How we protect customer data, who has access to what, where data lives, and how to report security issues. We list only the controls we actually run in production.
Every claim below maps to a configuration we operate in production — not a roadmap item.
Customer data resides in the Kingdom of Saudi Arabia on a SanadAIs-owned origin host. Our edge in Paris terminates TLS for app.sanadwa.com and api.sanadwa.com and forwards each request over an authenticated tunnel to the KSA origin — it does not persist customer data on its disk. Edge access logs are scrubbed of paths, request bodies, and response bodies.
All public traffic is terminated at our Caddy reverse proxy with TLS 1.2+ and modern cipher suites. HTTP requests are redirected to HTTPS. The hop from the edge in Paris to the KSA origin runs over an authenticated SSH tunnel — never plain TCP.
User passwords are hashed with bcrypt. We never store, log, or transmit plaintext passwords. Password reset is handled via a one-time link.
Every workspace has three roles — owner, admin, and operator — with progressively narrower permissions. The API enforces role checks on every protected endpoint.
Operator actions and system events emit structured JSON logs to disk with stable schemas. Sensitive fields (tokens, message bodies) are redacted at the logger.
Every API endpoint filters database queries by the session tenant ID. One workspace cannot read or write another workspace data.
Where we stand on data-protection regimes today. We err on the side of honesty — uncertified means uncertified.
Compliance work is underway. We have structured data flows to align with PDPL controller and processor responsibilities, and customer data is stored in the Kingdom of Saudi Arabia in production. We have not yet undergone formal PDPL certification.
We honor GDPR data subject rights — access, deletion, and portability — by extension of our PDPL compliance approach. Requests can be sent to the security inbox below.
If you believe you have found a vulnerability or a security incident affecting SanadWA, email admin@sanadais.com.
You can request deletion of your account and associated data at any time. Follow the steps on our data deletion page.