Trust & Security

Skyline operates from inside the Kingdom of Saudi Arabia. The Service runs on Oracle Cloud Infrastructure's Riyadh region (me-riyadh-1) — a public-cloud region operated from data centers within Saudi territory. Mailboxes, attachments, calendars, contacts, account records, and audit logs are stored on Saudi soil by default.

Where the Service makes encrypted off-site backups (described below), the encryption is performed inside the Saudi region before the ciphertext leaves the country. The backup provider holds ciphertext only and cannot read mailbox content.

Saudi data residency is not an afterthought; it is a design constraint of the platform.

• Saudi Personal Data Protection Law (PDPL) — the Service is engineered against the obligations of the PDPL and its Implementing Regulations. The Privacy Policy is the operating document.
• ZATCA e-invoicing — invoices issued through the Service are fully ZATCA Phase 2 compliant, including the QR code, hash chain, and prescribed XML schema.
• ISO/IEC 27001 — controls aligned to the standard. Certification work is on the published roadmap.
• Saudi Cybersecurity Framework (NCA ECC, Aramco SACS-210) — control mapping maintained for customers operating in regulated sectors who require alignment.
• SOC 2 — controls aligned to the AICPA Trust Services Criteria for Security and Confidentiality. Audit work on the roadmap.

At rest. Mailbox content, attachments, database volumes, and backup objects are encrypted with AES-256. Disk-level encryption is provided by the cloud provider; Skyline manages an additional application-level envelope-encryption tier for backup artifacts.

In transit, customer-facing. Every customer-facing endpoint — the portal, IMAP, SMTP submission, EWS, MAPI, ActiveSync, and the webmail interface — accepts only TLS 1.2 or 1.3, with modern cipher suites and HSTS preload. TLS 1.0, TLS 1.1, and SSLv3 are disabled.

In transit, server-to-server mail. Inbound mail is accepted with opportunistic TLS by default, and we publish MTA-STS and DANE records for our domain so that conformant senders enforce strict TLS to our edge MTAs. Outbound mail uses MTA-STS where the recipient publishes it.

Backups. Off-site encrypted backups (see "Backups" below) are sealed with the modern age file-encryption format using a public key whose private half never leaves Saudi infrastructure.

Skyline operates a nightly off-site backup of mailbox stores, configuration, and database dumps. Backups are encrypted with age using a public key whose private half is held by Skyline inside the Saudi region and is also kept on offline media as a recovery contingency.

Backups are stored at Backblaze B2, a cost-efficient long-term ciphertext store. Backblaze never holds the decryption key. Retention is rolling 30 days; older backups are cryptographically destroyed by deleting the relevant per-snapshot key.

Restoration of an individual mailbox to a point in time within the retention window is supported by Skyline operations on customer request through a Severity 2 ticket.

• Two-factor authentication (2FA) — supported via TOTP (Authy, Google Authenticator, 1Password, Bitwarden, etc.) and via WebAuthn / FIDO2 hardware security keys (YubiKey, Apple Passkeys, Windows Hello). 2FA is mandatory for any user with administrative privileges on a Skyline tenant; it is strongly recommended for every user and can be enforced organization-wide by an admin.
• OAuth sign-in — Sign in with Google, Microsoft, or Apple via standards-based OAuth 2.0 / OpenID Connect.
• Session management — short authenticated sessions with idle timeout, plus a long-lived "remember me" option that re-authenticates without storing a recoverable secret.
• IP-based session security — sign-in events are recorded with the source IP, user agent, and approximate geographic origin, surfaced to the customer in the Security tab.
• Audit logging — every administrative action on the tenant is recorded in an immutable, append-only audit log: actor, timestamp, source IP, target object, before / after state where applicable.
• Skyline staff access — operations staff who require administrative access to production hold a hardware security key (FIDO2). Production database access is gated behind 2FA + WebAuthn; every privileged action is logged.

• SPF, DKIM, DMARC — generated automatically per domain. We ship sensible defaults that customers can tighten over time.
• BIMI — supported on Business plan for verified senders.
• Anti-spam and anti-phishing — multi-layer pipeline combining reputation, content, and behavioural signals. Decisions are made on metadata + transient body access; no message body is persisted to log storage.
• Antivirus — every message is scanned with an actively updated engine; infected attachments are stripped or quarantined per Customer policy.
• TLS reporting (TLSRPT) — we publish TLS-RPT for our domains and act on inbound aggregate reports.

The current sub-processor list is published in the Privacy Policy and is reproduced here for convenience:

• Oracle Cloud Infrastructure (Riyadh region) — primary compute, block storage, and networking.
• Backblaze B2 — ciphertext-only off-site backups.
• Cloudflare — DNS, anti-DDoS, and TLS termination for the marketing site (the authenticated portal does not proxy through Cloudflare).
• Moyasar / Neoleap — Saudi-licensed PCI-DSS Level 1 payment processing.
• ip-api.com — IP-to-country lookup for the security login log.

Customers receive at least 30 days' notice by email before a sub-processor is added or its scope is materially changed.

• Quarterly internal penetration testing — performed by Skyline's security team against the staging and production environments, with findings tracked to remediation against published severity timelines.
• Annual external penetration testing — performed by an independent third party. The summary letter is available to enterprise customers under NDA.
• Continuous dependency scanning — every code-change pull request runs SCA, SAST, and secret-detection checks.
• Patch management — operating-system, runtime, and application dependencies are tracked; high-severity patches are applied within 72 hours of public disclosure where the issue is exploitable in our configuration.

If you have discovered a vulnerability in Skyline Cloud Email, please report it to security@alskyline.com. We commit to:

• Acknowledging the report within 2 business days.
• Providing an initial triage outcome within 5 business days.
• Crediting the reporter publicly (with consent) once a fix is deployed.
• Considering a discretionary financial reward for impactful, responsibly disclosed findings. We do not yet operate a formal bug-bounty programme, but we are happy to discuss compensation case-by-case.

We will not pursue legal action against a researcher who acts in good faith and within the spirit of coordinated disclosure: only test against accounts you own, do not access another customer's data, do not degrade Service availability, do not disclose publicly before we have shipped a fix or reasonable time has elapsed.

Skyline maintains a documented incident-response runbook covering detection, containment, eradication, recovery, and post-incident review. A 24×7 on-call rotation responds to high-severity alerts.

In the event of a confirmed personal-data breach affecting customers, Skyline will notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within 72 hours in accordance with the PDPL Implementing Regulations, and will notify each affected customer directly via the registered administrator email address.

Following a Severity 1 incident, Skyline publishes a post-mortem within five business days summarizing the root cause, customer impact, and corrective actions, available to affected customers on request.

Skyline operates with redundancy at every layer: stateless application instances behind a load balancer, replicated database storage, and snapshot-based recovery. Recovery objectives:

• RPO (recovery-point objective) — under 24 hours, anchored on the nightly backup window. Routine database replication achieves a much shorter window in practice.
• RTO (recovery-time objective) — under 4 hours for full-tenant restoration in the worst-case scenario.

A documented disaster-recovery runbook is exercised at least annually.

• Background-checked staff. Every member of staff with production access has been background-checked.
• Confidentiality. All staff sign a confidentiality agreement covering Customer Content and operational telemetry.
• Least-privilege access. Production access is granted role-by-role, with separation of duties between developers, operators, and on-call responders.
• Security training. Annual refresher training on phishing, secret handling, secure coding, and incident response.

Enterprise customers and prospects evaluating Skyline Cloud Email may request the following materials:

• A current security questionnaire response (SIG-lite or CAIQ).
• Sub-processor list with locations.
• Summary of the most recent external penetration test.
• Data Processing Addendum (DPA) under PDPL.

Please write to security@alskyline.com or legal@alskyline.com. We typically respond within 3 business days.