The misreading that distorts SAP architecture decisions
Ask around any KSA transformation program and you will hear the same assumption: the Personal Data Protection Law is a data-localization law, so every SAP workload must sit on Saudi soil. That assumption drives real money — duplicated landscapes, deferred cloud moves, over-scoped residency requirements. And it is not what the law says. The PDPL is a permit-with-conditions transfer regime: it permits, rather than prohibits, cross-border transfers when conditions are met, and no absolute localization mandate exists under the PDPL itself. Getting that distinction right is the difference between architecting for the actual law and architecting for a rumor of it.
The law, precisely
The PDPL came into force on 14 September 2023, with a one-year grace period ending 14 September 2024. Its reach is broad: it applies to any processing of personal data taking place in the Kingdom, and to processing of KSA residents’ data by entities outside the Kingdom — extraterritorial, in the GDPR mold. Data subjects hold rights to be informed, to access their data and obtain a copy, to request correction, and to request destruction.
What Article 29 actually says about transfers
Cross-border transfer is governed by Article 29 of the law together with SDAIA’s Regulation on Personal Data Transfer Outside the Kingdom. The conditions, per specialist legal analysis of the regime: the transfer must not prejudice national security or the Kingdom’s vital interests; the recipient jurisdiction must afford an adequate level of protection; and the transfer must respect data minimization.
Where the recipient jurisdiction is not adequate, transfers require appropriate safeguards: SDAIA Standard Contractual Clauses (“Saudi SCCs”), Binding Common Rules for intra-group transfers, or a certificate of accreditation from an approved body. Before transferring, controllers must run a transfer risk assessment covering purpose and legal basis, the nature and geographical scope of processing, safeguards, recipient adequacy, and minimization.
One practical gap to plan around: SDAIA has not published its list of adequate jurisdictions, so advisers default to EU-adequate jurisdictions in the interim. For an SAP landscape, that means every cross-border interface — support access, analytics replication, shared services — needs a documented lawful transfer path now, on safeguards, not a wait for an adequacy list.
The audit controls your SAP program must evidence
Three controls recur in PDPL compliance reviews, and all three have direct SAP-landscape implications:
- Breach notification: controllers must notify SDAIA within 72 hours of becoming aware of a personal data breach — which presumes monitoring and incident routing across your SAP estate that can actually detect and escalate within that window.
- Records of processing: controllers must maintain records of processing activities — purposes, data categories, recipients, cross-border transfers, retention — available to SDAIA. An SAP landscape with undocumented interfaces cannot produce this.
- Data Protection Officer: required for public entities, large-scale processing, systematic monitoring, or sensitive-data processing, with registration on the National Data Governance Platform.
The in-Kingdom map, precisely
Here is where imprecision costs the most, so let us be exact about what runs in Saudi Arabia today — and what does not.
- AWS `me-south-1` is Bahrain, not Saudi Arabia. AWS’s own regions table lists me-south-1 as Middle East (Bahrain) — a separate country, and for PDPL purposes a cross-border destination. Workloads there do not satisfy an in-Kingdom requirement.
- AWS’s Saudi region is announced, not confirmed live. AWS announced in March 2024 that it will launch an infrastructure Region in Saudi Arabia in 2026, investing more than USD 5.3 billion; at the time of writing, AWS’s own pages still describe the Saudi region as planned rather than listing it as available. Treat third-party “it’s live” claims with caution until AWS’s primary pages say so.
- Google Cloud’s Dammam region is live — opened 15 November 2023, with controls supporting security, data residency and local regulatory compliance.
- Microsoft’s Azure Saudi region is expected, not live: as of Microsoft’s December 2024 update, construction was complete on three sites with availability expected in 2026.
And for SAP specifically: the confirmed in-Kingdom hosting evidence points to Google Cloud. Saudia adopted RISE with SAP on Google Cloud with mission-critical data hosted in-Kingdom to align with the Kingdom’s data sovereignty goals, and Saudi Arabia’s public-sector SAP Business Network deployment is hosted on Google Cloud in Saudi Arabia, allowing government buyers to store data in-country while transacting globally, compliant with national data residency and cybersecurity regulations (CCC-2020). We found no primary source tying SAP’s older 2018 Riyadh data center to RISE hosting — if in-Kingdom RISE is on your requirements list, the substrate to validate with SAP today is Google Cloud’s Dammam region.
What this means for your architecture decisions
Start from the data, not the slogan. Classify what personal data your SAP landscape processes and where it flows; most estates discover their genuine residency-sensitive footprint is narrower than assumed. For data that stays, in-Kingdom options exist today and are widening through 2026 as more hyperscaler regions come online — sequence your roadmap against confirmed availability, not announcements. For data that legitimately leaves — global support models, group consolidation, shared analytics — build the Article 29 path deliberately: safeguards in contracts, transfer risk assessments on file, minimization designed into interfaces. And evidence the controls: 72-hour breach capability, records of processing, a registered DPO where required.
The PDPL does not ask you to lock every byte inside the Kingdom; it asks you to know what leaves, why, and under what protection. Firms that read the law precisely will run leaner architectures — and pass audits — while their competitors pay for residency the regulator never demanded.