🇸🇦 Data Residency

A non-negotiable compliance constraint of the Saudi Personal Data Protection Law (PDPL) is data sovereignty. All personal, financial, and operational records must remain physically stored and processed inside the Kingdom of Saudi Arabia.


1. Zero Cross-Border Transfer Guarantee

BayanCore's cloud infrastructure prevents any outbound flow of transaction data:

  • Closed-Loop System: We do not utilize external SaaS platforms or public API services (e.g. US-based LLM APIs, external analytics, or global CDN loggers) that process data outside KSA boundaries.
  • Encrypted Domestic Backups: System database backups and document storage are replicated strictly between regional OCI hubs within the Kingdom.
  • AI Inference Boundaries: Our retrieval pipeline (RAG) and GPU inference models (such as Llama-3) run entirely on local OCI compute shapes inside Riyadh data centers. No text embeddings or customer invoices are transferred to foreign AI APIs.

2. Local Cloud Regions (OCI ap-riyadh-1 & ap-jeddah-1)

BayanCore relies on Oracle Cloud Infrastructure (OCI) KSA nodes to manage regional high availability and disaster recovery:

[OCI Riyadh Region (ap-riyadh-1)] ──(Async DB Replication)──> [OCI Jeddah Region (ap-jeddah-1)]
       (Primary Workload)                                            (Disaster Recovery)

Primary Node (Riyadh - ap-riyadh-1)

  • Hosts active production Kubernetes clusters (OKE), relational databases (MariaDB), search indexes (OpenSearch), and cache pools (Redis).
  • All web traffic routes through the OCI Web Application Firewall (WAF) deployed at edge locations in Riyadh.

DR Node (Jeddah - ap-jeddah-1)

  • Maintains passive container replicas and hot standby databases.
  • Database Sync: Production databases execute asynchronous block replication to the Jeddah node hourly.
  • Object Replication: Documents uploaded to OCI Object Storage in Riyadh are synced to Jeddah automatically.

3. Sovereign Infrastructure Audits

To prove compliance to regulatory auditors (SDAIA, CST, NCA):

  • Local Traffic Isolation: OCI Virtual Cloud Network (VCN) route tables programmatically block outbound traffic to IP addresses outside Saudi Arabia.
  • Security Logs: Audit trails log the geographical endpoints of all administrative access (bastion SSH sessions and developer logons), ensuring only local operators manage the core infrastructure.
  • Third-Party Audits: System configurations are audited annually by certified local security firms to maintain Class C cloud service classification under CST guidelines.
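
An auditor can spot-check the Local Traffic Isolation and Security Logs controls above with a script like the following, which is an added example and not BayanCore's own tooling. The approved prefixes are constructed placeholders (documentation ranges), and the record field names are hypothetical rather than an OCI export format.

```python
import ipaddress

# Constructed placeholder ranges standing in for the operator's approved
# in-Kingdom prefixes (RFC 5737 documentation blocks plus a private VCN range).
ALLOWED_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("10.0.0.0/16", "198.51.100.0/24", "203.0.113.0/24")]

def inside_allowed(value):
    """True if an address or CIDR lies wholly inside one approved prefix."""
    net = ipaddress.ip_network(value, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in ALLOWED_PREFIXES)

def audit_route_rules(rules):
    """Return route rules whose destination is not fully covered by the allow-list.
    A default route (0.0.0.0/0) always fails: it covers every foreign address.
    A supernet of an approved prefix also fails, because it reaches beyond it."""
    return [r for r in rules if not inside_allowed(r["destination"])]

def audit_admin_sessions(events):
    """Return admin access events whose source address is outside the allow-list."""
    return [e for e in events if not inside_allowed(e["source_ip"])]

# Constructed sample records (hypothetical field names).
SAMPLE_ROUTES = [
    {"table": "rt-app", "destination": "10.0.2.0/24", "target": "local"},
    {"table": "rt-app", "destination": "198.51.100.0/25", "target": "drg"},
    {"table": "rt-app", "destination": "0.0.0.0/0", "target": "nat-gateway"},
    {"table": "rt-db", "destination": "198.51.0.0/16", "target": "drg"},
]
SAMPLE_SESSIONS = [
    {"user": "ops1", "kind": "bastion-ssh", "source_ip": "203.0.113.44"},
    {"user": "dev7", "kind": "console-logon", "source_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    for r in audit_route_rules(SAMPLE_ROUTES):
        print("ROUTE VIOLATION", r["table"], r["destination"], "->", r["target"])
    for e in audit_admin_sessions(SAMPLE_SESSIONS):
        print("ACCESS VIOLATION", e["user"], e["kind"], e["source_ip"])
```

The check is containment, not overlap: a route wider than an approved prefix is reported even though part of it is in range.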