Governance as a first-class feature.
ARIA is built for KSA's regulatory expectations — not retrofitted to them. Every surface, every mutation, every promotion window is designed to be auditable, reversible, and explainable to the DPO, the regulator, and the end user.
PDPL-Aligned
Consent, retention, and DSAR handling that matches SDAIA's register.
PDPL Articles 9–15 are wired into the platform. Consent is recorded per purpose with timestamps and IP truncation. Withdrawal is one click. DSAR intake lives at /legal/data-rights and is a single server action away from an auditable intake record.
Lawful basis documented per processing purpose (consent, contract, legal obligation).
Explicit consent per purpose — advisory, marketing, SMS, WhatsApp, cookies split.
IP truncation to /24 (IPv4) and /48 (IPv6) on all consent records.
Append-only consent ledger — withdrawals never mutate the original grant row.
Active DSAR tooling: export, rectification, erasure request, portability.
DPO contact published in platform business-config; pass-through to institutional tenants.
Public DSAR intake at /legal/data-rights — no account needed to file a request.
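The two record-level controls above (IP truncation to /24 and /48, and an append-only consent ledger in which a withdrawal is a new row rather than an edit) are shown together below. This is an added illustration, not ARIA's own code; the purpose identifiers and the in-memory list standing in for the ledger table are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Consent purposes split as the page lists them (identifiers are assumed).
PURPOSES = frozenset({"advisory", "marketing", "sms", "whatsapp", "cookies"})


def truncate_ip(ip: str) -> str:
    """Return the /24 (IPv4) or /48 (IPv6) prefix containing `ip`, host bits zeroed."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


@dataclass(frozen=True)          # frozen: a stored row cannot be mutated in place
class ConsentEvent:
    subject_id: str
    purpose: str
    action: str                  # "grant" or "withdraw"
    recorded_at: datetime
    ip_prefix: str               # already truncated; the full address is never stored


class ConsentLedger:
    """Append-only ledger: rows are only ever added, never updated or deleted."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []   # stand-in for the ledger table

    def _append(self, subject_id: str, purpose: str, action: str,
                ip: str, at: Optional[datetime]) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown consent purpose {purpose!r}")
        ev = ConsentEvent(subject_id, purpose, action,
                          at or datetime.now(timezone.utc), truncate_ip(ip))
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purpose: str, ip: str,
              at: Optional[datetime] = None) -> ConsentEvent:
        return self._append(subject_id, purpose, "grant", ip, at)

    def withdraw(self, subject_id: str, purpose: str, ip: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # A withdrawal is a new row; the original grant row is left untouched.
        return self._append(subject_id, purpose, "withdraw", ip, at)

    def is_active(self, subject_id: str, purpose: str) -> bool:
        """Current consent state is decided by the latest event for the pair."""
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Complete trail for one subject, e.g. for a DSAR export."""
        return [ev for ev in self._events if ev.subject_id == subject_id]
```

Because the grant row survives the withdrawal, the trail answers "was consent valid at the time the message was sent?" as well as "is it valid now?", which is what a DPO or regulator will ask.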
Encryption + Audit
Defense in depth — from column to claim.
Transport
TLS 1.3 everywhere. HSTS preload candidate. Cloudflare in front of AWS ALB with WAF managed rulesets.
Credentials at rest
Column-level encryption in demo and pilot workspaces. AWS Secrets Manager with KMS envelope in production.
Audit trail
Every material change creates an audit event; evidence is tamper-evident for authorized reviewers.
Data residency
Primary DB + backups in AWS me-south-1 (Bahrain). Cross-border transfers only to documented sub-processors with executed DPAs.
Identity
Nafath for Saudis. OTP for everyone. 2FA where it matters.
Nafath KYC
Saudi national ID + Iqama (10-digit) → Nafath mobile-app approval → signed in. Demo access code is available for presenter-led walkthroughs.
Email-OTP
6-digit code, 10-minute TTL. Resend logic with abuse limits. Demo mode shows the code in-app for walkthroughs.
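The OTP rules just described (6-digit code, 10-minute TTL, resend abuse limits, demo mode exposing the code in-app) as an added, self-contained sketch. It is not ARIA's implementation; the resend window, resend cap and attempt cap are assumed values, and the injectable clock exists only so the expiry logic can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

OTP_TTL_SECONDS = 600            # 10-minute TTL, as stated on the page
MAX_SENDS_PER_WINDOW = 3         # assumed resend cap
SEND_WINDOW_SECONDS = 3600       # assumed resend window
MAX_VERIFY_ATTEMPTS = 5          # assumed guess cap per issued code


class OtpRateLimited(Exception):
    """Raised when an address has exhausted its resend budget."""


@dataclass
class OtpRecord:
    code_hash: str
    expires_at: float
    attempts: int = 0


def _digest(email: str, code: str) -> str:
    # Hashing keeps the plaintext code out of the store; with only 10^6
    # possible codes the real defences are the TTL and the attempt cap.
    return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()


class EmailOtpService:
    def __init__(self, clock: Callable[[], float] = time.time,
                 demo_mode: bool = False) -> None:
        self._store: Dict[str, OtpRecord] = {}
        self._sends: Dict[str, List[float]] = {}
        self._clock = clock
        self.demo_mode = demo_mode

    def send(self, email: str) -> Optional[str]:
        """Issue a fresh code; returns it only in demo mode (otherwise None)."""
        now = self._clock()
        recent = [t for t in self._sends.get(email, [])
                  if now - t < SEND_WINDOW_SECONDS]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            raise OtpRateLimited(email)
        code = f"{secrets.randbelow(10 ** 6):06d}"        # uniform 6 digits
        self._store[email] = OtpRecord(_digest(email, code), now + OTP_TTL_SECONDS)
        recent.append(now)
        self._sends[email] = recent
        # Production delivers the code by email and never returns it to the caller.
        return code if self.demo_mode else None

    def verify(self, email: str, code: str) -> bool:
        rec = self._store.get(email)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:              # TTL elapsed
            del self._store[email]
            return False
        rec.attempts += 1
        if rec.attempts > MAX_VERIFY_ATTEMPTS:           # too many guesses
            del self._store[email]
            return False
        ok = hmac.compare_digest(rec.code_hash, _digest(email, code))
        if ok:
            del self._store[email]                       # single use
        return ok
```

Resend and verification budgets are tracked separately: a user who genuinely did not receive the first email can ask again a few times, while a guesser burns through the attempt cap on a single issued code and is then forced back through the resend limiter.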
2FA (TOTP)
Mandatory for institutional accounts (admin + IC roles). Optional for consumer accounts. Backup codes generated on enrollment.
Regulator Posture
Reading where it matters; writing only where authorised.
SAMA
Saudi Central Bank. ARIA carries an "informational" or "advisory" posture per tenant business-config. Advisory only after a signed addendum.
REGA
Real Estate General Authority. Read-mode adapter for ownership and zoning data.
Wafi
Off-plan sales regulator. Read-mode adapter for escrow milestone tracking.
SIMAH
Saudi Credit Bureau. Pre-approval flow for mortgage tier (B2C Pro+).
ZATCA
Tax authority. E-invoicing compliant in production.
Progressive Go-Live
Three readiness states, enforced by controls.
The platform refuses promotion until every regulatory, security, and operational gate closes. Client demo, Pilot, and Production states are controlled releases, and every promotion creates a tamper-evident governance event that the DPO can verify.
Simulated providers + sample data
Simulated integrations and sample data for guided walkthroughs. Commercial signup remains closed until the account is approved.
Real KYC + sandboxes
Real KYC, SMS, and payment sandboxes for selected tenants. Pilot users see their own data while sample workspaces remain available for demos.
All providers live
All providers live. Public signup on aria.sa. SAMA / CMA opinion in hand; ZATCA e-invoicing certified. Sample rows are removed from production workspaces.
Controls: readiness gates · Promotion model available during diligence.
Incident Posture
If something goes wrong, you'll hear from us first.
On-call via PagerDuty from Live onwards. SEV-1 notifications to tenant admins inside 4 hours of confirmation. SDAIA breach notifications within the 72-hour PDPL requirement. Public post-mortems on the status page for any customer-facing incident.
SEV-1 — customer-facing outage
4h tenant-admin notification · status page updated every 30m · post-mortem within 7 days.
SEV-2 — degraded feature
24h tenant-admin notification · status page updated daily · remediation ETA published.
SEV-3 — scoped bug
Tracked in issue queue · resolved on release cadence · release notes summarize fix.
DPO, Counsel, or Reviewer
DPO, counsel, or reviewer?
We can share our PIA draft, sub-processor list, cross-border assessment, and retention schedule under NDA. Reply via your tenant admin contact and we'll send the current pack.
