This document summarises SPM Consultants' regulatory compliance posture across four domains relevant to GCC government and enterprise procurement: NCA cybersecurity alignment, PDPL data protection, Saudi-hosted infrastructure, and SDLC software quality assurance.
The National Cybersecurity Authority (NCA) mandates ECC-1:2018 compliance for all Saudi government entities and organisations operating on government networks. SPM Consultants designs its platform architecture to be fully aligned with NCA ECC requirements:

- Architecture designed to support NCA ECC-1:2018 control domains.
- Data classification and access controls enforced at the platform layer.
- Immutable security event audit trail supporting NCA logging requirements.
- Infrastructure physically located within the Kingdom of Saudi Arabia.

Procurement note: Saudi government agencies and state-linked enterprises must procure from vendors whose infrastructure meets NCA standards. SPM Consultants' infrastructure is hosted within the Kingdom of Saudi Arabia.
Saudi Arabia's PDPL (enforced September 2023) imposes strict obligations on personal data collection, processing, storage, and cross-border transfer. The SPM Consultants platform is designed to support every PDPL obligation — built into the platform architecture, not merely stated as policy.

- Data Residency: all personal and enterprise data is stored on private cloud infrastructure physically located in Saudi Arabia. No data crosses the border without explicit authorisation.
- Purpose Limitation: data collected for performance management cannot be repurposed without a new documented consent basis.
- Subject Rights: PDPL right-to-access, right-to-rectify, and right-to-delete workflows are built into the administrative tooling.
- NDMO Alignment: technical and procedural controls are aligned with National Data Management Office standards.
- Breach Notification: monitoring is designed to detect, contain, and document incidents within PDPL's 72-hour regulator notification requirement.
SPM Consultants operates exclusively on private cloud infrastructure physically located within the Kingdom of Saudi Arabia. This is enforced at the infrastructure layer — not a configuration option.

- Data location: Kingdom of Saudi Arabia — enforced by architecture.
- Infrastructure type: private cloud (dedicated tenancy).
- Cross-border transfer: none — requires explicit client authorisation.
- Data sovereignty: full — no shared or public cloud paths.

Security documentation is available on request.
Regulatory compliance depends on software quality and reliability, not only on data residency. SPM Consultants follows a layered Software Development Life Cycle (SDLC) with mandatory quality assurance gates at every phase:

1. Requirements & Security Review — data protection and cybersecurity requirements are documented as explicit acceptance criteria before any feature enters development.
2. Secure Development Practices — OWASP Secure Coding Guidelines, mandatory security code reviews, and dependency vulnerability audits before every release.
3. Automated & Manual Testing — unit, integration, and end-to-end test suites; automated vulnerability scanning before every release.
4. Staged Deployment & Rollback — all changes deploy to a staging environment mirroring production; automated smoke tests gate promotion.
5. Continuous Monitoring & Incident Response — continuous production monitoring with automated alerting; immutable audit trail for all security events.
Contact SPM Consultants for a full compliance documentation pack: info@nvocs.com