vault read-back. Public traffic was served from a restored state. The latest rerun confirmed oldest + newest restored vault rows decrypt under the restored environment. Narrow read-back, not full-vault verification.
  • 2026-03-29 Alternate public path under operator control. datasitr.com was served through an alternate public path. The current HA posture is now proven by the 2026-05-04 ACK customer-route bundle; this row remains historical continuity evidence.
  • 2026-04-06 Planned-maintenance continuity on the live public API. The live public API completed planned continuity work successfully on the public path. Most recent dated proof at the time of writing.

Pilot support runs through a direct operator channel while a formal support policy is finalized. As of 2026-05-04, multi-AZ ACK ingress has verified cutover + 4-hour soak evidence; failover drills are planned. Full-vault verification, HSM custody, and unplanned full-region failure tolerance remain separate steps.

08

Scaling path

Pilot → Growth → Enterprise. Same components; replicas + state stores scale up, runtime topology stays identical.

Pilot: Saudi-hosted pilot path for initial evaluation. Single-VPS Docker Compose path is supported. Fastest route to a working environment with full audit + signed-evidence surfaces. Suitable for due-diligence pilots before a procurement decision. (1–10 tenants)

Growth: Helm-guarded 2× replicas with shared Postgres + Redis. Dated continuity evidence covers public rolling deploy, isolated restore recovery, auth survivability, and restored-state cutover. Alibaba ACK guided Kubernetes is the canonical target; high-availability mode is on by default. (10–50 tenants)

Enterprise: Multi-instance with alternate public path and restored-state proof. As of 2026-05-04, multi-AZ ACK ingress has verified cutover + 4-hour soak evidence; failover drills are planned. Full-vault verification, HSM custody, and unplanned full-region failure tolerance remain separate steps. (50+ tenants)
09

On the roadmap

Next investments on the enterprise track — explicit and dated. None of these block a pilot today.

  • SOC 2 / ISO 27001: controls are implemented in product; independent audit planned, not yet booked.
  • Contractual SLA: planned for production tiers; pilots run on a direct operator channel.
  • Formal support tiers: pilot support is on a direct operator channel while the support policy is finalized.
  • SSE streaming: exists in the routing surface; downstream backend behavior still varies by provider.
  • Off-host backup: workflow is verified on pilot; production rollout in flight.
  • Immutable-evidence retention: final retention configuration in flight; does not retroactively cover legacy unsequenced rows.
