Projex Labs was founded in Saudi Arabia and built from day one to operate inside the PDPL / NCA / SDAIA / SFDA perimeter. We are literate in SAMA, CMA, ZATCA, and every authority our customers answer to. We are not retrofitting compliance onto a cloud-first architecture — we designed the architecture around compliance.
The principles
Our default deployment posture is in-kingdom. Hakeem (clinical AI) runs on hospital-premise edge nodes — zero data leaves the building. Gov-facing ventures are architected for in-kingdom data planes by default.
We speak PDPL, NCA, SDAIA, SFDA, SAMA, CMA, ZATCA natively. Our business-rule layer (BR-004) requires every product to name the exact regulatory framework it operates under.
Our product cores are open source. Independent auditors, security researchers, and government review teams can read the code. Trust that can be inspected is trust that scales.
We stay with what we build. Our equity model means we don't ship-and-leave. Long-horizon stewardship is priced into the engagement, not tacked on.
Frameworks we operate under
PDPL. Saudi Arabia's comprehensive data protection regime. Every Projex Labs product is architected to keep personal data in-kingdom and enforce lawful-basis processing by default.
NCA. Saudi Arabia's cybersecurity regulator for critical infrastructure. Our posture is NCA-aligned on identity, authentication, logging, and incident response.
SDAIA. The governing authority for national AI strategy and sovereign-AI procurement. We design for sovereign-AI preference, not against it.
SFDA. Regulator for medical devices and clinical AI. Hakeem is on the SFDA medical-device regulatory pathway by design.
SAMA / CMA / ZATCA. Rabbit (payments) is designed to align with SAMA on settlement, with CMA where capital-markets touch-points exist, and with ZATCA on e-invoicing.
IKTVA / RHQ. IKTVA local-content scoring (up to 30% procurement uplift) and the RHQ rule favor Saudi-HQ builders. Projex Labs is structurally eligible.
Compliance Posture
Every venture and product we build is designed from day one to operate within the regulatory boundaries our customers answer to. These are not badges earned by audit — they are architectural commitments made before a line of code is written.
PDPL (Royal Decree M/149). Saudi personal data stays in Saudi. Cross-border transfer rules are baked into the architecture.
NCA Essential Cybersecurity Controls (ECC) + Cloud Cybersecurity Controls (CCC). Not retrofitted — designed-in.
SDAIA: National Data Management Office (NDMO) standards and AI ethics framework. Our ventures ship aligned with the national data governance posture.
For fintech and payments ventures (e.g. Rabbit): SAMA sandbox alignment + anti-fraud + AML/KYC by construction.
For health ventures (e.g. Hakeem): SFDA registration pathway + clinical data handling aligned with PDPL + pharmacovigilance-aware design.
For commercial ventures: ZATCA e-invoicing (Fatoora) compliance baked into every B2B transaction.
Trust Center
Because sovereignty is designed-in, not audited-in, we maintain artefacts that are available on request — not locked behind an enterprise sales motion.
Every sovereignty + compliance decision is traced to an ADR visible on request.
Data-flow maps for every venture: where data lives, how it moves, who can access it, and how long it stays.
Incident response: NCA-aligned IR procedures, with a publicly readable structure and on-request specifics.
Every change traceable to a UC. Every UC traceable to a business rule. No black boxes.