Since Saudi Arabia’s PDPL reached full enforcement in September 2024, every SaaS evaluation in the Kingdom has a new standard clause: “send us your DPA.” The Data Processing Agreement has quietly become the single most-read document in procurement. Most vendors have one; not all of them hold up to the eight questions every KSA buyer should be asking.
Why the DPA matters under PDPL
Under PDPL, the buyer is a data controller and the SaaS vendor is a data processor. Articles 10 and 11 require a written contract between the two that specifies the scope of processing, the retention period, the security controls, and the respective responsibilities for data-subject rights. That contract is the DPA. A missing or weak DPA is a controller-side violation, not just a vendor problem — which is why buyers are suddenly so careful.
The eight questions
1. Does your DPA reference PDPL by article number?
A compliant DPA names PDPL Articles 10, 11, 18, and 22. A non-compliant DPA mentions GDPR and hopes for the best. Red flag — “we comply with major global data protection laws” without naming PDPL.
2. Where is production data stored today, and when does that change?
Acceptable answers: “Singapore now, Dammam by Q3 2026” (our answer), “Frankfurt, no planned change,” “Riyadh, always.” Red flag — “multiple regions, auto-balanced” without specifics.
3. Who are your sub-processors, and how are changes communicated?
Every sub-processor should be listed publicly on a page the buyer can bookmark, with a commitment to notify in writing 30 days before any change. Red flag — “listed on request” or “available under NDA.”
4. What is your breach notification window, and from which event does it start?
72 hours from awareness, not from “confirmation” or “investigation completion,” matches PDPL’s spirit. Red flag — “as soon as reasonably practical” with no numeric window.
5. How is data-subject access / erasure exposed?
API endpoint, dashboard button, and an emailed request path — ideally all three. Red flag — “email support@ and we’ll process within 30 days” as the only channel.
6. Is encryption at rest and in transit standard?
TLS 1.2+ in transit and AES-256 at rest are the 2026 baseline. Key-management practices should be documented. Red flag — “encryption available on enterprise tier.”
7. How long is data retained after contract termination?
A clear number (e.g. 30 days) with an optional faster-deletion path on written request. Red flag — “retention period varies” or indefinite default.
8. Can you sign a DPA addendum referencing KSA law specifically?
A “yes, here’s the pre-drafted addendum” is ideal. “Yes, negotiated case by case” is acceptable. “Our global DPA is sufficient” without PDPL reference is a red flag.
What a compliant DPA looks like, in practice
It’s typically 8–14 pages. It names the controller, the processor, the categories of data and data subjects, the processing purpose, the retention period, sub-processors (with a link to the live list), security controls (annexed), the breach procedure, and the mechanism for exercising data-subject rights. If the document is under 5 pages, it’s probably a privacy-policy cosplay.