Use any AI model. Raw Saudi personal data stays in Saudi. Compliance built in. This page gives your team the artifacts to verify that claim in 60 seconds.
Pick your path
You should not need to read the whole site first. Choose the closest role, open the short packet, and bring that packet to a 30-minute call.
DPO and legal teams: PDPL role split, Article 29 posture, subject rights, DPA/SCC, and DPIA fit.
Security leads: signed evidence, isolation, encryption, subprocessors, known constraints, and benchmark artifacts.
Business buyers: what DataSitr does, which tier to discuss, who needs to review, and what is not yet claimed.
Five fast checks for a procurement or diligence team, plus security reviewers. Open the files, run the commands, and skip the sales summary.
curl -s https://datasitr.com/resources/control_matrix.json | jq '.summary'
python3 scripts/verify_compliance_reviewer_bundle.py <bundle-path> --trusted-public-key <trusted-key.pem>
python3 scripts/validate_pdpl_citations.py
The six questions enterprise reviewers ask first, with the artifact or live surface that answers each one.
DataSitr uses automatic privacy routing to catch and tokenize PII before external AI calls. Start with the public matrix summary and trust page, then request the signed reviewer bundle for control-level inspection.
Vault encryption uses AES-256-GCM with per-tenant key derivation. The current live baseline continues to bootstrap its startup master key through Alibaba KMS on ACK.
The live pilot includes subject-rights tooling, consent withdrawal, subject export PDF, and related audit surfaces. The public compliance page summarizes the right/destruction split, and the signed reviewer bundle carries the control-level mapping.
Yes, within the published proof boundary: use the public control-matrix summary, the compliance reviewer pack, the benchmark artifacts, and the signed reviewer-bundle verification flow.
The live pilot includes breach-register management alongside related compliance surfaces. Reviewers should inspect the compliance page, the control matrix, and the regulatory-audit references rather than relying on generic marketing claims.
One centralized list on the compliance page covers the items buyers ask about first — no external pen-test completed, no completed provider SCC/DPA/TIA package, no HSM-backed custody, no regulator-awarded status, no full-vault verification, and no unplanned full-region failure tolerance claim. Procurement, security, and legal reviewers all see the same explicit constraints from one place.
Two commands, five deep links. If the numbers or wording matter to your team, validate them from the published JSON and reviewer pack — not from screenshots or forwarded notes.
Four product surfaces your team can inspect during a pilot — operating today, not on a roadmap slide.
One published list, one page, one source of truth. Procurement, security, and legal reviewers all read the same constraints from /compliance — by design.
Centralizing every constraint on a single public page is itself an architectural choice. It means buyers don't have to chase footnotes across the site, every reviewer sees the same wording, and we can't accidentally claim something on one page we've ruled out on another.
The current published constraints include: external penetration test (not yet completed), provider SCC/DPA/TIA package (not yet completed), HSM-backed key custody (not claimed), regulator-awarded status (not awarded), full-vault verification (separate), and unplanned full-region failure tolerance (not claimed).
Trial intake
The trial request flow is scaffolded for a future self-serve window: approved prospects receive a scoped 14-day green-lane API key, expiry is enforced automatically, and live account issuance stays operator-approved. Until the self-serve flag is activated, request access through the founder/DPO and include your tenant name plus intended use case.