Trust and compliance

KPILoop Trust Center

Last updated: 19 May 2026

We treat KPI data the way our customers would treat their own performance reviews — quietly, with discipline, and behind locked doors. This page tells you exactly where that data lives, who handles it, and what compliance work we are doing as we grow.

For our broader privacy commitments, read the Privacy Policy. For GDPR-specific obligations, see our GDPR Notice.

1. Current compliance status

We are pre-launch and building toward formal certification on a phased plan. Here is where we stand today, without hedging:

  • PDPL (Saudi Arabia): In progress

    We are aligning data handling, breach response, and data-subject request workflows with the Saudi Personal Data Protection Law, with internal readiness targeted for December 2026 (see the timeline in section 2).

  • GDPR: Ready

    Our processing notices, lawful basis mapping, and data-subject rights workflows are in place. See our GDPR Notice for full details.

  • SOC 2 Type I: On roadmap

    Audit scoping is underway, with a Type I report targeted within 6–9 months of revenue stabilizing. A Type I report attests to control design at a point in time; SOC 2 Type II, which also attests to operating effectiveness over an observation period, will follow after that period closes.

  • ISO 27001: Post-revenue

    Scoped for a future phase, after Type II. We are not certified today and will not claim otherwise.

  • PCI DSS: Reduced scope (SAQ A)

    Card data is handled entirely by Moyasar. KPILoop never sees, transmits, or stores cardholder data, which places us in the reduced PCI DSS SAQ A scope rather than a full assessment.

2. Certification timeline

Here is the dated schedule we are working to. We publish dates so we can be held to them, not because every milestone is guaranteed — we will update this page if scope or sequencing changes.

  1. PDPL readiness (Saudi Arabia): December 2026

    Internal PDPL alignment complete: data handling, breach response, and data-subject request workflows in production. DPO appointed and SDAIA registration filed where required.

  2. GDPR DPA and SCCs: Q1 2027

    Standard Data Processing Addendum and Standard Contractual Clauses published for EU customers. Transfer impact assessment documented for nam5 hosting.

  3. SOC 2 Type I kickoff: Q2 2027

    Audit scoping with a recognized CPA firm, using Sprinto or Secureframe for control mapping and evidence collection. Controls implemented across the security, availability, and confidentiality trust services criteria.

  4. SOC 2 Type I report: Q3 2027

    Type I report issued and made available under NDA to qualified prospects and customers.

  5. Middle East region evaluation: Q4 2027

    Decision on whether to migrate Firestore from nam5 to a Middle East region based on customer demand and PDPL residency pressure. Migration scoping if green-lit.

  6. SOC 2 Type II observation window: Q1 2028

    Begin a six-month observation period over which control operation is evidenced for the Type II report. No claim of Type II compliance during this window.

  7. SOC 2 Type II report: Q3 2028

    Type II report issued, covering the full observation window. Available under NDA.

  8. ISO 27001 readiness: Q4 2028

    ISMS scoped, risk assessment complete, Statement of Applicability drafted. Certification audit scheduled for 2029 if business need confirms.

3. Data residency and hosting

KPILoop runs on Google Cloud via Firebase. Our primary Firestore database is in the nam5 multi-region (United States). Cloud Functions execute in a United States region as well. Static assets are served by Firebase Hosting from Google's global CDN, so they may be cached at edge locations outside the United States; customer data itself is not served from the CDN.

We have evaluated migrating our Firestore instance to a Middle East region to support customers with strict residency requirements. That migration is scoped on the roadmap but not scheduled. Customers with hard residency requirements should contact us before signing.

4. Saudi Arabia — PDPL commitments

KPILoop is a Saudi company serving Saudi customers. We treat the Personal Data Protection Law (PDPL) as a first-class obligation, not an afterthought. Here is exactly where we stand and where we know we have work to do:

  • Lawful basis and notice

    We collect personal data on the basis of contract performance (operating your KPI account), legitimate interest (security, fraud prevention, service improvement), and explicit consent (analytics cookies, marketing). Bilingual privacy notices in Arabic and English are published before signup, not buried after.

  • Data-subject rights in Arabic

    Access, correction, deletion, and objection requests are fully supported in Arabic. The in-product DSR flow and the privacy@kpiloop.com inbox both respond in the language the request was filed in. We do not require Arabic speakers to switch to English to exercise their rights.

  • Cross-border transfer disclosure

    Our primary data store and AI inference are in the United States (Firestore nam5 and Vertex AI us-central1). This is a cross-border transfer under PDPL and we disclose it openly. Customers with residency-bound data should evaluate this before signing — see section 3.

  • Breach notification

    We commit to notifying affected customers within 72 hours of confirming a personal data breach that creates a material risk to individuals, with parallel notification to SDAIA where required by PDPL.

  • DPO and SDAIA registration

    A data protection officer will be appointed and SDAIA registration filed where required as part of our December 2026 PDPL readiness milestone (see section 2). Until then, privacy@kpiloop.com is the named contact for all PDPL matters.

5. Sub-processors

We use a short, deliberate list of sub-processors. Each one is contractually bound to handle personal data only on our instructions and to maintain appropriate security controls.

Sub-processor                 | Purpose                                                          | Processing location
Google Cloud (Firebase)       | Database, authentication, storage, hosting, serverless functions | United States (nam5)
Google Cloud (Vertex AI / Gemini, via Genkit) | AI-assisted KPI suggestions, performance insights, review drafting | United States (us-central1)
Moyasar                       | Payment processing and subscription billing                      | Kingdom of Saudi Arabia
Sentry                        | Error monitoring and performance telemetry                       | United States

We will notify customers of material changes to this list with at least 30 days' notice prior to onboarding any new sub-processor.

To receive sub-processor change notifications by email, write to privacy@kpiloop.com and we will add you to the notification list and confirm.

6. AI processing and opt-out

KPILoop uses Gemini (via Google Genkit) for KPI suggestions, performance insights, risk prediction, and review drafting. When you use these features, the relevant KPI or review content is sent to Gemini for inference.

We do not use your data to train foundation models. Per-organization opt-out from AI features will be available in the admin console; if you need it sooner, contact us and we will disable AI flows at the organization level.

7. Security controls

Our current security posture includes:

  • HTTPS-only delivery with HSTS and a strict Content Security Policy enforced via Firebase Hosting.
  • Firebase Authentication with custom-claim role-based access control for admin, manager, employee, and executive roles.
  • Firestore security rules enforced server-side, scoped per organization, with no client-side bypass.
  • Encryption at rest and in transit provided by Google Cloud infrastructure.
  • Sentry-based error monitoring with PII-scrubbing applied before transmission.
  • Code review on all changes; no direct pushes to production branches.
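
The list above states that Firestore rules are scoped per organization and that roles come from Firebase Authentication custom claims. The ruleset below is an added illustration of how that combination is typically expressed; it is not KPILoop's actual ruleset. The collection layout (organizations/{orgId}/kpis and organizations/{orgId}/reviews), the claim names orgId and role, and the subjectUid field on a review document are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Custom claims (orgId, role) are minted only by the Admin SDK on the
    // server (setCustomUserClaims) and arrive in request.auth.token, so a
    // client cannot forge them. Claim names here are assumptions.
    function signedIn() {
      return request.auth != null;
    }
    function inOrg(orgId) {
      // Absent claim -> evaluation error -> request denied.
      return signedIn() && request.auth.token.orgId == orgId;
    }
    function hasRole(roles) {
      return signedIn() && request.auth.token.role in roles;
    }

    // Every tenant document lives under its organization, so the orgId in
    // the path is compared against the orgId claim on every request.
    match /organizations/{orgId} {
      allow read: if inOrg(orgId);
      allow write: if inOrg(orgId) && hasRole(['admin']);

      match /kpis/{kpiId} {
        allow read: if inOrg(orgId);
        allow create, update: if inOrg(orgId) && hasRole(['admin', 'manager']);
        allow delete: if inOrg(orgId) && hasRole(['admin']);
      }

      match /reviews/{reviewId} {
        // Employees may read only the review about them (subjectUid is an
        // assumed field); managers, admins and executives read org-wide.
        allow read: if inOrg(orgId)
          && (hasRole(['admin', 'manager', 'executive'])
              || resource.data.subjectUid == request.auth.uid);
        allow write: if inOrg(orgId) && hasRole(['admin', 'manager']);
      }
    }

    // Rules are allow-only: anything not matched above is already denied.
    // This catch-all grants nothing and only documents the default.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats a reviewer would raise on rules like these. First, custom claims travel inside the ID token, which Firebase refreshes about once an hour, so a role removal or an organization change takes effect only after the user's token is refreshed or revoked server-side; the rules alone do not give instant revocation. Second, because rule evaluation is allow-only, every path that holds tenant data must sit under an organization-scoped match, since any collection left outside it is not covered by the orgId check. Rulesets in this shape can be exercised offline against the Firestore emulator with the @firebase/rules-unit-testing package, asserting that a user carrying one orgId claim is denied on another organization's documents.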

8. Reporting and contact

Report a security vulnerability or compliance concern to security@kpiloop.com. We respond to verified reports within two business days.

For privacy and data-subject requests, contact privacy@kpiloop.com.

See also: Privacy Policy · GDPR Notice · Terms of Service.
