The PDPL & NDMO roadmap.
This page is maintained by SaiBrief and describes how we plan to align with Saudi Arabia's Personal Data Protection Law and the NDMO standards before general availability. It is not an independent certification, and the items marked "roadmap" are not in place in the current private beta.
Classification labels (NDMO-aligned, UI-only)
The four NDMO classification labels are rendered on documents, briefs and exports in the UI today. Server-side enforcement across access, sharing, watermarking, retention and audit is on the roadmap.
Cleared for public release. No handling restrictions.
Internal use only. Limited to authorized personnel.
Sensitive content. Need-to-know basis. Default for executive briefs.
Highest sensitivity. Named recipients only.
PDPL controls roadmap
Reference mapping. "Live in beta" means the control actually ships today; "Roadmap" means it is not in the current beta.
| PDPL article | Principle | How SaiBrief addresses it | Status |
|---|---|---|---|
| Art. 4 | Lawfulness, purpose limitation | Documents are processed to generate the requested brief and stored in your workspace until you delete them — nothing else. Workspace-level lawful-basis tracking is on the roadmap. | In design |
| Art. 5 | Data minimisation | Optional PII redaction step is drafted in the UI; no detection engine is wired up yet. | Roadmap (not in beta) |
| Art. 6 | Consent & lawful basis | Workflow planned for GA; not implemented in the private beta. | Roadmap (not in beta) |
| Art. 12 | Cross-border transfer | Today, documents and briefs are stored with Supabase outside KSA (Singapore region), and inference runs outside KSA via the Lovable AI Gateway and Google Gemini. In-Kingdom hosting is on the roadmap. | Roadmap (not in beta) |
| Art. 13 | Notification of breach | Informal email notification to design partners. Formal 72-hour notification process planned for GA. | In design |
| Art. 21 | Data subject rights | DSR workflow is on the roadmap. Manual handling via email during the beta. | Roadmap (not in beta) |
| Art. 25 | Records of processing (ROPA) | Will be generated from the server-side audit log once that ships. | Roadmap (not in beta) |
| Art. 31 | Data Protection Officer | A named DPO and contact channel will be appointed before GA. | Roadmap (not in beta) |
| Art. 33 | DPIA for high-risk processing | DPIA template is planned for executive-grade workspaces. | Roadmap (not in beta) |
NDMO standards mapping
Data Classification Policy
Four-tier classification labels (Public / Restricted / Confidential / Secret) are rendered in the UI today. Server-side enforcement is on the roadmap.
Data Catalog & Metadata
Live: per-document metadata (name, type, size, classification, processing status) is persisted in the workspace.
Data Quality Management
Live: every generated brief includes paragraph-level citations and confidence indicators. Reviewer sign-off is a UI preview only, not yet a server-side workflow.
Data Architecture & Modelling
Partial: each workspace's data is logically isolated with Postgres row-level security. Dedicated single-tenant deployments are planned.
Personal Data Protection
Planned. PII detection and a DSR workflow are on the roadmap.
Open Data
Out of scope for the private beta.
Data subject rights — interim process
During the private beta, DSR requests are handled by email. The in-app workflow and a formal SLA are planned for GA.
- 1
Request received
During the beta, submit a request via the contact form.
- 2
Identity verified
Out-of-band confirmation with the workspace owner.
- 3
Scope assessed
We confirm the request type (access, correction, erasure, portability).
- 4
Action executed
Data exported, corrected, or deleted to the extent the current beta permits.
- 5
Response delivered
Email confirmation. A formal in-app workflow with an SLA is planned for GA.
Data handling & retention (today)
- Persistence. Documents you upload and the briefs generated from them are stored in our Supabase-hosted database and private file storage (currently in the Singapore region) until you delete them.
- Deletion. Deleting a document permanently removes the stored file, the document record, and every brief and brief version generated from it. There is no recycle bin.
- AI processing. Document text is sent to Google Gemini via the Lovable AI Gateway only to generate the brief you request; per the gateway's processor terms it is not used for model training.
- Not yet built. Configurable retention windows, automatic expiry, and export controls are planned for GA.
Contacts
- Security & DSR — via the contact form
A dedicated, monitored security mailbox and a named DPO will be published before general availability. Until then, the contact form is the reliable channel.
Become a design partner