# Saudi compliance & AI governance register (design-time)

**Not legal advice.** This is an engineering **readiness register** for building Dealix as a **Tier-1** operating system in KSA/GCC. Legal review remains required for production claims and customer contracts.

**Canonical trust model:** [trust-fabric.md](trust-fabric.md). **Product legal texts:** [`salesflow-saas/docs/legal/`](../../salesflow-saas/docs/legal/).

---
## 1. PDPL / personal data (design checklist)
When processing data that may identify individuals in the Kingdom:
- **Inventory** data categories, purposes, lawful basis, retention, subprocessors, and cross-border transfers (if any).
- **Minimize** collection; default deny for exports and bulk analytics on personal fields.
- **Consent and notices** aligned with product copy ([`salesflow-saas/docs/legal/consent-policy-ar.md`](../../salesflow-saas/docs/legal/consent-policy-ar.md), privacy / data protection docs).
- **AI-specific:** training, enrichment, search, scoring, messaging, and **logs** can all be processing — classify sensitivity (S0–S3) per [approval-policy.md](approval-policy.md) and route S2/S3 away from unreviewed third-party models/tools.
- **Subject rights / export:** define operational runbooks before offering enterprise SLAs.

**References (external):** Saudi PDPL / SDAIA knowledge center and official guidance — verify current text with counsel.

---
## 2. NCA cybersecurity posture (readiness, not certification)
Design so the platform **can** align with **ECC** and related cloud/data controls (**DCC**, **CCC**) as the customer tier demands:
- Asset inventory, patch cadence, access control, logging, incident response hooks.
- **Segregation** of prod/staging; break-glass for admin; audit streaming for long retention (pair with [github-and-release.md](github-and-release.md) audit notes).

**References (external):** NCA published controls and updates (e.g. ECC 2-2024 track) — map controls to features in an ADR when pursuing attestation.

---
## 3. AI governance (NIST + OWASP)
Use as a **risk and testing** frame for agentic features:

| Frame | Use in Dealix |
|-------|----------------|
| **NIST AI RMF** | Govern, map, measure, manage — tie to release gates and evidence packs |
| **NIST Generative AI profile** | Supplement for LLM-specific risks |
| **OWASP Top 10 for LLM Apps** | Prompt injection, insecure output handling, excessive agency, sensitive disclosure — explicit test cases in CI where feasible |

Pair with [trust-fabric.md](trust-fabric.md): red-team workflows, structured output validation, tool allowlists, and rollback plans for Class B / R2+.

**References (external):** NIST publications portal; OWASP LLM Top 10 and GenAI security project pages.

---
## 4. Arabic-first execution (product, not theme)
Beyond RTL UI:
- Arabic **classification** and **summaries** for internal notes where policy allows.
- **Partner memos** and **notification templates** with terminology normalization (sector-specific).
- **Retrieval quality** for Arabic queries (embedding model + chunking + evaluation).
- **Trust cues** in UX (support, compliance, local expectations).

See [design-and-arabic.md](design-and-arabic.md).

---
## 5. Review cadence
- **Quarterly:** re-read this register against shipped features and incident postmortems.
- **Per major release:** update PDPL/NCA mapping appendix when product surface area changes.

See also: [technology-radar-tier1.md](technology-radar-tier1.md), [`../execution-matrix-90d-tier1.md`](../execution-matrix-90d-tier1.md).