Trust at Rasid

This page is for procurement and security teams doing diligence on Rasid. Every claim is specific and dated. Where a document still depends on an owner action (e.g. the lawyer-reviewed PDPL disclosure), the page says so explicitly — we don't paper over trust gaps.

PDPL alignment (Saudi data-protection law)

Rasid is a Saudi-resident operation handling personal data of Saudi enterprises. PDPL is the operative law, not a Western proxy. Specifics:

Lawful basis

Processing relies on (a) explicit consent for demo-request and marketing contact, and (b) contract for ongoing dark-web monitoring service. Customers receive a Data Processing Agreement (DPA) before service activation.

Data residency

Hosting is PDPL-aligned with full cross-border transfer disclosure provided in every customer DPA (under NDA before contract signing). KSA data residency is on our roadmap, triggered by either a regulated-sector customer signing or three paying customers reaching contract.

Retention

Customer-tenant data: retained for the contract duration plus 90 days (export/dispute window), then irreversibly deleted. Marketing leads (demo-request): retained 24 months from last contact, then deleted. Logs: 30 days unless required for a security investigation.

Data subject rights

DSAR (export + erasure) primitives are in the product from Phase 1. Requests go to [email protected] and resolve within 30 days, the PDPL ceiling. Disputes escalate via the Saudi Data and AI Authority (SDAIA).

Full disclosure document

A Saudi-lawyer-reviewed PDPL disclosure document is in flight. Available on request via [email protected] once finalized; tracked publicly at issue #295.

Sub-processors

We don't subcontract any monitoring or detection work — that's all in-house. Where we use external vendors (compute, email delivery, edge networking), the full list is in our Data Processing Agreement (DPA).

We disclose all sub-processors in our DPA, provided to prospective customers under NDA before contract signing. Request the DPA at [email protected]. Sub-processor changes are announced to active customers ≥ 30 days before activation via the same channel.

NCA ECC roadmap (cybersecurity controls — Saudi)

NCA Essential Cybersecurity Controls v2 (ECC-2) are the Saudi authority's mandatory cybersecurity baseline. Rasid's roadmap to formal self-assessment + attestation:

Phase 1 (now)

ECC-2 sub-controls implemented as in-product baseline: §1 governance (ADR + sign-off process), §2 asset management (TPRM intake per vendor — #1493), §3 cybersecurity workforce (training records being tracked), §4-1 third-party security (DPA-gated sub-processor disclosure).

Phase 2 (post-Phase-1)

Formal self-assessment against the full ECC-2 matrix. Gap-remediation prioritized by sub-control criticality. Target: complete self-assessment + remediation backlog before second paying customer.

Phase 3 (post-Jeddah migration)

Independent third-party attestation against ECC-2. Target: ships concurrently with the in-Kingdom residency milestone, so customers can move to local hosting and attested compliance in a single quarter.

ECC-2 self-assessment summary (sub-control status, last review date) is available to active customers + qualified prospects under NDA via [email protected].

Security contact + breach notification

Email

[email protected] for security findings, responsible disclosure, customer security questionnaires, sub-processor objections, and PDPL-related queries. Watched during KSA business hours; out-of-hours contact is via the in-product on-call rotation (Phase 2+).

PGP

The PGP key for security@ is being generated and will be published at https://rasid.cc/.well-known/openpgp/security.asc once issued. Until then, prefer the Forgejo security-advisory mechanism for sensitive findings.

Breach notification SLA

If we suffer a breach involving tenant data, we notify affected customers within 72 hours of confirmation per PDPL Art. 24. Notification includes: data categories affected, severity assessment, mitigation timeline, and contact for further questions.

Disclosure cadence

This page is reviewed quarterly + on every material change (new sub-processor, jurisdiction change, breach). Sub-processor changes go out by email ≥ 30 days before activation. The latest review date is shown in the page footer below.

Last reviewed: 2026-05-18

If your procurement workflow needs Rasid to fill a vendor-security questionnaire or sign your DPA template, send it to [email protected]. We reply within 1 business day, KSA hours.