Sub-processors
This page lists the third-party providers (sub-processors) that <strong>Skyline Cloud</strong>, operated by <strong>Skyline Solutions</strong> in Riyadh, Kingdom of Saudi Arabia, engages to help deliver our cloud hosting, business email, DNS and SSL services. We publish this list in the interest of transparency and to support our customers' own obligations under the Saudi Personal Data Protection Law (PDPL). Customer data and backups are hosted <strong>in-Kingdom (Riyadh) only</strong>, and we use <strong>no off-shore backup provider</strong>. We give customers <strong>at least 30 days' notice</strong> before adding or materially changing a sub-processor. This document is designed to align with the PDPL and applicable National Cybersecurity Authority guidance; it is not a certification.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
What is a sub-processor?
A sub-processor is a third party that we engage to process customer data on our behalf, or to provide infrastructure or services that are necessary to operate the Skyline Cloud platform. We remain responsible to our customers for the services we provide, and we engage sub-processors only where they are needed to deliver the platform reliably and securely.
We limit the number of sub-processors we rely on, prefer providers operating inside the Kingdom of Saudi Arabia where data is involved, and require each sub-processor to handle data only for the defined purpose. The categories below reflect the sub-processors we actually use. We do not list providers we do not use.
Current sub-processors
The following sub-processors are currently engaged across the Skyline Cloud platform, organized by category and role:
- Cloud infrastructure (compute, storage, networking) — Oracle Cloud Infrastructure, Riyadh region, Kingdom of Saudi Arabia. Hosts the compute, storage and networking for the service; all customer data stays in-Kingdom.
- Payment processing — Moyasar / Neoleap, Saudi-licensed PCI-DSS payment providers. Process card and online payments for billing; card data is handled inside the payment provider environment and is not stored by Skyline Cloud.
- Public marketing-site DNS & anti-DDoS — Cloudflare, used for the public marketing website only (alskyline.com). Customer content and the authenticated portal do not proxy through it.
In-Kingdom hosting and backups
Customer data and backups are hosted in the Kingdom of Saudi Arabia (Riyadh) only. We use no off-shore backup provider: backups do not leave the Kingdom.
We retain encrypted daily in-Kingdom backups with a 30-day retention period and maintain database point-in-time recovery. This design is intended to keep data residency and recovery within the Kingdom and to align with PDPL and applicable National Cybersecurity Authority guidance.
How we select and control sub-processors
We apply technical and organizational controls across the platform so that sub-processors operate within a secure, bounded environment. These controls are designed to meet PDPL and applicable National Cybersecurity Authority expectations; formal certification, where applicable, is assessed by the respective authority.
- Encryption: TLS 1.2/1.3 only on public endpoints; encryption at rest at the infrastructure layer (AES-256) plus field-level application encryption.
- Key isolation: SSL private keys are generated on a hardened node isolated from the mail and portal environment.
- Access control: mandatory two-factor authentication for all administrators, including tenant administrators; remote administrative access is key-based only, with password and root-password login disabled.
- Tenant isolation: per-tenant data isolation, verified by tests.
- Logging: centralized authentication and administrative audit logging.
- Mail and abuse protection: anti-spam and anti-virus filtering, SPF/DKIM/DMARC, and rate limiting.
- Operational safeguards: an automated internal compliance check mapped to PDPL, NCA-ECC, CCC, CMA and SAMA expectations, and destructive database commands blocked in production.
Notice of changes to sub-processors
We give customers at least 30 days' notice before we add a new sub-processor or make a material change to an existing one. Notice may be given through the customer portal, by email, or by updating this page with a revised effective date.
If a customer objects to a new or changed sub-processor on reasonable, data-protection grounds, the customer may contact us at privacy@alskyline.com so we can discuss the concern.
Personal data breach notification
Where a personal data breach involving a sub-processor occurs and harm is possible, we notify the Saudi Data and Artificial Intelligence Authority (SDAIA) within 72 hours of becoming aware of the breach, and we notify affected data subjects without undue delay, in line with the PDPL. Our procedures are designed to meet these requirements.
Governing law and contact
This page and the services it describes are governed by the laws of the Kingdom of Saudi Arabia, and the courts of Riyadh have jurisdiction over any related dispute.
For questions about this list or our use of sub-processors, contact us at: privacy@alskyline.com (privacy), dpo@alskyline.com (Data Protection Officer), security@alskyline.com (security), or legal@alskyline.com (legal). Our cloud portal is at cloud.alskyline.com and our marketing site is at alskyline.com.