Governance as a first-class feature.
ARIA is built for KSA's regulatory expectations — not retrofitted to them. Every surface, every mutation, every promotion window is designed to be auditable, reversible, and explainable to the DPO, the regulator, and the end user.
PDPL-aligned
Consent, retention, and DSAR handling that matches SDAIA's register.
- Lawful basis documented per processing purpose (consent, contract, legal obligation)
- Explicit consent per purpose — advisory, marketing, SMS, WhatsApp, cookies split
- IP truncation to /24 (IPv4) and /48 (IPv6) on all consent records
- Append-only consent ledger — withdrawals never mutate the original grant row
- Active DSAR tooling: export, rectification, erasure request, portability
- DPO contact published in platform business-config; pass-through to institutional tenants
Encryption + audit
Defense in depth — from column to claim.
Transport
TLS 1.3 everywhere. HSTS preload candidate. Cloudflare in front of AWS ALB with WAF managed rulesets.
Credentials at rest
pgcrypto column encryption in Preview/Beta (ADR 0015). AWS Secrets Manager with KMS envelope in Live.
Audit chain
Every mutation writes an audit event; events are hash-chained (ADR 0005) so tampering is detectable by anyone with read access.
Data residency
Primary DB + backups in AWS me-south-1 (Bahrain). Cross-border transfers only to documented sub-processors with executed DPAs.
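A minimal sketch of the hash-chained, append-only audit log described under "Audit chain", with the /24 and /48 IP truncation applied to consent events. This is an added example, not ARIA's code or the ADR 0005 format: SHA-256, the canonical-JSON encoding, the all-zero genesis value, and every field and function name are assumptions, and the sample events are constructed.

```python
import hashlib
import ipaddress
import json

GENESIS = "0" * 64  # assumed prev_hash for the first event in the chain


def truncate_ip(addr: str) -> str:
    """Truncate to /24 (IPv4) or /48 (IPv6) before the address is stored."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def event_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same payload always produces the same digest.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain: list, payload: dict) -> None:
    """Append only: a withdrawal is a new row, never an update of the grant."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "payload": payload,
                  "hash": event_hash(prev, payload)})


def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad event."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["prev_hash"] != prev or ev["hash"] != event_hash(prev, ev["payload"]):
            return i
        prev = ev["hash"]
    return -1


def build_sample_chain() -> list:
    # Constructed sample events; addresses come from documentation ranges.
    chain = []
    append_event(chain, {"type": "consent.grant", "purpose": "sms",
                         "subject": "user-1", "ip": truncate_ip("203.0.113.77")})
    append_event(chain, {"type": "consent.withdraw", "purpose": "sms",
                         "subject": "user-1", "ip": truncate_ip("2001:db8:aa:bb::1")})
    append_event(chain, {"type": "app_mode.promote", "from": "preview", "to": "beta"})
    return chain
```

Editing or deleting any stored row makes `verify_chain` return the index where the chain first breaks. A reader can only detect a wholesale rewrite of the chain by comparing the latest hash against a copy recorded outside the database.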
Progressive Go-Live
Three app modes, enforced in code.
The app refuses promotion until every regulatory, security, and operational gate closes. Preview, Beta, and Live are runtime states — not environments — and every promotion writes a hash-chained audit event that the DPO can verify.
Preview
All stub/sandbox providers. Seeded data only. Invite-code signup off. Dummy-markers visible on every business-config field.
Beta
Real KYC, SMS, payments sandboxes. Invite-code signup on. Beta cohort sees real data; seeded tenants preserved for demo.
Live
All providers live. Public signup on aria.sa. SAMA/CMA opinion in hand; ZATCA e-invoicing certified. Seeded rows auto-purged.
Implementation: packages/config/app-mode. See ADR 0013 for the promotion decision model.
Incident posture
If something goes wrong, you'll hear from us first.
On-call via PagerDuty from Live onwards. SEV-1 notifications to tenant admins inside 4 hours of confirmation. SDAIA breach notifications within the 72-hour PDPL requirement. Public post-mortems on the status page for any customer-facing incident.
SEV-1 — customer-facing outage
4h tenant-admin notification · status page updated every 30m · post-mortem within 7 days
SEV-2 — degraded feature
24h tenant-admin notification · status page updated daily · remediation ETA published
SEV-3 — scoped bug
Tracked in issue queue · resolved on release cadence · release notes summarize fix
DPO, counsel, or reviewer?
We can share our PIA draft, sub-processor list, cross-border assessment, and retention schedule under NDA. Reply via your tenant admin contact and we'll send the current pack.