TL;DR

A non-legal checklist for reviewing Saudi PDPL, NCA references, hosting, transfers, subprocessors, contracts, and security controls for customer communications.

Start by determining which requirements apply

Saudi organizations can face different personal-data, cybersecurity, sector, telecom, contractual, and transfer requirements. Applicability depends on the entity, data, purpose, systems, and sector. Use this as a procurement checklist, review current official publications, and obtain qualified legal and security advice.

1. The Personal Data Protection Law (PDPL)

Saudi PDPL governs the processing of personal data, including customer names, phone numbers, message content, and call recordings. Requirements can include a valid legal basis, clear notices, purpose limitation, data minimization, security, retention controls, rights handling, and safeguards for cross-border transfers. It does not create one universal rule that every workload must always remain inside Saudi Arabia; confirm the rules that apply to your organization and sector with qualified counsel.

2. NCA Essential Cybersecurity Controls (ECC)

The National Cybersecurity Authority publishes controls such as the Essential Cybersecurity Controls. Applicability varies by entity, sector, contract, and regulatory scope. Security buyers can still use the controls as a reference when reviewing access management, encryption, logging, vulnerability management, backup, incident response, and supplier risk.

3. Document hosting, subprocessors, and data flows

A local vendor does not automatically make a deployment compliant. Map where each data type enters, is stored, is backed up, and is sent by connected channels or AI providers. Ask SkyLight Chat to document the configuration available for your plan and capture residency, deletion, access, and incident commitments in the contract.

4. Security Audit Checklist for Saudi Enterprise IT Buyers

  • Official references: review the current SDAIA and National Cybersecurity Authority publications, then confirm applicability with qualified counsel.
  • Residency: Confirm the selected region for files, transcripts, recordings, backups, and subprocessors, and document whether it meets your requirements.
  • Access Control: Ensure granular role-based permissions are enabled for your customer support staff.
  • Webhook verification: Confirm the documented authentication or signing method, then test replay, failure, rotation, and secret-storage behavior.
  • Session Auditing: Maintain logs of administrative logins, client exports, and database queries.