Compliance

Built for organizations that need AI to operate within clear rules.

Edrak is designed to support enterprise AI adoption within a structured legal, regulatory, and governance framework. That includes clear contractual commitments, controlled data handling, security measures, and product design choices intended to help customers meet internal and external compliance requirements.

Compliance at a glance
  • Designed for regulated environments: Edrak is built to support organizations that need visibility, control, and accountable use of AI.
  • Saudi-first legal alignment: Edrak is designed with the legal and regulatory context of the Kingdom of Saudi Arabia in mind, including local data handling expectations and hosting needs.
  • Contract-backed commitments: Customer protections are supported through contractual documents, including service terms, privacy and data handling commitments, and related enterprise documentation.
  • Governance by design: Edrak provides administrative controls, access management, and workspace-level visibility to support internal compliance and policy enforcement.
  • Enterprise diligence support: For customers with review requirements, Edrak can provide compliance-related documentation under appropriate confidentiality controls.

Our compliance approach
Compliance at Edrak is approached as an operating discipline, not a badge.

We focus on four things:
  • Clear legal structure: Our customer relationships are governed through written terms that define data ownership, permitted use, security commitments, restrictions, and responsibilities.
  • Controlled data handling: Customer data is processed only as needed to provide, secure, support, and administer the service. It is not used to train Edrak models or third-party AI models.
  • Support for internal governance: Edrak gives organizations the tools to manage access, monitor usage, and apply internal policies in a structured way.
  • Regional and enterprise readiness: Edrak is designed for customers operating in Saudi Arabia and beyond, with a default hosting position in Saudi Arabia unless otherwise agreed.

Legal and contractual framework
Edrak's compliance model is supported through formal customer documentation.

Depending on the engagement, that may include:
  • Master Services Agreement
  • Order Form
  • Statement of Work
  • Data Processing Addendum
  • Security Exhibit
  • Service Level Agreement
  • Privacy and Data Governance documentation
These documents are intended to define the legal and operational framework for the service, including data handling, confidentiality, security, use restrictions, and dispute resolution.

Data protection and privacy alignment
Edrak is designed to align with applicable data protection expectations and enterprise privacy requirements.

This includes:
  • Customer ownership of customer data
  • No model training on customer data or outputs
  • Limited processing rights tied to service delivery and support
  • Retention and deletion rules defined through contract and service design
  • Controls around third-party provider routing
  • Security measures intended to protect against unauthorized access, disclosure, alteration, or destruction
Customers remain responsible for determining whether their own use of Edrak complies with the laws and regulations applicable to their business, industry, and jurisdictions.

Security and control environment
Compliance depends in part on whether the platform gives customers meaningful control.

Edrak is designed to support that through:
  • Role-based access controls
  • Workspace-level segregation
  • Encryption in transit and at rest
  • Logging and monitoring
  • Administrative visibility into usage and activity
  • Subprocessor controls through written obligations
  • Incident notification processes for confirmed security incidents affecting customer data processed by Edrak
These controls help customers operate AI within a more governed environment rather than through fragmented, unmanaged usage.

Acceptable use and platform boundaries
Compliance also requires clear boundaries around how the platform may be used.

Edrak's terms and policies restrict misuse, including use of the platform to:
  • Conduct unlawful or harmful activity
  • Facilitate malware, phishing, spam, or credential theft
  • Circumvent safeguards or access controls
  • Violate sanctions, export controls, or other applicable restrictions
  • Reverse engineer, replicate, or develop competing AI systems through unauthorized use of the service
Where misuse is identified or creates legal, security, or operational risk, Edrak may restrict, suspend, or terminate access in line with its contractual framework.

Data residency and regional considerations
Unless otherwise agreed, Edrak's default hosting position is Saudi Arabia, subject to operational availability. Alternative hosting locations may be available depending on customer requirements, applicable law, and service configuration.

For organizations with specific data localization, cross-border transfer, or sector-specific requirements, Edrak can discuss available deployment and contractual options as part of the enterprise review process.

Third-party providers and subprocessors
Edrak supports access to selected third-party AI providers through its platform.

Where those integrations are used:
  • Customer data may be transmitted to the relevant provider only to provide the requested functionality
  • Edrak acts as the intermediary platform layer
  • Third-party providers may remain subject to their own technical and service limitations
  • Edrak uses subprocessors as needed to provide the service and remains responsible for their performance under its customer commitments
  • Written obligations are imposed relating to confidentiality, security, and data protection, consistent with the nature of the service

Standards and regulatory positioning
Edrak is designed to align with applicable Saudi data protection requirements and enterprise security expectations. Its documentation also references international best-practice concepts, including SOC 2 principles and GDPR-aligned concepts where relevant.

We are careful in how we describe this.

Edrak may be designed with reference to recognized standards or frameworks, but customers should not infer a certification, accreditation, or regulatory approval unless Edrak expressly states that it has been achieved.

That distinction matters, and we think serious enterprise customers appreciate that level of precision.

Shared responsibility
Compliance is shared.

Edrak is responsible for:
  • Operating the service within its documented contractual and policy framework
  • Implementing platform safeguards and controls
  • Maintaining documentation relevant to enterprise diligence
  • Supporting customers with reasonable compliance-related information requests
Customers are responsible for:
  • Determining whether Edrak is suitable for their own legal, regulatory, and internal policy requirements
  • Configuring access and governance within their workspace
  • Ensuring they have the rights and legal basis to submit data to the service
  • Reviewing outputs before relying on them in high-impact contexts
  • Managing their own obligations under laws, regulations, and internal policies
That is the right model for enterprise AI. The platform provides structure and controls. The customer remains accountable for its own use.

Documentation and enterprise review
For customers with procurement, legal, risk, or compliance review processes, Edrak may provide relevant documentation under appropriate confidentiality controls.

Available materials may include:
  • Master Services Agreement
  • Privacy and Data Governance documentation
  • Data processing terms
  • Security documentation
  • Subprocessor information
  • Responses to reasonable diligence questionnaires

Contact
For compliance, legal, or enterprise diligence requests: compliance@edrak.com