
PDPL & Data Residency: Hosting Your Data in Saudi Arabia

A practical guide to Saudi Arabia's Personal Data Protection Law (PDPL), the SDAIA cross-border transfer rules, and how to keep personal data resident in-Kingdom — with concrete steps for choosing a host, verifying data location, and configuring backups and DNS for compliance.

What PDPL means for where your data lives

Saudi Arabia's Personal Data Protection Law (PDPL) and its Implementing Regulations came into force on 14 September 2023, with a one-year grace period. Since 14 September 2024, every organization that processes the personal data of individuals in the Kingdom must be fully compliant. PDPL is enforced primarily by the Saudi Data and Artificial Intelligence Authority (SDAIA), alongside cybersecurity controls from the National Cybersecurity Authority (NCA).

PDPL does not flatly ban sending data abroad, but it makes in-Kingdom hosting the simplest path to compliance. The moment personal data leaves Saudi servers, you trigger the cross-border transfer regime — extra legal bases, paperwork, and risk assessments. Keeping data resident in-Kingdom removes most of that burden.

This tutorial explains the rules in plain terms and gives you concrete steps to host data so it stays inside Saudi Arabia.

The cross-border transfer rules in brief

In August 2024, SDAIA issued the Regulation on Personal Data Transfer Outside the Kingdom ("Transfer Regulations"). A transfer abroad is only lawful when it meets all of the following:

  • A permissible purpose — e.g. performing an agreement the Kingdom is party to, serving the Kingdom's interests, fulfilling an agreement with the data subject, central processing that enables the controller's activity, providing a service to the data subject, or scientific research.
  • An adequate level of protection in the destination, established by either an SDAIA adequacy decision for that country, or one of three appropriate safeguards:
    • Standard Contractual Clauses (SCCs) — SDAIA published its first set in 2024.
    • Binding Corporate Rules (BCRs) for intra-group transfers.
    • An approved certificate of accreditation.
  • Data minimization — transfer only the data necessary for the stated purpose.
  • A Transfer Risk Assessment (TRA) where required — for example, continuous or large-scale transfers of sensitive data, or transfers to jurisdictions/entities without an adequacy decision or certification. SDAIA published a Risk Assessment Guideline in February 2025 to structure this.

As of mid-2026, SDAIA has not yet published a public list of adequate countries. In practice that means transfers abroad usually rest on SCCs or BCRs plus a documented risk assessment — real, recurring compliance work. Hosting in-Kingdom sidesteps the entire chain.

Decision flow: do you even need a transfer?

Does the data identify or relate to a person in KSA?
        │
        ├── No ──► PDPL transfer rules largely not engaged
        │
        └── Yes ─► Will any copy (primary, backup, logs, CDN cache,
                   email, analytics) leave Saudi servers?
                        │
                        ├── No ──► In-Kingdom residency. Simplest path.
                        │
                        └── Yes ─► Cross-border regime: lawful purpose
                                   + adequacy/SCCs/BCRs + minimization
                                   + TRA where required.

The trap is the "Yes" branch leaking in unexpectedly — an offshore backup bucket, a CDN edge cache, a third-party email relay, or an analytics SDK can each constitute a transfer.

Step 1: Choose a host with verifiable in-Kingdom infrastructure

"Saudi company" is not the same as "Saudi data centre." Ask your provider, in writing, where the primary storage, backups, and logs physically sit. With Skyline Cloud the data stays on in-Kingdom infrastructure by default, with local Arabic support and PDPL/NCA-aligned operations. See our cloud hosting overview for product options spanning shared hosting, VPS/cloud servers, and dedicated servers.

Step 2: Verify the data's physical location

Don't take residency on faith — confirm it. Once your server or hosting is provisioned, resolve and trace it:

# Resolve your domain/host to an IP
dig +short app.example.sa

# Check the network owner / route of that IP
whois 203.0.113.10 | grep -iE 'country|netname|org'

# Confirm latency profile is consistent with in-Kingdom routing
mtr -rwc 20 app.example.sa

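whois should show a Saudi network operator and country: SA. The country field records where the address block is registered, so treat it as corroboration alongside the provider's written answer from Step 1. Very low, stable latency from a Riyadh/Jeddah/Dammam vantage point is a good corroborating signal. Repeat the check against your backup endpoint and any object-storage bucket, since these are the parts most often quietly offshored.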

Step 3: Keep backups and object storage in-Kingdom

A backup is a copy of personal data, so its location matters just as much as production. Configure backup targets to an in-Kingdom endpoint and verify:

# Example: list a backup/object-storage bucket and inspect the endpoint host
aws s3 ls s3://my-backup-bucket/ --endpoint-url https://s3.your-ksa-region.alskyline.com

# Confirm the endpoint resolves to in-Kingdom infrastructure
# (keep only IP addresses; dig +short also prints any CNAME targets)
dig +short s3.your-ksa-region.alskyline.com | grep -E '^[0-9.]+$' | xargs -n1 whois | grep -i country

If you use database dumps, ship them to local storage rather than a foreign region:

# bash: report a failed dump instead of masking it with the upload's exit status
set -o pipefail
mysqldump --single-transaction --routines mydb \
  | gzip | aws s3 cp - s3://my-backup-bucket/mydb-$(date +%F).sql.gz \
  --endpoint-url https://s3.your-ksa-region.alskyline.com

Step 4: Lock down DNS, email and TLS

Three commonly overlooked transfer vectors:

| Vector | Risk | In-Kingdom fix |
|---|---|---|
| Email | Mailboxes/relays processing customer PII abroad | Use in-Kingdom business email hosting |
| DNS | Operationally fine globally, but keep authority controlled | Use managed DNS with audited access |
| TLS / certificates | Misconfig exposes data in transit | Enforce TLS 1.2+ and HSTS |

Verify your published mail and TLS posture:

# Check MX records point to your in-Kingdom mail host
dig +short MX example.sa

# Confirm SPF is published (helps deliverability and anti-spoofing)
dig +short TXT example.sa | grep -i spf

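# Verify the live certificate (issuer and validity dates)
openssl s_client -connect example.sa:443 -servername example.sa < /dev/null 2>/dev/null \
  | openssl x509 -noout -issuer -dates

# Confirm the negotiated TLS version and cipher
openssl s_client -connect example.sa:443 -servername example.sa < /dev/null 2>/dev/null | grep -E 'Protocol|Cipher is'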

Step 5: Document residency for your records

PDPL is evidence-driven. Keep a short, current record showing: data categories processed, where each copy lives (production, backup, logs, email), the legal basis for processing, and confirmation that no copy leaves the Kingdom. If a transfer ever does become necessary, this record is the foundation of your TRA and your choice of safeguard.
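
The whois checks from Steps 2 to 4, applied to every copy of the data and turned into one record line per copy, as an added example that is not part of the original article or Skyline's tooling. The function names, labels and whois excerpts are constructed; `live_whois` shows the real lookup but is not called, so the demo runs offline.

```shell
#!/bin/sh
# Added example (not from the article): one residency verdict per data copy.
# Function names, labels and whois excerpts are constructed for illustration.

# Distinct country codes in whois text on stdin. Registry output can carry
# several "country:" lines (network, organisation, contacts); collect them all.
whois_countries() {
  awk -F: 'tolower($1) == "country" { gsub(/[ \t\r]/, "", $2); print toupper($2) }' \
    | sort -u | paste -sd, -
}

# In-Kingdom only when every country field says SA. The field records where
# the address block is registered, so this corroborates the provider's answer.
classify() {
  case "$1" in
    "") echo UNKNOWN ;;          # no country field: confirm with the provider
    SA) echo IN_KINGDOM ;;
    *)  echo TRANSFER_REVIEW ;;  # foreign or mixed: check the transfer rules
  esac
}

# One tab-separated record line: label, country codes, verdict.
audit_copy() {   # $1 = label; whois text on stdin
  cc=$(whois_countries)
  printf '%s\t%s\t%s\n' "$1" "${cc:--}" "$(classify "$cc")"
}

# Live lookup for real use; not called below so the demo runs offline.
live_whois() {
  dig +short "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | xargs -n1 whois
}

# Constructed whois excerpts for three copies of the same data set.
sample_prod()   { printf 'netname: EXAMPLE-KSA\ncountry: SA\norg-name: Example Hosting\ncountry: SA\n'; }
sample_backup() { printf 'OrgName: Example Object Storage\nCountry: US\n'; }
sample_cdn()    { printf 'netname: EXAMPLE-EDGE\ncountry: SA\norganisation: ORG-EX1\ncountry: NL\n'; }

sample_prod   | audit_copy production
sample_backup | audit_copy backup
sample_cdn    | audit_copy cdn-cache
# Real use: live_whois app.example.sa | audit_copy production
```

A mixed result such as `NL,SA` is deliberately sent to review: a network record that names SA next to an organisation record that names another country is exactly the case the provider should explain in writing.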

A practical residency checklist

  • [ ] Primary hosting confirmed in-Kingdom (verified via whois/dig).
  • [ ] Backups and object storage point to in-Kingdom endpoints.
  • [ ] Email/PII processing handled by an in-Kingdom mail host.
  • [ ] No offshore CDN cache or analytics holds personal data.
  • [ ] TLS 1.2+ enforced; certificates valid and monitored.
  • [ ] A residency/processing record is written down and kept current.

Where Skyline fits

Skyline (alskyline.com) is a Saudi, in-Kingdom provider offering cloud hosting, VPS and dedicated servers, cPanel/web and managed WordPress hosting, business email, .sa domains, SSL, managed DNS, cloud backup and object storage — all with data residency in the Kingdom and local Arabic support. For the broader picture of sovereign cloud and compliance in Saudi Arabia, see our sovereign cloud KSA hub.

Keeping personal data in-Kingdom is the most reliable way to satisfy PDPL without building a recurring cross-border compliance program. Sign up for Skyline Cloud and provision in-Kingdom hosting in minutes.

This article is general guidance, not legal advice. Consult a qualified Saudi data-protection advisor for your specific obligations.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
