
Legal note: The Arabic version of this document is the legally binding version.

PDPL & data residency

Last updated: 1 January 2026 · v1.0

1. PDPL summary

Estardat is committed to compliance with the Kingdom of Saudi Arabia's Personal Data Protection Law (PDPL). This page summarises our practical commitments; the full Privacy Notice applies in detail.

2. KSA-only data residency

All personal and operational data is stored only within the Kingdom of Saudi Arabia, on AWS Riyadh (me-central-1), including all backups and disaster-recovery copies. Cross-border transfers are not used for production data.

3. SAMA alignment

Estardat aligns its payment, settlement and operational controls with the regulatory expectations of the Saudi Central Bank (SAMA).

4. Nafath verification

Debtor identity is verified through Nafath before sensitive actions (e.g. accessing case details, making a payment over a threshold, entering a negotiation, or changing contact information).

5. Lawful basis

Processing relies on legitimate interests for marketplace operation, contractual necessity with each party, and legal obligations for record-keeping. Sensitive operations require explicit verification.

6. Data-subject rights

Access, correction, deletion (subject to retention obligations), restriction of processing, and the right to lodge a complaint with the competent authority.

7. Data Protection Officer

Data Protection Officer: dpo@estardat.sa