Data Processing Agreement (DPA)
This Data Processing Agreement (the <strong>"DPA"</strong>) governs the processing of personal data by <strong>Skyline Solutions</strong> ("<strong>Skyline Cloud</strong>", "we", "us") on behalf of its customers in connection with the Skyline Cloud hosting, business email, DNS, and SSL services available at <a href="https://cloud.alskyline.com">cloud.alskyline.com</a>. In this DPA the <strong>customer acts as the data controller</strong> and <strong>Skyline Cloud acts as the data processor</strong>. This DPA is built to align with the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations, and forms an integral part of the main service agreement between the parties. For any questions, contact <a href="mailto:privacy@alskyline.com">privacy@alskyline.com</a> or our Data Protection Officer at <a href="mailto:dpo@alskyline.com">dpo@alskyline.com</a>.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
1. Roles and Definitions
Under the Saudi Personal Data Protection Law (PDPL), the Controller is the party that determines the purpose and manner of processing personal data, and the Processor is the party that processes personal data on behalf of, and under the instructions of, the Controller.
For all personal data that the customer stores in, transmits through, or generates within the Skyline Cloud service (the "Customer Personal Data"), the customer is the Controller and Skyline Cloud is the Processor. Where Skyline Cloud engages another party to assist in processing, that party acts as a sub-processor.
Terms such as "personal data", "processing", "data subject", "competent authority", and "sensitive data" carry the meanings given to them under the PDPL and its Implementing Regulations. The competent supervisory authority is the Saudi Data and Artificial Intelligence Authority (SDAIA).
2. Subject Matter and Duration
The subject matter of the processing is the provision of cloud hosting, business email, DNS, and SSL services to the customer, including the storage, hosting, transmission, and protection of Customer Personal Data necessary to deliver those services.
This DPA applies for the entire duration during which Skyline Cloud processes Customer Personal Data on the customer's behalf, beginning when the customer first uses the service and continuing until the deletion or return of Customer Personal Data in accordance with the section on return and deletion below. Obligations that by their nature should survive termination (such as confidentiality) continue after the service ends.
3. Nature and Purpose of Processing
Skyline Cloud processes Customer Personal Data solely to provide and support the contracted services. The nature of processing includes hosting and storage, secure transmission, backup and recovery, access management, email routing and filtering, DNS resolution, certificate issuance and management, and technical support — all as needed to operate the service.
- Provide the service: host, store, and transmit Customer Personal Data as instructed by the customer.
- Secure the service: apply security, anti-spam, anti-malware, authentication, and access controls.
- Maintain availability: perform backups, recovery, monitoring, and capacity management.
- Support the customer: respond to technical support requests and troubleshoot issues.
- Meet legal obligations: retain or disclose data where required by applicable Saudi law or a binding order from a competent authority.
4. Types of Personal Data and Categories of Data Subjects
The customer, as Controller, determines and controls the categories of personal data and data subjects placed into the service. The actual scope depends entirely on how the customer uses the service. Typical categories are listed below for illustration.
The customer is responsible for ensuring it has a lawful basis under the PDPL for the personal data it processes through the service, and should avoid placing sensitive data in the service except where it has confirmed an appropriate lawful basis and any additional safeguards the PDPL requires.
- Types of personal data: names, email addresses, login identifiers and authentication data, contact details, message and mailbox content, files and documents uploaded by the customer, DNS and domain records, and technical metadata such as IP addresses, timestamps, and activity logs.
- Categories of data subjects: the customer's staff and administrators, the customer's own clients and contacts, email senders and recipients, and any other individuals whose personal data the customer chooses to store in or send through the service.
5. Skyline Cloud's Obligations as Processor
As Processor, Skyline Cloud commits to the following obligations, which are designed to meet the requirements placed on processors under the PDPL and its Implementing Regulations.
- Documented instructions: process Customer Personal Data only on the customer's documented instructions, including the instructions set out in the service agreement and this DPA, unless required otherwise by applicable Saudi law — in which case we will inform the customer of that requirement before processing, unless the law prohibits such notice.
- Confidentiality of staff: ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are granted access only on a need-to-know basis.
- Security measures: implement and maintain appropriate technical and organizational security measures (see the Security section below) proportionate to the risk.
- Sub-processors: engage sub-processors only with the customer's authorization, with prior notice of any intended change and an opportunity to object, and under written terms imposing data protection obligations equivalent to those in this DPA (see the Sub-processors section).
- Data-subject requests: assist the customer, by appropriate technical and organizational measures, in responding to requests from data subjects exercising their PDPL rights.
- Breach assistance: assist the customer in meeting its breach-notification and security obligations (see the Breach Notification section).
- Return or deletion: return or delete Customer Personal Data on termination as set out below.
- Audit support: make available information reasonably necessary to demonstrate compliance with these obligations and support audits and inspections as described below.
6. Security Measures
Skyline Cloud maintains technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing, loss, destruction, or damage. Our internal compliance checks are mapped to the PDPL and to relevant Saudi frameworks including the NCA Essential Cybersecurity Controls (ECC) and Cloud Cybersecurity Controls (CCC), as well as applicable CMA and SAMA expectations. These measures are reviewed and may be updated as the service evolves; this list does not constitute a certification. Formal certification against any framework is assessed by the respective authority.
Current measures include the following.
- In-Kingdom hosting: Customer Personal Data and backups are hosted in the Kingdom of Saudi Arabia (Riyadh) only, with no off-shore backup provider.
- Encryption in transit: public endpoints use TLS 1.2 / 1.3 only.
- Encryption at rest: infrastructure-layer encryption using AES-256, plus field-level application encryption for selected sensitive fields.
- Certificate key isolation: SSL private keys are generated on a hardened node isolated from the mail and portal systems.
- Strong administrator authentication: two-factor authentication (2FA) is mandatory for all administrators, including tenant administrators; administrative system access is key-based, with password and direct privileged login disabled.
- Tenant isolation: per-tenant data isolation is enforced and verified through automated tests.
- Backups and recovery: encrypted daily in-Kingdom backups with 30-day retention, plus database point-in-time recovery.
- Logging and monitoring: centralized authentication and administrative audit logging.
- Email and abuse protection: anti-spam and anti-malware filtering, SPF/DKIM/DMARC, and rate limiting.
- Operational safeguards: destructive database commands are blocked in production, and an automated internal compliance check is mapped to PDPL, NCA-ECC, CCC, CMA, and SAMA expectations.
7. Sub-processors
The customer authorizes Skyline Cloud to engage sub-processors to support the delivery of the service. Where Skyline Cloud engages a sub-processor, it will impose, through a written agreement, data protection obligations equivalent to those set out in this DPA, and remains responsible to the customer for the sub-processor's performance of those obligations.
Skyline Cloud will provide prior notice of any intended addition or replacement of a sub-processor that processes Customer Personal Data, giving the customer a reasonable opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, the customer may terminate the affected service in accordance with the main service agreement.
Consistent with our security commitments, hosting and backups of Customer Personal Data remain in the Kingdom of Saudi Arabia.
8. Assistance with Data-Subject Requests
The PDPL grants data subjects rights including the right to be informed, to access their personal data, to request correction, and to request deletion or destruction in defined circumstances. Because the customer is the Controller, requests from data subjects should be directed to the customer.
Where a data subject contacts Skyline Cloud directly regarding Customer Personal Data, we will, without undue delay, refer them to the customer and notify the customer where permitted. Taking into account the nature of the processing, Skyline Cloud will provide reasonable assistance through appropriate technical and organizational measures to help the customer respond to and fulfill valid data-subject requests.
9. Personal Data Breach Notification
Skyline Cloud will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to help the customer meet its own notification obligations and to investigate and remediate the breach.
Under the PDPL framework, where a breach may cause harm, the Controller is expected to notify SDAIA within 72 hours of becoming aware of the breach, and to notify affected data subjects without undue delay. As Processor, Skyline Cloud supports the customer in meeting these timelines but does not itself notify the supervisory authority on the customer's behalf unless separately agreed in writing.
To report a security concern, contact security@alskyline.com.
10. Return or Deletion of Data on Termination
On termination or expiry of the service, and at the customer's choice, Skyline Cloud will return Customer Personal Data to the customer in a commonly used format and/or delete existing copies, unless retention is required by applicable Saudi law.
After the return or deletion election, Customer Personal Data held in active systems will be deleted within a reasonable period. Residual copies present in encrypted backups are removed in the ordinary course as those backups age out under the 30-day retention cycle described above, after which they are no longer restorable.
11. Audits and Inspections
Skyline Cloud will make available to the customer information reasonably necessary to demonstrate compliance with the obligations in this DPA, and will support audits and inspections conducted by the customer or an independent auditor mandated by the customer.
Such audits will be conducted on reasonable prior written notice, during business hours, no more than once per year except where required by a competent authority or following a confirmed breach, and in a manner that respects confidentiality, the security of the platform, and the data of other tenants. Where appropriate, Skyline Cloud may satisfy audit requests by providing relevant documentation, summaries of its internal compliance checks, and written responses to reasonable security questionnaires.
12. International Transfers
Skyline Cloud's default position is that Customer Personal Data — including backups — is stored and processed in the Kingdom of Saudi Arabia, and is not transferred outside the Kingdom.
If any transfer of Customer Personal Data outside the Kingdom becomes necessary, it will be carried out only in accordance with the PDPL and its data-transfer provisions, relying on an appropriate lawful mechanism such as SDAIA-approved Standard Contractual Clauses or another safeguard recognized under the PDPL, and subject to any conditions the regulations require. We will not transfer Customer Personal Data outside the Kingdom in a manner inconsistent with the customer's documented instructions.
13. Relationship to the Service Agreement and Governing Law
This DPA forms an integral part of, and is incorporated into, the main service agreement between the customer and Skyline Cloud. In the event of a conflict between this DPA and the main service agreement on matters of personal data processing, this DPA prevails to the extent of that conflict. Except as expressly modified here, the main service agreement remains in full force.
This DPA is governed by the laws of the Kingdom of Saudi Arabia, and any dispute arising out of or in connection with it is subject to the exclusive jurisdiction of the competent courts of Riyadh.
This DPA may be updated to reflect changes in applicable law, regulatory guidance, or the service. For legal notices, contact legal@alskyline.com; for privacy and data protection matters, contact privacy@alskyline.com or the Data Protection Officer at dpo@alskyline.com.