Personal Data Breach Notification
This page explains how <strong>Skyline Cloud</strong>, operated by <strong>Skyline Solutions</strong> in Riyadh, Kingdom of Saudi Arabia, detects, manages and reports personal data breaches. Our incident process is <em>designed to align with</em> the breach-notification expectations of the Saudi Personal Data Protection Law (PDPL) and its regulator, the Saudi Data & AI Authority (SDAIA), and is <em>built to align with</em> the immediate-notification expectations of the National Cybersecurity Authority (NCA ECC), the Capital Market Authority (CMA) and the Saudi Central Bank (SAMA) for our regulated clients. Formal certification against any of these frameworks is assessed by the respective authority. You can reach our team at <a href="mailto:dpo@alskyline.com">dpo@alskyline.com</a>, <a href="mailto:privacy@alskyline.com">privacy@alskyline.com</a> or <a href="mailto:security@alskyline.com">security@alskyline.com</a>.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
What counts as a personal data breach
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data that we process — whether stored in our cloud hosting, business email, DNS, or related services.
A breach is not limited to an outside attacker. It can also arise from an internal error, a lost or stolen device, a misdirected message, or a failure that makes personal data unavailable when it is needed.
- Confidentiality breach — personal data is disclosed to, or accessed by, an unauthorized party.
- Integrity breach — personal data is altered without authorization.
- Availability breach — personal data is lost or made inaccessible (for example, through accidental deletion or a service outage affecting the data).
How we respond: detect, contain, eradicate, recover, review
We follow a structured, repeatable incident-response process. The same process is built to align with the immediate-notification expectations of NCA ECC, CMA and SAMA where those frameworks apply to a client, so that regulated customers can rely on a single, consistent response.
- Detect — we monitor centralized authentication and administrative audit logs, anti-spam/anti-virus signals, and rate-limiting alerts to identify suspicious activity early.
- Contain — we isolate affected systems and accounts to stop the breach from spreading and to limit its impact.
- Eradicate — we remove the root cause, revoke compromised credentials, and close the vulnerability that allowed the incident.
- Recover — we restore affected services and data from encrypted in-Kingdom backups, using database point-in-time recovery where appropriate, and confirm normal operation.
- Review — we conduct a post-incident review, record lessons learned, and update controls to reduce the chance of recurrence.
Notifying SDAIA within 72 hours
Where a personal data breach may cause harm to data or to data subjects, we notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware of the breach, in line with the PDPL.
Where the breach is likely to cause serious harm to data subjects, we also notify the affected individuals without undue delay so they can take steps to protect themselves.
What our notification contains
Our breach notifications are written to give the regulator and affected individuals the information they need to understand the incident and act on it. To the extent known at the time, a notification includes:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The likely consequences of the breach.
- The measures we have taken or propose to take to address the breach and to mitigate its possible adverse effects.
- Contact details for follow-up — our Data Protection Officer at dpo@alskyline.com — and, where relevant, recommended steps for affected individuals.
When we act as a processor for customers
For much of the personal data on our platform, our customers are the controller and Skyline Cloud acts as a processor on their behalf. In that role, where a breach affects a customer's data, we notify the affected customer (controller) immediately so they can meet their own notification obligations to SDAIA, to data subjects, and to any sector regulator that applies to them.
We support our customers with the information they need to assess the breach and prepare their own notifications, and we coordinate on containment and recovery.
Safeguards that reduce breach risk and impact
We maintain technical and organizational safeguards designed to reduce the likelihood of a breach and to limit its impact if one occurs. These controls are built to align with PDPL, NCA ECC, the Cloud Computing Controls (CCC), CMA and SAMA expectations; formal certification against these frameworks is assessed by the respective authority.
- Data residency — data and backups are hosted in-Kingdom (Riyadh) only, with no off-shore backup provider.
- Encryption — encryption at rest at the infrastructure layer (AES-256) plus field-level application encryption; TLS 1.2/1.3 only on public endpoints.
- Key protection — SSL private keys are generated on a hardened node that is isolated from the mail and portal services.
- Strong access control — mandatory two-factor authentication for all administrators, including tenant administrators; remote server access is key-based only, with password and root-password login disabled.
- Tenant isolation — per-tenant data isolation that is verified by automated tests.
- Resilient backups — encrypted daily in-Kingdom backups with 30-day retention, plus database point-in-time recovery.
- Monitoring and email security — centralized authentication and administrative audit logging, anti-spam and anti-virus, SPF/DKIM/DMARC, and rate limiting.
- Operational guardrails — an automated internal compliance check mapped to PDPL, NCA ECC, CCC, CMA and SAMA, and destructive database commands blocked in production.
Report a concern and how to contact us
If you believe your personal data may have been exposed, or you notice suspicious activity on a Skyline Cloud service, please contact us promptly so we can investigate.
This page is a public summary of our policy and is provided for transparency. It is not legal advice and does not, by itself, create rights or obligations beyond those set out in applicable law.
- Security incidents: security@alskyline.com
- Privacy and data subject requests: privacy@alskyline.com
- Data Protection Officer: dpo@alskyline.com
- Legal matters: legal@alskyline.com
Governing law and venue
This policy and any matter arising from a personal data breach are governed by the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law and its Implementing Regulations.
Any dispute relating to this policy shall be subject to the jurisdiction of the competent courts of Riyadh, Kingdom of Saudi Arabia.