Privacy Policy

Last Updated: February 7, 2026

Introduction

ArabAudit ("we," "our," or "us") is committed to protecting the privacy and security of your information. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our AI-powered audit compliance platform.

As a Saudi-native platform serving organizations subject to NCA ECC-2024, SAMA CSF, and PDPL regulations, we understand the critical importance of data protection and regulatory compliance.

Information We Collect

We collect information that you provide directly to us, as well as information automatically collected when you use our platform:

Account Information: Name, email address, organization details, role, and contact information
Audit Evidence: Documents, log files, screenshots, configurations, and other evidence you upload for compliance analysis
Technical Data: IP addresses, browser type, device information, and usage patterns
Communication Data: Messages, support requests, and feedback you provide
Framework Selections: Your chosen regulatory frameworks (NCA, SAMA, PDPL) and compliance requirements

How We Use Your Information

We use the information we collect to provide, maintain, and improve our services:

AI Analysis: Process your evidence through our AI engine to validate compliance against NCA, SAMA, and PDPL requirements
Regulatory Export: Generate official audit-ready reports and regulatory export templates
Platform Operation: Provide access to dashboards, control mappings, and compliance tracking
Communication: Send service updates, security alerts, and support responses
Improvement: Analyze usage patterns to enhance platform functionality and user experience
Security: Detect and prevent fraudulent activity, security breaches, and unauthorized access

Data Processing and AI

Our AI engine processes your audit evidence to provide deep technical validation. This includes:

Reading and analyzing uploaded documents, log files, and configurations
Mapping evidence to specific NCA, SAMA, and PDPL control requirements
Identifying compliance gaps and non-compliant configurations
Generating recommendations and actionable remediation steps

Your evidence data is processed securely and used solely for your compliance analysis. We do not use your proprietary evidence to train our AI models or share it with other customers.

Data Storage and Security

We implement industry-leading security measures to protect your information:

Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls: Role-based access controls and multi-factor authentication
Data Residency: Saudi-based data storage options available for Kingdom-specific requirements
Audit Trails: Comprehensive logging of all access and modifications
Regular Security Audits: Ongoing security assessments and penetration testing
Compliance: Our infrastructure meets NCA, SAMA, and PDPL security standards

Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

Service Providers: Trusted third-party vendors who assist in platform operations (cloud hosting, analytics) under strict confidentiality agreements
Legal Requirements: When required by Saudi Arabian law, regulatory authorities, or valid legal processes
Business Transfers: In connection with mergers, acquisitions, or asset sales (with advance notice)
With Your Consent: When you explicitly authorize us to share specific information

Your Rights and Choices

Under PDPL and applicable Saudi regulations, you have the following rights:

Access: Request access to your personal information and audit evidence
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your information (subject to legal retention requirements)
Export: Download your data in portable formats
Objection: Object to certain processing activities
Withdrawal: Withdraw consent for optional data processing

To exercise these rights, please contact us at kauser@velocrux.com. We will respond within the timeframes required by Saudi law.

Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

Active Accounts: Data retained while your account is active
Audit Evidence: Retained according to regulatory requirements (typically 3-7 years for financial/critical infrastructure sectors)
Legal Compliance: Extended retention when required by SAMA, NCA, or other Saudi authorities
Deletion Requests: Honored within 30 days, except where retention is legally required

International Data Transfers

While we prioritize Saudi-based data storage, some service providers may process data outside the Kingdom. When this occurs:

We ensure adequate protection through contractual safeguards
We comply with PDPL cross-border transfer requirements
We provide transparency about data locations upon request
We offer Saudi-only data residency options for sensitive organizations

Cookies and Tracking

We use cookies and similar technologies to enhance platform functionality:

Essential Cookies: Required for platform operation and security
Analytics: Usage patterns to improve user experience (anonymized)
Preferences: Remember your language and dashboard settings

You can control cookies through your browser settings, though this may affect platform functionality.

Children's Privacy

Our platform is designed for business use and is not intended for individuals under 18 years of age. We do not knowingly collect information from children.

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent platform notices at least 30 days before the changes take effect.

Questions or Concerns?

For privacy-related inquiries, data subject requests, or security concerns, please contact our Data Protection Officer:

kauser@velocrux.com