What is a Saudi PDPL-compliant surveillance platform?

Why PDPL changed the surveillance procurement bar

PDPL applies to any processing of personal data of individuals in Saudi Arabia, regardless of where the controller sits, with full enforcement since September 2024. Surveillance video almost always qualifies — faces, vehicle registrations, behaviour patterns are personal data, and biometric identifiers (face recognition, gait) are sensitive personal data attracting tighter rules.

What PDPL requires of a surveillance platform

• In-Kingdom storage by default — cross-border transfer needs SDAIA authorisation or fits a narrow exception list.
• Lawful basis — typically legitimate interest or compliance with a Saudi legal obligation; consent for biometric features.
• Data minimisation — collect only what the purpose requires; mask the rest.
• Retention limits — purpose-bound; delete promptly when no longer needed.
• Security controls — encryption, access management, integrity protection.
• Breach notification — 72-hour notice to SDAIA where there is risk to rights.
• Records of processing — controllers must maintain a register.
• Data subject rights — access, correction, deletion, objection within statutory windows.

VMukti's Saudi-deployable topology

VMukti Cloud VMS deploys into a sovereign Saudi region with Kingdom-resident storage and processing, customer-managed encryption keys, role-based access control with MFA, immutable audit logs, AES-256 encryption at rest, TLS 1.3 in transit, and built-in redaction tooling for handling subject-access requests. The platform supports both Arabic and English interfaces for command-centre operations.

Procurement checklist

Confirm with any bidder: (1) location of primary and backup storage, (2) the SDAIA notification status, (3) DPO appointment evidence, (4) breach-response runbook, (5) approach to biometric features and consent, (6) Arabic-language operator UI, (7) cross-border data-handling for cloud telemetry and support access.