Trust & compliance

Data Residency

Last updated: [effective date] · How and where PropertFlow hosts and processes data.

Data residency is foundational to PropertFlow — designed in from the first record, not retro-fitted. This page explains where your data lives, how we treat data that must cross a border, and how we align with the Kingdom’s requirements.

صُمّم خصّيصاً للمملكة العربية السعودية

Our commitment

We build PropertFlow so that the personal data your organisation entrusts to the platform is hosted and processed inside the Kingdom of Saudi Arabia, consistent with the Personal Data Protection Law (PDPL) and its Implementing Regulations.

Verify before publishing. Only state in-Kingdom hosting as a present fact once it is actually in place. If full in-Kingdom hosting is still being rolled out, describe it as our committed roadmap with a target date rather than as current state.

Where your data is hosted

Production data for the PropertFlow platform is hosted with [hosting provider / cloud] in [data-centre region — e.g. AWS Middle East (Riyadh)], located within the Kingdom of Saudi Arabia. This includes [databases, file storage, backups, and audit logs].

Our public marketing website (propertflow.com) and the enquiries submitted through it are processed using AWS in the [AWS region, e.g. Middle East (Bahrain)] region. See our Privacy Policy for what we collect on the website.

What stays in the Kingdom

Customer and tenant records, contracts and documents;
Primary databases and the backups taken from them;
Audit and activity logs;
[any other categories you commit to keeping in-Kingdom].

Cross-border processing

Where any processing must take place outside the Kingdom — for example, a specific sub-processor service — we keep it to the minimum necessary, apply safeguards consistent with the PDPL, and disclose it in the sub-processor list below. [List any current cross-border processing, or state “none” if all processing is in-Kingdom.]

Sub-processors

We use a limited set of vetted service providers under data-protection terms. Our current sub-processors include:

Amazon Web Services (AWS) — cloud hosting and the form-handling function, in the [region(s)] region(s);
Resend — delivery of contact-form emails (processed outside the Kingdom — disclose and safeguard under PDPL);
[any other sub-processors — analytics, support tooling, etc.].

We maintain an up-to-date list and will make material changes available to customers as set out in their agreement.

AI features

Where PropertFlow offers AI-assisted features (such as the in-app copilot), [describe exactly how AI requests are handled — e.g. processed within the Kingdom, the model provider used, whether customer personal data is sent to it, and any customer opt-out].

Verify before publishing. Describe AI data flows precisely and truthfully — this is a sensitive area for PDPL and for customer trust. Do not imply on-shore AI processing unless that is genuinely the case, and document any opt-out.

Access and sovereignty

Access to production data is restricted to authorised personnel on a need-to-know basis, protected by authentication and access controls, and logged. [Describe any restrictions on who may access data and from where, e.g. support-access controls.]

Certifications and compliance

PropertFlow aligns its practices with the PDPL and applicable Saudi regulations. [List only certifications or attestations you actually hold — e.g. ISO 27001 — or remove this section until certified.]

Do not over-claim. Never list a certification, standard, or regulatory approval you have not obtained.

Changes

We may update this statement as our infrastructure and the regulatory landscape evolve. The “last updated” date above shows the current version.

Questions

For details about data residency for your organisation, please reach us via our contact form.