Data Security Policy

This Data Security Policy outlines the principles, procedures, and controls implemented by Tawasul Communications (“Tawasul”, “we”, “us”, “our”) to ensure the confidentiality, integrity, and availability of all personal and organizational data processed or stored by the company. It is intended to support compliance with applicable laws and regulations, including the Saudi Personal Data Protection Law (PDPL) and other cybersecurity directives within the Kingdom of Saudi Arabia.

This policy applies to:

• All employees, contractors, and authorized third parties accessing Tawasul’s data or information systems
• All data, systems, platforms, and applications owned, controlled, or processed by Tawasul
• All forms of data (digital, physical, cloud-hosted, or on-premise)
   

All data handled by Tawasul is classified into the following categories:

• Public Data: Can be freely disclosed without ri
• Internal Data: Business-related data limited to internal use
• Confidential Data: Includes personal data, client data, or proprietary information
• Restricted Data: Highly sensitive data requiring special handling (e.g. health, biometric, financial data)
   

• Executive Management: Ensures sufficient resources and oversight for data security
• IT & Security Teams: Implement, maintain, and monitor security controls
• Employees & Contractors: Required to follow all data security practices
• Data Protection Officer (DPO): Oversees data governance and compliance with PDPL
   

• Access to systems and data is restricted based on user roles and business need
• Multi-factor authentication (MFA) is enforced for critical systems
• User accounts are reviewed periodically and deactivated if no longer required
   

• All personal and sensitive data is encrypted at rest and in transit using industry-standard encryption protocols (e.g. AES-256, TLS 1.2+)
• Secure data disposal practices are implemented for both physical and digital data
   

• Firewalls, intrusion detection and prevention systems (IDS/IPS), and anti-malware tools are deployed and regularly updated
• All servers and endpoints are monitored for unusual activity and vulnerabilities
   

• Access to Tawasul’s facilities is restricted and monitored
• Server rooms and data centers are secured with access control and surveillance systems
   

• Cloud providers are selected based on security certifications (e.g. ISO 27001, SOC 2)
• Vendor risk assessments and contractual Data Processing Agreements (DPAs) are mandatory
   

In the event of a data breach or suspected compromise:

• Immediate containment and investigation procedures will be triggered
• The Saudi Data & Artificial Intelligence Authority (SDAIA) will be notified without undue delay if the breach involves personal data
• Affected data subjects will be informed where required by law
   

All staff are required to:

• Complete mandatory security and data protection training annually
• Acknowledge their understanding of Tawasul’s data security responsibilities
• Report any suspicious behavior or incidents to the Security or Compliance team
   

• Regular internal and external audits are conducted to verify the effectiveness of our security controls
   
• Tawasul maintains full records of data processing and safeguards, in accordance with PDPL Article 29 and related regulatory guidance
   

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract. Legal action may also be taken in cases of negligence or intentional harm

This policy is reviewed annually or upon any significant change to our operations, legal requirements, or information systems. Updates will be approved by executive management and communicated to all stakeholders.