
This Data Protection Statement sets out the framework by which Takween Technologies handles personal data and client data in the course of delivering our services across the Kingdom of Saudi Arabia. It complements our Privacy Policy and should be read together with it. Our approach is grounded in the Personal Data Protection Law of the Kingdom of Saudi Arabia ("PDPL"), its Implementing Regulations, and the guidance issued by the Saudi Data & Artificial Intelligence Authority ("SDAIA"), the National Data Management Office ("NDMO"), and the National Cybersecurity Authority ("NCA").
We treat personal data and client data as a trust. Our deployments often operate in settings where even small lapses carry outsized consequences, including high-demand public venues, data centre environments, and programs of institutional importance. Data protection is embedded in how we engineer and operate, not bolted on afterwards.
Data protection responsibilities are formally assigned at the leadership level. A named Data Protection contact oversees policy, incident response, and regulatory engagement. Decisions affecting personal data at scale, including cross-border transfers and the introduction of new processing activities, are reviewed before implementation.
Where we process personal data of individuals in the Kingdom, we operate in alignment with PDPL requirements on storage, transfer, and access. Client data generated in the Kingdom is hosted within the Kingdom wherever the engagement requires it, and cross-border transfers follow the mechanisms permitted under the Implementing Regulations.
We process personal data only where we have a lawful basis under the PDPL, and only the data needed for the specific, declared purpose. We do not repurpose personal data beyond the original intent without a fresh lawful basis.
Our deployments favour non-biometric, privacy-preserving technologies wherever operationally feasible. Where we deploy sensors or video analytics, we prefer pattern- and count-based signals over identity-level data. Where identity-level data is processed under a client mandate, we apply access controls, audit trails, and retention windows commensurate with the sensitivity of the information.
We apply technical and organisational controls aligned with the Essential Cybersecurity Controls ("ECC") published by the NCA, including access management, encryption in transit and at rest where applicable, vulnerability management, logging and monitoring, and periodic third-party review. Security measures are calibrated to the sensitivity of the environment and reviewed regularly.
Where we engage sub-processors or technology partners, we do so under written agreements that flow down our data protection obligations, restrict the use of data to the declared purpose, and require equivalent security standards. A list of sub-processors used in a given engagement is made available to clients on request.
We maintain an incident response procedure covering detection, containment, assessment, notification, and recovery. Where a data breach occurs that meets the notification thresholds under the PDPL, we notify the competent Saudi authority and affected individuals within the required timeframes.
Where we act as a data controller, we facilitate the exercise of rights under the PDPL, including rights of access, correction, and deletion. Where we act as a processor on behalf of a client, we support the client in responding to requests from data subjects.
Retention periods are defined per data category and per engagement, aligned with the purposes of processing and any applicable regulatory obligations. At the end of the retention period, personal data is securely deleted or irreversibly anonymised.
For data protection enquiries, including data subject requests, please contact otman@takweentechnologies.com.