Security & data residency

Sovereign by design.
Global by choice — never by accident.

Σigmix runs on the strongest cloud regions inside the Kingdom — Oracle, Google, Huawei and Alibaba — with a hard line between KSA‑Sovereign workloads that never leave the country and a Global tier you opt into, per tenant, with eyes open. Here is exactly where your data lives and how we keep it that way.

Talk to sales Enterprise deployments

In‑Kingdom data residency PDPL & SAMA aware Encrypted at rest & in transit RLS + app‑level isolation

The line that does not move

KSA‑Sovereign and Global are strictly separated.

This is the heart of how Σigmix is built. A sovereign workload and a global workload never share an inference endpoint, a region, or a data path. Which side a tool runs on is a deliberate choice — made per tenant, never silently.

KSA‑Sovereign

Everything stays inside the Kingdom.

For workloads that must be resident: prompts, outputs, files and inference all stay on in‑Kingdom infrastructure. Nothing crosses the border — by architecture, not by promise.

Examples: KSA Sovereign Gen‑AI on Cohere Command A at OCI Riyadh · KSA‑resident Meetings on self‑hosted LiveKit · sovereign storage and Postgres in‑region.

Inference on in‑Kingdom endpoints only
Data at rest stays in a KSA region
No fall‑through to a non‑resident provider

Global

Frontier capability, opted into explicitly.

When a tenant chooses reach over residency, the Global tier routes to frontier models and global infrastructure. It is clearly labelled as non‑resident — chosen on purpose, with the trade‑off stated up front.

Examples: frontier general‑purpose models for the Global Gen‑AI tier · Global Meetings on Cloudflare · best‑in‑class capability where residency is not required.

Explicitly marked non‑resident in the product
Per‑tenant opt‑in, never a default
Same isolation, billing and audit guarantees

No silent crossing between the two

Where Σigmix runs

Four world‑class clouds — with Saudi regions.

We deploy on Oracle Cloud, Google Cloud, Huawei Cloud and Alibaba Cloud — each chosen for a strength, and each with infrastructure inside the Kingdom so sovereign workloads have somewhere strong to live.

OCI

Oracle Cloud

me‑riyadh‑1 · Riyadh

Our sovereign anchor. The KSA region hosts in‑Kingdom inference — KSA Sovereign Gen‑AI runs on Cohere Command A served from OCI Riyadh, so sovereign prompts never leave the country.

Sovereign GenAI inference
Dedicated regions
Confidential compute
SOC / ISO programmes

GCP

Google Cloud

me‑central2 · Dammam

The platform‑core home. Cloud SQL Postgres and core services run in the Dammam region behind a load balancer — in‑Kingdom by default, with Google’s data‑residency and CMEK controls.

Cloud SQL Postgres
Data residency & CMEK
Global load balancing
SOC 2 / ISO 27001

Huawei Cloud

Riyadh KSA region

A second in‑Kingdom landing zone. Huawei’s Saudi region gives sovereign workloads diversified, locally‑operated compute and storage — useful for resilience and for tenants who require it.

In‑Kingdom region
Local operations
GPU compute
Resilience & diversity

ALI

Alibaba Cloud

Saudi Arabia region

Added reach inside the Kingdom. Alibaba’s Saudi region broadens our in‑Kingdom inference and capacity options, so we can place a sovereign workload on the provider that fits it best.

KSA region inference
Scalable capacity
OpenAI‑compatible routes
Compliance programmes

How we keep it that way

The controls behind the promise.

Residency is the headline — but it only holds because of the controls under it. These are part of the platform, enforced on every request and every surface.

Data residency

Sovereign data is pinned to a KSA region at rest and in flight — compute, Postgres and object storage all in‑Kingdom.

Postgres + storage in‑region
Inference never leaves the Kingdom
Region is a deliberate, recorded choice

Tenant isolation

Every tenant is fenced at two layers at once — there is no path that bypasses both.

Postgres Row‑Level Security policies
Application‑level company filtering
Per‑transaction tenant context, non‑superuser roles

Encryption

Strong encryption is on by default in both directions, with customer‑managed keys available for dedicated deployments.

AES‑256 at rest across data and backups
TLS in transit on every connection
Customer‑managed keys (BYOK) on dedicated

Credential handling

Provider keys never sit in plaintext. They are encrypted at rest and rotatable from the admin console without redeploying.

Encrypted provider credentials, never in code
Admin‑rotatable; revoked keys rejected at the broker
Everything behind adapters — no hardcoded endpoints

Compliance posture

Built to meet Saudi regulation head‑on — PDPL for personal data, SAMA‑aware for the financial pieces, ZATCA for invoicing.

PDPL‑aligned data handling & scrubbable PII
SAMA‑aware credit & billing model
ZATCA‑compliant bilingual tax invoicing

Audit & spend controls

Every action and money event is logged, and hard caps and rate limits apply identically on every surface — no backdoors.

Full, exportable audit trail
Caps & limits identical on web, API and MCP
No reservation, no metered work — ever

Your call, per tenant

You choose residency. Per tenant, in the open.

Some companies must stay sovereign for everything; others want frontier capability where the data allows it. Σigmix doesn’t decide for you — each tenant picks the tier, the choice is visible in the product, and a sovereign tool never quietly falls through to a global one.

Per‑tenant residency selection

KSA‑Sovereign tierAll data and inference stay inside the Kingdom. In‑Kingdom

Global tierFrontier models & global infra — non‑resident, opted into. Non‑resident

Dedicated sovereign hostingSingle‑tenant in‑Kingdom environment with BYOK. Enterprise

world‑class clouds, all with KSA regions

isolation layers — RLS and application‑level

100%

in‑Kingdom for sovereign workloads

silent crossings between sovereign & global

Run AI on your terms — sovereign or global.

Tell us your residency bar and the tools you need. We’ll map them onto the right tier and the right region, with the controls written down.