Regulatory compliance

Built on Saudi law

Every architectural decision in TraceVault is evaluated against Saudi regulatory frameworks — compliance is not an add-on, it's the foundation of the design.

Regulatory frameworks

Comprehensive regulatory coverage

M/43

Saudi Evidence Law

Articles 67–69: digital evidence is court-admissible provided integrity, source, timestamp, and custody chain are proven.

PDPL

Personal Data Protection Law

Article 29 and its Executive Regulations: protecting residents' personal data, with data remaining in-Kingdom.

ECC

NCA — Essential Cybersecurity Controls

ECC-1:2018 and ECC-2:2024: governance, defense, resilience, and data security across five domains.

SAMA

Central Bank Cyber Security Framework

SAMA CSF for banking and financial-sector clients, including operations and technology.

MOJ

Ministry of Justice

MOJ digital evidence platform recognition pathway via legal counsel.

TLS

Cryptographic standards

AES-256-GCM at rest, TLS 1.3 in transit, RFC 3161 timestamping, and a crypto-agility framework.

Digital evidence is admissible in Saudi courts provided its integrity is established and its source verified.

Saudi Evidence Law · Royal Decree M/43 · Articles 67–69 · 2022

Data sovereignty

100% in-Kingdom — no exceptions

All components — storage, encryption keys, backups, monitoring logs, and development copies — reside in the me-central-1 (Riyadh) region. A region-lock policy denies any operation outside it, and disaster-recovery backups stay in the same region across a different availability zone.

  • me-central-1 (Riyadh) region via STC
  • Region-lock denies all external access
  • Encryption keys exist in-Kingdom only
  • Disaster recovery within the same region

Independent attestations (NCA compliance audit, penetration testing, MOJ recognition) require accredited external parties and cannot be self-attested.