Security & Compliance

We treat your data the way we treat capital — multiple layers of protection, independent audits, and a full auditable log of every operation. This page is updated continuously and reviewed by our legal and security teams.

Last updated · 27 April 2026

Certifications and accreditations

The framework we operate within

ISO/IEC 27001

Internationally certified Information Security Management System with annual third-party review. Certificate details available on request for enterprise procurement.

PDPL compliant

Saudi Personal Data Protection Law (Royal Decree M/19) — all processing, storage, and sharing follows its requirements, including data-subject rights.

ARAMCO CCC certified

Aramco Cybersecurity Compliance Certificate (CCC) — enables direct supply to the Aramco ecosystem under their extended security requirements.

99.99% SLA

Year-round guaranteed availability, with independent monitoring and automatic credits for any drop. Full SLA details are in your service contract.

Data sovereignty

Your data is hosted within Saudi Arabia, and is not moved outside except by your explicit written consent and only for agreed-upon purposes.

Full audit log

Every operation on the platform — issue, transfer, redeem, balance change — is recorded immediately in an immutable log, exportable for review.

FAQ

What risk teams typically ask

  • Yes. Our DPA is available on contract signing and covers all PDPL and standard SCC requirements. To get a copy before signing, contact the sales team via our Contact page.
  • All production data is hosted within Saudi Arabia on certified cloud infrastructure. It is not transferred outside the Kingdom except with written permission and for specific purposes set out in your service contract.
  • Role-based access control (RBAC) for every user and operation, single sign-on via SAML/OIDC, and enforced two-factor authentication on all administration consoles.
  • Yes. We welcome responsible security researchers. To report a vulnerability, send a detailed report to security@resal.me — the team responds within 48 business hours.
  • We have a 24/7 incident response team and a documented process: containment within one hour, forensic investigation, customer notification within 72 hours per PDPL, and a published post-incident review for affected customers.
  • Yes. Annual independent penetration tests on infrastructure and APIs, plus weekly automated scans. A summary of the latest test is available to customers on request under NDA.

For risk and compliance teams

Need detailed documentation to complete a vendor assessment?

Our security team responds within one business day to requests for DPA, SOC reports, penetration-test summaries, sub-processor list, or any compliance documentation your team needs.