Skip to content
سراج | Siraj
Legal & Compliance

Data Processing Agreement

Last updated: July 1, 2026

1. Parties

This Data Processing Agreement (DPA) is entered into between Siraj (the "Processor") and the organization or individual agreeing to these terms (the "Controller"). Both parties agree to comply with their respective obligations under the Saudi Personal Data Protection Law (PDPL) and other applicable data protection regulations.

2. Scope

This DPA governs the processing of personal data by Siraj on behalf of the Controller in connection with the Controller's use of the Siraj platform. It applies to all processing activities carried out by Siraj, including but not limited to recruitment services, e-learning, and AI-powered features.

3. Data Processing Details

Types of Personal Data

Names, contact details, professional history, educational records, CVs, identification numbers, and any other data provided by the Controller or data subjects through the platform.

Purpose of Processing

Facilitating job matching, course delivery, account management, platform improvement, and compliance with legal obligations.

Duration of Processing

For the duration of the Controller's use of the platform plus a retention period as required by Saudi law, unless earlier deletion is requested.

4. Data Controller vs Processor

The Controller determines the purposes and means of data processing and retains ownership of the data. The Processor acts only on documented instructions from the Controller. Siraj processes personal data solely for the purposes specified in this DPA and the applicable terms of service. The Controller is responsible for ensuring they have a lawful basis for processing.

5. Security Measures

Siraj implements appropriate technical and organizational security measures including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Access controls based on the principle of least privilege
  • Regular security audits and penetration testing
  • Employee training on data protection and confidentiality
  • Incident response and disaster recovery procedures

6. Subprocessing

The Controller authorizes Siraj to engage subprocessors to assist in providing platform services. Siraj will maintain an up-to-date list of subprocessors and notify the Controller of any changes. All subprocessors are bound by written agreements with data protection obligations no less stringent than those in this DPA.

7. Data Subject Rights

Siraj shall assist the Controller in fulfilling their obligations to respond to data subject requests under the PDPL, including rights of access, correction, deletion, portability, and objection. The Controller must notify Siraj of any data subject request within a reasonable timeframe. Siraj will respond to such requests within the statutory time limits.

8. International Transfers

Personal data may be stored and processed in Saudi Arabia or in jurisdictions that the Saudi Data & AI Authority (SDAIA) has deemed to have adequate data protection standards. Any transfer of data outside of Saudi Arabia will be governed by appropriate safeguards as required by the PDPL.

9. Breach Notification

Siraj shall notify the Controller without undue delay, and no later than 48 hours after becoming aware of a personal data breach. Notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and remedial measures taken or proposed.

10. Compliance with Saudi PDPL

Both parties acknowledge their obligations under the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree M/148. The Processor shall maintain records of processing activities, conduct data protection impact assessments where required, and designate a Data Protection Officer in compliance with PDPL requirements.

11. Term & Termination

This DPA shall remain in effect for as long as the Controller uses Siraj's services. Upon termination, Siraj shall, at the Controller's direction, delete or return all personal data within 30 days, unless retention is required by Saudi law. The provisions of this DPA that by their nature should survive termination shall remain in effect.