Compliance

FI Tech operates as both a controller (for our own commercial relationships) and a processor (for customer-tenant data) under Royal Decree M/19 of 9/2/1443H and SDAIA's implementing regulations.

Data subject rights

• Right to be informed about processing purposes and legal bases
• Right of access to a copy of personal data
• Right to rectification of inaccurate data
• Right to destruction of personal data when no longer required
• Requests handled within 30 days; submit via dpo@fitechco.com

Cross-border transfer

• Default residency is the Kingdom of Saudi Arabia
• Cross-border transfers occur only when permitted by PDPL and on the basis of customer instructions, adequacy, or executed safeguards
• See Data Residency for the per-category breakdown

Breach notification

• SDAIA notification timelines and customer notification commitments documented in our incident runbook
• 24-hour initial customer notification target for confirmed personal data breaches

FI Tech contributes to Vision 2030 themes through:

• A Thriving Economy — local AI capability, KSA-resident model artifacts, and Saudi engineering talent
• An Ambitious Nation — measurable safety and productivity gains for energy, construction, and smart-city programs
• Localization — IKTVA-eligible procurement support and KSA-anchored deployment options

Our AI systems align with the SDAIA AI Ethics Principles (fairness, privacy and security, humanity, social and environmental benefits, reliability and safety, transparency and explainability, accountability and responsibility).

• Documented model cards for production detection models
• Bias and performance evaluation on representative regional data
• Human-in-the-loop review available for high-stakes decisions (e.g., safety alerts)
• Customer-controlled opt-in for any use of telemetry in model improvement

FI Tech aligns its control set with the National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1:2018 and subsequent revisions). Implementation is reviewed annually and exercised as part of penetration testing and tabletop drills.

• Cybersecurity governance, risk management, and asset management
• Identity and access management, system and network security
• Cryptography, backup and recovery, vulnerability and patch management
• Cybersecurity event logs, incident management, and third-party security

In progress Formal NCA-ECC self-assessment package available to enterprise prospects under NDA.

Path FI Tech is on a documented path to ISO/IEC 27001:2022 certification. Stage 1 audit is targeted for 2026; Stage 2 and certification are targeted for 2027. We are happy to share interim Statement of Applicability (SoA) and gap-assessment outcomes with enterprise customers under NDA.

Path A SOC 2 Type I report is on the 2027 roadmap, with Type II to follow. This is sequenced after ISO/IEC 27001 to minimize duplicate evidence collection.

For customers established in the European Economic Area, FI Tech offers a GDPR-aligned Data Processing Addendum (DPA) including Standard Contractual Clauses for any processing outside the EEA.

• EU regional hosting available on request (see Data Residency)
• Sub-processor list maintained at /trust/sub-processors/
• Data subject requests: dpo@fitechco.com

The DPO function is reachable at dpo@fitechco.com. Postal correspondence may be sent to:

Future Intelligence Tech
Attn: Data Protection Officer
Maliha, Qurtubah District
Riyadh 13245, Kingdom of Saudi Arabia