Compliance Center
Skyline Cloud is <strong>built to align with</strong> the Kingdom of Saudi Arabia's cybersecurity and data-protection frameworks. Our alignment is verified by an <strong>internal automated compliance check</strong> that maps our implemented controls to PDPL, NCA ECC, NCA CCC, CMA, and SAMA requirements. Please note that <em>alignment is not the same as a formal certification</em>: certification or accreditation is assessed and granted by the respective regulatory authority, not by Skyline Cloud. This page describes, honestly and in plain terms, the concrete controls we have verified internally and how they map to each framework. For any compliance request you may contact us at <a href="mailto:dpo@alskyline.com">dpo@alskyline.com</a> or <a href="mailto:legal@alskyline.com">legal@alskyline.com</a>.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
How we verify alignment
We do not ask you to take our word for it. Skyline Cloud runs an automated internal compliance check that continuously maps the technical and organizational controls we operate to the requirements of the Saudi frameworks listed below. The check is a self-assessment tool that helps us catch drift early; it is not an independent audit and does not produce a certification.
Throughout this page we use the words “aligned with,” “built to align with,” and “designed to meet.” We deliberately avoid the words “certified,” “compliant,” “audited,” or “guaranteed,” because formal certification and accreditation are assessed and granted only by the relevant authority (for example SDAIA, the NCA, the CMA, or SAMA).
- Controls are mapped to PDPL, NCA ECC, NCA CCC, CMA, and SAMA requirements.
- The check runs internally and is used for continuous self-assessment, not as a substitute for regulatory assessment.
- Certification status is determined by the authority, not by Skyline Cloud.
PDPL — Personal Data Protection Law (SDAIA)
The Personal Data Protection Law (PDPL), overseen by the Saudi Data & AI Authority (SDAIA), governs how personal data of individuals in the Kingdom is collected, processed, stored, and transferred. Skyline Cloud is built to align with PDPL as a data controller for our own account data and as a processor of customer (tenant) personal data.
- All customer data and backups are hosted in-Kingdom (Riyadh) only, with no off-shore backup provider, supporting data-residency expectations.
- Per-tenant data isolation is enforced and verified by automated tests so one customer cannot access another's data.
- Field-level application encryption for sensitive personal data, in addition to AES-256 encryption at rest at the infrastructure layer.
- Defined data retention with encrypted daily in-Kingdom backups kept for 30 days and database point-in-time recovery.
- Support for data-subject rights (access, correction, deletion) — see our Your Data Rights page.
- Personal-data breach handling: we notify SDAIA within 72 hours of becoming aware where harm is possible, and affected data subjects without undue delay.
- Consent and lawful-basis tracking documented in our Consent & Lawful Basis notice.
NCA ECC-2:2024 / ECC-1:2018 — Essential Cybersecurity Controls
The National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) set the baseline cybersecurity requirements for organizations operating in the Kingdom, covering governance, defense, resilience, and identity and access management. Skyline Cloud is designed to meet the relevant ECC domains.
- Identity & access management: mandatory two-factor authentication (2FA) for all administrators, including tenant administrators.
- Hardened access: administrative server access is key-based only; password and root-password login are disabled.
- Cryptography: TLS 1.2/1.3 only on public endpoints, AES-256 encryption at rest, plus field-level application encryption.
- Logging & monitoring: centralized authentication and administrative audit logging.
- Email and content protection: anti-spam and anti-virus filtering with SPF, DKIM, and DMARC enforcement.
- Resilience: encrypted daily in-Kingdom backups with 30-day retention and database point-in-time recovery.
- Operational safeguards: rate limiting on public endpoints and destructive database commands blocked in production.
NCA CCC-1:2020 — Cloud Cybersecurity Controls
The NCA Cloud Cybersecurity Controls (CCC-1:2020) extend the ECC with requirements specific to cloud service providers and their tenants, including data location, tenant separation, and shared-responsibility expectations. As a Saudi cloud provider, Skyline Cloud is built to align with the cloud-service-provider controls relevant to our offering.
- In-Kingdom hosting: all production data and backups reside in Riyadh, Kingdom of Saudi Arabia, with no off-shore backup provider.
- Tenant separation: per-tenant data isolation enforced and verified by automated tests.
- Key protection: SSL private keys are generated on a hardened node isolated from the mail and portal systems.
- Backup and recovery: encrypted daily in-Kingdom backups with 30-day retention and database point-in-time recovery.
- Administrative controls: mandatory 2FA for administrators and centralized audit logging across the platform.
- Transparency on shared responsibility: roles between Skyline Cloud and the customer are described in our Data Processing Agreement and Sub-processors page.
CMA Cybersecurity Guidelines (capital-market clients)
The Capital Market Authority (CMA) Cybersecurity Guidelines set expectations for entities operating in the Saudi capital market and their technology providers, covering data protection, access control, and incident handling. For capital-market clients, Skyline Cloud is built to align with the relevant guideline areas; the client remains responsible for its own CMA obligations.
- Data residency: customer data and backups kept in-Kingdom (Riyadh) only.
- Strong access control: mandatory 2FA for all administrators and key-only server access.
- Encryption: TLS 1.2/1.3 in transit, AES-256 at rest, and field-level application encryption.
- Auditability: centralized authentication and administrative audit logging.
- Incident response: documented breach handling and notification process — see our Personal Data Breach Notification policy.
SAMA Cyber Security Framework (Saudi-Central-Bank-regulated clients)
The Saudi Central Bank (SAMA) Cyber Security Framework sets cybersecurity requirements for financial institutions regulated by SAMA and their service providers, covering governance, risk, resilience, and third-party management. For SAMA-regulated clients, Skyline Cloud is designed to meet the relevant framework domains; the regulated client retains accountability for its own SAMA compliance.
- In-Kingdom data and backups in Riyadh, with no off-shore backup provider.
- Layered encryption: TLS 1.2/1.3 on public endpoints, AES-256 at rest, and field-level application encryption.
- Privileged access protection: mandatory 2FA for administrators, key-only access, and root-password login disabled.
- Key isolation: SSL private keys generated on a hardened node separated from mail and portal systems.
- Resilience: encrypted daily backups with 30-day retention and database point-in-time recovery.
- Monitoring and change safety: centralized audit logging and destructive database commands blocked in production.
- Third-party transparency: our Sub-processors list and DPA support third-party risk reviews.
Document index
The following public documents describe our privacy, security, and contractual commitments in detail. For questions about any of them, contact privacy@alskyline.com, security@alskyline.com, or legal@alskyline.com.
- Privacy Notice — how we collect, use, and protect personal data.
- Data Processing Agreement (DPA) — our processing terms when we act on your instructions.
- Sub-processors — the third parties that may process data on our behalf.
- Your Data Rights — how to exercise access, correction, and deletion rights.
- Data Retention — how long we keep data and how we delete it.
- Personal Data Breach Notification — how we detect, handle, and notify breaches.
- Consent & Lawful Basis — the lawful grounds on which we process data.
- Trust & Security — an overview of our security posture and controls.
- Acceptable Use — the rules for using our services responsibly.
- Cookie Policy — how we use cookies and similar technologies.
- Terms — the terms governing use of Skyline Cloud.
- SLA — our service-level commitments.
Governing law and contact
Skyline Cloud is operated by Skyline Solutions, Riyadh, Kingdom of Saudi Arabia. This Compliance Center and all related documents are governed by the laws of the Kingdom of Saudi Arabia, and any dispute is subject to the courts of Riyadh.
For compliance, data-protection, or security matters, contact our Data Protection Officer at dpo@alskyline.com, our security team at security@alskyline.com, or our legal team at legal@alskyline.com. General privacy enquiries: privacy@alskyline.com. Our services are available at cloud.alskyline.com.