Enterprise
Honest answers to the questions enterprise buyers typically ask about SSO, certifications, isolation, and scaling.
Auth and access control
- SSO — standards-based SSO with common enterprise identity providers
- RBAC — three main customer/operator roles:
tenant,tenant_admin,super_admin, plus a separate read-onlyregulatorrole when provisioned - Key management — scoped API keys with immediate revocation and role-aware access
Multi-tenancy isolation
Tenants are isolated at every layer: cryptographic (per-tenant derived key), access control (tenant-bound keys), logging (tenant-tagged), policy (per-tenant config), and rate limiting (independent buckets).
Compliance and certifications
- Saudi PDPL — designed for compliance; not legally certified
- SOC 2 Type II — controls implemented; audit planned
- ISO 27001 — controls implemented; certification planned
Important: DataSitr is designed to help organizations comply with PDPL. It does not itself grant compliance.
Data residency and privacy
- All PII, vault data, compliance records, and API keys are stored in Saudi Arabia
- Only green-lane anonymized text leaves the Kingdom; amber/red paths depend on operator-configured in-Kingdom providers
- All processing can be forced onto configured in-Kingdom paths via
force_in_kingdom, otherwise the request is rejected - Encryption: AES-256-GCM at rest, TLS 1.2/1.3 in transit
Availability and SLAs
No contractual SLA exists yet. As of April 6, 2026, the live public path had dated proof that planned maintenance continuity succeeded. Treat that as continuity evidence, not as a broad availability or automatic-failover claim. Separate dated proof packs also cover auth survivability, isolated restore recovery, and restored-state cutover. Current support runs through a direct operator channel.
Scaling path
- Pilot (1-10 tenants) — a simplified Saudi-hosted operating path for initial evaluation, not a standalone description of the current public runtime
- Growth (10-50) — multi-worker shared-state with dated continuity evidence and explicit claim boundaries
- Enterprise (50+) — stronger monitoring, stronger audit materials, and broader security review, with broader availability claims remaining a separate proof step
Gaps we are honest about
- No SOC 2 / ISO 27001 certification — audit planned
- No contractual SLA — planned for production tiers
- No formal support tiers — direct operator support today
- Uniform provider-token streaming across every upstream path — on roadmap
- Final immutable-evidence retention configuration is still being finalized