Trust & Security
Skyline Cloud Email is built for organizations that take their email seriously. This page summarizes the technical, organizational, and procedural controls we use to keep your mail private, available, and recoverable. The binding language behind these summaries lives in the Privacy Policy and SLA.
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
Saudi data residency
Skyline operates from inside the Kingdom of Saudi Arabia. The Service runs on Oracle Cloud Infrastructure's Riyadh region (me-riyadh-1) — a public-cloud region operated from data centers within Saudi territory. Mailboxes, attachments, calendars, contacts, account records, and audit logs are stored on Saudi soil by default.
Backups stay in-Kingdom too: encrypted database, configuration and mailbox backups are retained on Saudi infrastructure in Riyadh. Nothing is shipped to an off-shore backup provider.
Saudi data residency is not an afterthought; it is a design constraint of the platform.
Compliance posture
- Saudi Personal Data Protection Law (PDPL) — the Service is engineered against the obligations of the PDPL and its Implementing Regulations. The Privacy Policy is the operating document.
- NCA Essential Cybersecurity Controls (ECC-2:2024 / ECC-1:2018) & Cloud Cybersecurity Controls (CCC-1:2020) — our technical controls are mapped to the NCA frameworks and verified by an internal automated compliance check that runs on a regular cadence.
- CMA & SAMA cybersecurity frameworks — for regulated financial customers we align to the Capital Market Authority and Saudi Central Bank (SAMA) cybersecurity expectations, including KSA data residency, tenant segregation, audit rights, and certified data deletion on exit.
- ZATCA e-invoicing — invoices issued through the Service support the ZATCA Phase 2 requirements, including the QR code, hash chain, and prescribed XML schema.
- ISO/IEC 27001 & SOC 2 — controls aligned to these standards; formal certification and audit work is on the published roadmap. Alignment is not the same as certification.
Full per-framework alignment, the complete document index (Privacy, DPA, sub-processors, data rights, retention, breach notification, consent) and our automated compliance check are in the Compliance Center.
Encryption — at rest, in transit, end to end of the platform
At rest. Storage volumes holding mailbox content, attachments, databases, and backups are encrypted with AES-256 at the infrastructure layer by the cloud provider; in addition, sensitive application fields are encrypted at the application layer.
In transit, customer-facing. Every customer-facing endpoint — the portal, IMAP, SMTP submission, EWS, MAPI, ActiveSync, and the webmail interface — accepts only TLS 1.2 or 1.3, with modern cipher suites and HSTS preload. TLS 1.0, TLS 1.1, and SSLv3 are disabled.
In transit, server-to-server mail. Inbound mail is accepted with opportunistic TLS by default, and we publish MTA-STS and DANE records for our domain so that conformant senders enforce strict TLS to our edge MTAs. Outbound mail uses MTA-STS where the recipient publishes it.
Backups. Backups are retained on encrypted storage inside the Kingdom (see "Backups" below).
Backups
Skyline runs automated daily backups of databases, configuration, and mailbox stores. Backups are retained inside the Kingdom of Saudi Arabia (Riyadh) on encrypted storage — nothing is shipped to an off-shore provider.
Retention is a rolling 30 days. In addition, database binary logging provides point-in-time recovery between daily snapshots.
Restoration of an individual mailbox to a point in time within the retention window is supported by Skyline operations on customer request through a Severity 2 ticket.
Authentication and access control
- Two-factor authentication (2FA) — supported via TOTP authenticator apps (Authy, Google Authenticator, 1Password, Bitwarden, etc.) with recovery codes. 2FA is mandatory for every account with administrative privileges — including tenant administrators — and strongly recommended for all users; an organization admin can enforce it tenant-wide.
- OAuth sign-in — Sign in with Google, Microsoft, or Apple via standards-based OAuth 2.0 / OpenID Connect.
- Session management — short authenticated sessions with idle timeout, plus a long-lived "remember me" option that re-authenticates without storing a recoverable secret.
- IP-based session security — sign-in events are recorded with the source IP, user agent, and approximate geographic origin, surfaced to the customer in the Security tab.
- Audit logging — administrative and authentication events on the tenant are recorded with actor, timestamp, source IP and target, including sign-in history surfaced in the Security tab.
- Skyline staff access — infrastructure access is restricted to SSH key-based authentication; password login is disabled and direct root password login is not permitted. Every privileged action is logged.
Mail-flow security
- SPF, DKIM, DMARC — generated automatically per domain. We ship sensible defaults that customers can tighten over time.
- BIMI — supported on Business plan for verified senders.
- Anti-spam and anti-phishing — multi-layer pipeline combining reputation, content, and behavioural signals. Decisions are made on metadata + transient body access; no message body is persisted to log storage.
- Antivirus — every message is scanned with an actively updated engine; infected attachments are stripped or quarantined per Customer policy.
- TLS reporting (TLSRPT) — we publish TLS-RPT for our domains and act on inbound aggregate reports.
Sub-processor transparency
The current sub-processor list is published in the Privacy Policy and is reproduced here for convenience:
- Oracle Cloud Infrastructure (Riyadh region) — primary compute, block storage, and networking.
- Cloudflare — DNS / anti-DDoS for the public marketing site only (the authenticated portal and all customer data do not proxy through Cloudflare).
- Moyasar / Neoleap — Saudi-licensed PCI-DSS Level 1 payment processing.
- ip-api.com — IP-to-country lookup for the security login log.
Customers receive at least 30 days' notice by email before a sub-processor is added or its scope is materially changed.
Vulnerability management and testing
- Continuous internal security checks — an automated compliance check maps our live technical controls to the NCA ECC/CCC, PDPL, CMA and SAMA frameworks and runs on a regular cadence; its output is our internal audit record.
- Independent penetration testing — third-party penetration testing is on our roadmap; the summary letter will be made available to enterprise customers under NDA once completed.
- Continuous dependency scanning — every code-change pull request runs SCA, SAST, and secret-detection checks.
- Patch management — operating-system, runtime, and application dependencies are tracked; high-severity patches are applied within 72 hours of public disclosure where the issue is exploitable in our configuration.
Coordinated security disclosure
If you have discovered a vulnerability in Skyline Cloud Email, please report it to security@alskyline.com. We commit to:
- Acknowledging the report within 2 business days.
- Providing an initial triage outcome within 5 business days.
- Crediting the reporter publicly (with consent) once a fix is deployed.
- Considering a discretionary financial reward for impactful, responsibly disclosed findings. We do not yet operate a formal bug-bounty programme, but we are happy to discuss compensation case-by-case.
We will not pursue legal action against a researcher who acts in good faith and within the spirit of coordinated disclosure: only test against accounts you own, do not access another customer's data, do not degrade Service availability, do not disclose publicly before we have shipped a fix or reasonable time has elapsed.
Incident response
Skyline maintains a documented incident-response runbook covering detection, containment, eradication, recovery, and post-incident review. A 24×7 on-call rotation responds to high-severity alerts.
In the event of a confirmed personal-data breach affecting customers, Skyline will notify the Saudi Data & Artificial Intelligence Authority (SDAIA) within 72 hours in accordance with the PDPL Implementing Regulations, and will notify each affected customer directly via the registered administrator email address.
Following a Severity 1 incident, Skyline publishes a post-mortem within five business days summarizing the root cause, customer impact, and corrective actions, available to affected customers on request.
Business continuity
Skyline operates with redundancy at every layer: stateless application instances behind a load balancer, replicated database storage, and snapshot-based recovery. Recovery objectives:
- RPO (recovery-point objective) — under 24 hours, anchored on the nightly backup window. Routine database replication achieves a much shorter window in practice.
- RTO (recovery-time objective) — a target of 4 hours for full-tenant restoration.
A documented disaster-recovery runbook is exercised at least annually.
People and process
- Background-checked staff. Every member of staff with production access has been background-checked.
- Confidentiality. All staff sign a confidentiality agreement covering Customer Content and operational telemetry.
- Least-privilege access. Production access is granted role-by-role, with separation of duties between developers, operators, and on-call responders.
- Security training. Annual refresher training on phishing, secret handling, secure coding, and incident response.
Questions and customer due diligence
Enterprise customers and prospects evaluating Skyline Cloud Email may request the following materials:
- A current security questionnaire response (SIG-lite or CAIQ).
- Sub-processor list with locations.
- Summary of the most recent external penetration test.
- Data Processing Addendum (DPA) under PDPL.
Please write to security@alskyline.com or legal@alskyline.com. We typically respond within 3 business days.