Procurement-ready answers, in one place.
Your CISO, HR Director, and procurement team need to defend the choice of Rosterna in five minutes. This page is for them.
Your data lives in Riyadh.
All Rosterna multi-tenant infrastructure runs in AWS me-central-1 (Riyadh). No Saudi PII leaves the Kingdom. Backups stay in-region. The CST Cloud Computing Regulatory Framework Level 2 alignment statement is downloadable below.
Personal Data Protection Law compliance
Registered Data Controller. DPIA on file. 72-hour breach notification procedure. DSAR self-serve for any data subject. Cross-border transfers blocked unless SDAIA-approved.
Named Data Protection Officer
A KSA-resident DPO is being appointed and will be named publicly here once formal designation is filed. Contact in the meantime: hello@rosterna.sa with subject 'DPO'.
NCA controls matrix
Controls mapped 1:1 to the National Cybersecurity Authority Essential Cybersecurity Controls. Downloadable as PDF + JSON for your security architects.
Type 1 — Q4 2027 target
SOC 2 Type 1 audit with a major Saudi audit firm targeted for Q4 2027. Type 2 to follow within 18 months.
Pre-signed Data Processing Addendum
A pre-signed DPA is ready for download — no back-and-forth required for procurement teams. Aligns with PDPL controller-processor obligations.
AES-256 + BYOK on Compliance Pro
AES-256 at rest, TLS 1.3 in transit. National ID, Iqama number, and salary fields encrypted at the column level. Enterprise customers can bring their own KEK in AWS KMS.
Hash-chained immutable log
Every state change writes an immutable event into a SHA-256 hash chain. Exportable to your SIEM in JSON, CEF, or LEEF. Tampering breaks the chain — verifiable.
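A customer-side check of the tamper-evidence property described above, as an added example that is not Rosterna's code. The export schema is not given on this page, so the field names `body`, `prev_hash` and `hash`, the all-zero genesis value, and the construction (SHA-256 over the previous hash plus canonical JSON) are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first event in a chain

def event_hash(prev_hash, body):
    # Canonical JSON so the same event always serialises to the same bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()

def build_chain(bodies):
    """Producer side: link each event to the hash of the one before it."""
    chain, prev = [], GENESIS
    for body in bodies:
        digest = event_hash(prev, body)
        chain.append({"body": body, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def verify_chain(events, expected_head=None):
    """Consumer side: return (ok, index of first bad event or None, reason)."""
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev.get("prev_hash") != prev:
            return False, i, "prev_hash does not match the preceding event"
        if event_hash(prev, ev.get("body")) != ev.get("hash"):
            return False, i, "body does not match the recorded hash"
        prev = ev["hash"]
    # Dropping events from the tail leaves a valid shorter chain, so the last
    # hash must be compared with a head value recorded outside the log.
    if expected_head is not None and prev != expected_head:
        return False, len(events), "head differs from the recorded head"
    return True, None, "ok"

# Constructed sample events, not real Rosterna output.
SAMPLE = build_chain([
    {"seq": 1, "actor": "hr.admin", "action": "shift.create", "shift": "S-100"},
    {"seq": 2, "actor": "hr.admin", "action": "shift.assign", "employee": "E-7"},
    {"seq": 3, "actor": "payroll", "action": "salary.update", "employee": "E-7"},
])
HEAD = SAMPLE[-1]["hash"]

if __name__ == "__main__":
    print(verify_chain(SAMPLE, HEAD))             # intact export
    print(verify_chain(SAMPLE[:1] + SAMPLE[2:]))  # middle event removed
    print(verify_chain(SAMPLE[:2], HEAD))         # tail truncated
```

Storing the latest head hash in the SIEM at each export is what lets a later verification detect a truncated or wholly rewritten log.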
Found a vulnerability?
We work with researchers in good faith. Disclose privately at the address below; we acknowledge within 48 hours and credit you on our security page if you wish.
security@rosterna.sa