Trust · SDAIA
SDAIA AI Ethics Principles establish the Kingdom of Saudi Arabia's expectations for responsible AI development and deployment, covering fairness, privacy and security, humanity, social and environmental benefit, reliability and safety, transparency and explainability, and accountability. The KSA Personal Data Protection Law (PDPL) layers binding privacy obligations on top.
What it is, what it covers
AI engagements with KSA-domiciled organizations operate under two related but distinct frames: SDAIA's AI Ethics Principles (a values-and-governance framework) and the Personal Data Protection Law (a binding privacy regulation, effective September 2024). Both apply to AI systems that handle personal data of KSA residents, regardless of where the system is hosted.
Prosigns engineers AI systems for KSA organizations with both frames as architectural constraints. The Doha office (Prosigns Middle East operations) leads regional engagements with on-the-ground familiarity with KSA enterprise procurement and regulator expectations. Documentation of model governance, bias evaluation, and explainability artifacts is produced concurrently with engineering and retained per PDPL documentation requirements.
We do not substitute for your data protection officer (DPO) or your AI ethics committee. We engineer the systems they govern, and we produce the artifacts they need to discharge their obligations.
Scope
SDAIA's AI Ethics Principles apply to AI systems developed or deployed in KSA. PDPL applies to processing of personal data of KSA residents regardless of processor location, with cross-border transfer restrictions and named-DPO requirements above defined thresholds. Engagements with KSA AI deliverables are scoped against both frames from the first architecture review.
Engineering controls
These Prosigns engineering practices produce SDAIA-aligned evidence as a side effect of normal delivery. Each control carries a specific reference where applicable.
Each production AI system goes through a documented ethics review covering the seven SDAIA principles: fairness, privacy and security, humanity, social/environmental benefit, reliability and safety, transparency and explainability, accountability. Review outcomes are retained per the engagement's documentation policy.
SDAIA AI Ethics Principles (2023)
AI systems serving KSA populations are evaluated for performance disparities across relevant strata before deployment. Ground-truth datasets are stratified; performance metrics are reported per stratum; deployment is contingent on the stratified results meeting the engagement's fairness floor.
SDAIA Fairness principle
AI systems making impact decisions (credit, claims, hiring, healthcare triage) produce per-decision explainability artifacts: input features used, model output, confidence, and the human review path where applicable. Citizens have actionable visibility into decisions affecting them; explainability is operational, not aspirational.
SDAIA Transparency and explainability principle
Personal data of KSA residents is processed with documented lawful bases. Cross-border transfers comply with PDPL transfer mechanisms (consent, regulator approval, or limited-purpose exceptions). Region-aware data residency is enforced architecturally, not just policy-stated.
Personal Data Protection Law (PDPL), effective September 2024
Engagements processing personal data of KSA residents above PDPL's named-DPO threshold operate with a designated data protection officer in the engagement structure. The DPO sign-off is retained on processing decisions; the DPO has direct escalation to the institution's executive sponsor.
PDPL Article 32 (Data Protection Officer)
Healthcare-impact, financial-impact, and citizen-rights-impact decisions require human review before action — never autonomous. The review path is documented; reviewer identity is captured; review SLAs are operationalized.
SDAIA Humanity and Reliability principles
User-facing AI systems serving KSA populations support Arabic in addition to English. Tokenization, retrieval, and evaluation harnesses are tested on Arabic content; responses preserve appropriate register and dialectal expectations. We don't ship English-only systems into Arabic-first contexts.
Model lifecycle is documented from training-data sourcing through deployment, monitoring, and retraining. Retraining triggers are explicit (drift thresholds, performance degradation, regulatory change). Lifecycle records are retained per PDPL documentation requirements.
SDAIA Reliability and Safety principle
Honest posture
Prosigns engineers AI systems for KSA organizations aligned to SDAIA AI Ethics Principles and PDPL with the Doha office leading regional engagements. We are not a SDAIA-certified entity; on engagements with KSA AI deliverables, we coordinate with your DPO and AI ethics committee and produce documentation in the form they expect.
Audit pack contents
Engagement-scoped to the SDAIA deliverable. Available on request under NDA, same business day for procurement and InfoSec review.
Where it applies
Saudi banks, insurers, and capital markets firms with SAMA oversight and SDAIA AI considerations.
Saudi hospitals and Vision 2030 health-transformation programs with patient-data flows.
KSA public-sector and Vision 2030 programs with AI-supported citizen services.
Services we deliver
Production AI systems for KSA organizations with documented ethics review and PDPL-aligned data handling.
Agentic systems with explainability artifacts, human-in-the-loop on impact decisions, and Arabic / English bilingual support.
Risk, fraud, and forecasting models with bias evaluation and SAMA-aware governance for financial-services workloads.
Frequently asked
Not currently. SDAIA's AI Ethics Principles are a values-and-governance framework rather than a certification regime. Specific sectors (financial services under SAMA, health under MOH) layer additional sectoral expectations. We engineer AI systems aligned to SDAIA principles by default; sector-specific requirements are scoped per engagement.
PDPL restricts transfer of personal data of KSA residents outside the Kingdom unless one of several mechanisms applies: explicit consent for the specific transfer, regulator approval, or one of the limited-purpose exceptions in the law. We design KSA AI architectures with data-residency boundaries in-region by default and document any cross-border flow with the applicable transfer mechanism.
Yes. Tokenization, retrieval, and evaluation harnesses are tested on Arabic content. We work with both proprietary frontier models that support Arabic (Claude, GPT-4-class, Gemini) and KSA-aligned open models where available. Responses preserve register and dialectal expectations; transliteration and code-switching cases are tested.
The Doha office is Prosigns Middle East operations and leads GCC engagements including KSA. Senior engineers travel to KSA for kickoff, architecture review, and go-live; bilingual stakeholder coverage is handled from Doha. PDPL-aligned data handling on engagement components is engineered to keep processing in-region as a default; cross-border decisions are explicit and documented.
Saudi Central Bank (SAMA) has its own model risk management and AI governance expectations layered on top of SDAIA principles for financial-services AI. We engineer to the strictest applicable standard per control — typically that means SAMA's model governance plus SDAIA's ethics review plus PDPL's data handling — and document the cross-mapping so a single engagement presents coherent evidence to all relevant supervisors.
It depends on the data and the consent mechanism. Personal data of KSA residents leaving the Kingdom requires a PDPL transfer mechanism. Aggregated, de-identified, or synthetic data — when the de-identification is robust under PDPL's standard — typically falls outside the regulated scope. We document the data classification at architecture review; the answer drives the deployment topology.
Related regulators
U.S. Department of Health & Human Services (HHS)
HIPAA / HITECH Engineering for Healthcare Workloads
Board of Governors of the Federal Reserve System; OCC Bulletin 2011-12 (parallel guidance)
Federal Reserve SR 11-7 Model Risk Management for ML Systems
New York State Department of Financial Services (DFS)
NYDFS 23 NYCRR 500 Cybersecurity for Financial Institutions
Talk to us
CITADEL co-pilots every regulated engagement. Senior engineer plus department lead joins the first call. Audit pack on the same business day.