Built sovereign.
Trusted by design.
Σigmix is a new, Arabic‑first platform built for the Kingdom — so trust isn’t a badge we bought, it’s how the system is put together. We earn it the honest way: with architecture you can inspect. Here is exactly how your data is hosted, isolated, encrypted and accounted for — and where we are on the compliance road.
Trust you can read in the architecture.
No marketing seals here — just the controls that hold the platform together, enforced on every request and every surface.
Data residency
Sovereign workloads are hosted entirely inside the Kingdom — on Saudi cloud regions from Oracle, Google, Huawei and Alibaba. Customer data never leaves Saudi Arabia.
- Compute, Postgres and object storage all in‑region
- Inference on in‑Kingdom endpoints for sovereign tiers
- No silent fall‑through to a non‑resident provider
Tenant isolation
Every company is fenced at two layers at once. There is no code path that bypasses both — a request that escapes one is still stopped by the other.
- PostgreSQL Row‑Level Security on every table
- Application‑level company filtering on every request
- Non‑superuser DB roles, tenant context set per transaction
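The three controls listed above, shown together as an added PostgreSQL example that is not Σigmix's own schema or code. The table `invoices`, the role `app_user`, the setting name `app.company_id` and the sample UUID are assumptions chosen for illustration.

```sql
-- Added example. All names (invoices, app_user, app.company_id) and the
-- sample UUID are assumptions, not taken from the platform.

-- Application role: not a superuser and no BYPASSRLS, so policies always bind it.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE invoices (
    id         bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    company_id uuid          NOT NULL,
    total_sar  numeric(12,2) NOT NULL
);

-- ENABLE switches policies on; FORCE applies them to the table owner too.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE  ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the setting was never set, and a
-- custom setting can read back as '' after a transaction-local value expires.
-- NULLIF maps both cases to NULL, so a missing context matches no rows
-- instead of raising a cast error or matching everything.
CREATE POLICY tenant_isolation ON invoices
    USING      (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid)
    WITH CHECK (company_id = NULLIF(current_setting('app.company_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

-- One request, run as app_user. The third argument (true) makes the setting
-- transaction-local, so it cannot leak to the next request on a pooled connection.
BEGIN;
SELECT set_config('app.company_id', '11111111-1111-1111-1111-111111111111', true);

-- Second layer: the application still filters by company explicitly
-- (a bound parameter in real code), independent of the policy.
SELECT id, total_sar
  FROM invoices
 WHERE company_id = '11111111-1111-1111-1111-111111111111';

-- WITH CHECK rejects a write that names another tenant's company_id.
INSERT INTO invoices (company_id, total_sar)
VALUES ('11111111-1111-1111-1111-111111111111', 250.00);
COMMIT;

-- Outside a transaction that set the context, the policy predicate is NULL
-- and the role sees no rows at all.
SELECT count(*) FROM invoices;
```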
Encryption
Strong encryption is the default in both directions, and secrets never sit in plaintext anywhere in the platform.
- TLS in transit on every connection
- Encryption at rest across data and backups
- Provider keys encrypted & admin‑rotatable — never in code
Identity & accounts
Sign‑in is hardened from the password up. One email is one identity that can belong to many companies, without ever crossing tenant lines.
- Argon2id password hashing
- Secure, server‑side sessions with sign‑in throttling
- Optional two‑factor authentication
Billing integrity
The money core can’t be talked into an overdraft. You buy prepaid credits, and every metered action reserves before it runs and settles to the real cost afterwards.
- Prepaid, non‑cash credits — no surprise bills
- Reserve‑then‑settle: hold the max, charge the actual
- No reservation, no work — and no overdraft, ever
Compliance posture
We build to meet Saudi regulation directly. We’re a new platform and we say so plainly: formal certifications are in progress — we do not claim ones we don’t yet hold.
- ZATCA‑aware bilingual e‑invoicing
- Aligning data handling with the Saudi PDPL
- Independent certifications: in progress, not yet held
In‑Kingdom, on sovereign cloud.
Sovereign workloads run on Saudi regions of four world‑class clouds — each picked for a strength, all with infrastructure inside the Kingdom. Your data has somewhere strong to stay, and it stays there.
Oracle Cloud
Riyadh · in‑Kingdom inference
Our sovereign anchor — KSA‑resident inference, so sovereign prompts and outputs never leave the country.
Google Cloud
Dammam · platform‑core home
Managed Postgres and core services in the Dammam region, in‑Kingdom by default with strong data‑residency controls.
Huawei Cloud
Saudi region
A second in‑Kingdom landing zone — diversified, locally‑operated compute and storage for resilience.
Alibaba Cloud
Saudi region
Added in‑Kingdom reach and capacity, so we can place a sovereign workload on the provider that fits it best.
Responsible disclosure.
Security is a partnership. If you believe you’ve found a vulnerability, we want to hear from you — and we’ll work with you to fix it.
Report a security issue
Email us with the details and steps to reproduce. Please give us reasonable time to investigate and remediate before any public disclosure — and please don’t access, modify or exfiltrate data that isn’t yours.
contact@sigmix.ai
Ready to build on a platform you can trust?
Pick the tools you need and run them on sovereign, in‑Kingdom infrastructure — with the controls written down, not promised.