Regulatory Sandbox Program

Regulatory Sandbox Program

Regulatory Sandbox Program

It is a regulatory support program launched by the Saudi Data & AI Authority (SDAIA). It aims to empower startups in the personal data protection field by allowing them to test and develop their technological solutions in a controlled environment. The program adheres to the highest local and global standards and best practices in privacy. It provides companies with the flexibility to develop their innovative technologies and solutions within a flexible regulatory framework for a specified period. This program promotes responsible innovation in personal data protection while ensuring that the rights and interests of individuals in the Kingdom are safeguarded in accordance with the Personal Data Protection Law.

 
We are pleased to announce that applications for the program will be received from 21 May 2025 until 30 June 2025.

  • The authorized person should log in to the Saudi Business Center Platform Click here.
  • Create a new Delegation and complete the necessary steps.
  • Select the Commercial Register for the entity.
  • Select (Saudi Data and Artificial Intelligence Authority “SDAIA”) as a service provider.
  • Select the name of service (representing and registering on National Data Governance Platform and completing procedures).

 

To complete the registration process for the SDAIA Sandbox, please follow the steps bellow:

  • Log in to the National Data Governance Platform
  • Click on the "Electronic Services" 
  • Select the SDAIA Sandbox Program
  • Click on "Start Service"
  • Sign in using the National Single Sign-On (Nafath).
  • choose one of the following options (Import delegations) or (Import Sole Proprietorships)
  • Select the private entity participating in the program.
  • Fill in the required information and submit the application

SDAIA Sandbox Guidelines

Download File

A regulatory sandbox is a program that allows businesses to test and develop innovative products, services, or applications under the oversight of a regulatory authority, within a defined timeframe and controlled environment.

The SDAIA Sandbox aims to foster innovation in Data Privacy, Privacy by Design, and Privacy Engineering using Privacy Enhancing Technologies (PETs), while ensuring compliance with KSA's Personal Data Protection Law.

Participants will benefit from having direct access to regulatory guidance, the ability to test compliance of their PETs solutions against privacy regulatory instruments, reduced cost of innovation, and potential reduction of time-to-market for their products/services.

Privacy by Design is a principle that integrates Data Privacy Principles into the core of a product/service to ensure proactive protection of user data. Privacy by Design is enabled by Privacy Engineering, which applies technical methods to implement Data Privacy and Privacy Enhancing Technologies (PETs), which are tools and techniques, like anonymization and Zero-Knowledge Proof, that safeguard data confidentiality and privacy.

Privacy by Design consists of seven key principles, which include proactive and preventative measures, privacy as the default setting, embedding privacy into system design, achieving full functionality without compromising privacy, enabling end-to-end security, transparency, and respect for user privacy. These principles ensure data privacy throughout the lifecycle of systems and processes.

The Sandbox welcomes applicants who fit the following eligibility criteria: 

  • The applicant is a KSA-based MSME/Startup/Entrepreneur.
  • The applicant has a working prototype of Privacy by Design, Privacy Engineering, or Privacy Enhancing Technologies (PETs) product/service. 
  • The use case should be ready to test. It should be in the Minimum Viable Product (MVP) stage with basic functionality.
  • The solution must be tested against the KSA’s PDPL and any supporting regulations.
     

Yes.  As the Sandbox is dedicated to Data Privacy and Privacy by Design, it is expected that use cases may have implications on personal data in line with the scope of the PDPL and its associated implementing regulations.
 

Once submitted, applications will be reviewed against the eligibility criteria. Successful applicants will proceed to the detailed assessment stage, where they will need to submit a comprehensive use case and test plans. Those who pass the assessment will be invited to join the Sandbox.
 

The process of evaluating and assessing the applications can take up to 45-60 days. Applicants will be able to track progress on the application portal.

Yes, potential applicants may apply to the SDAIA Sandbox even if they have previously participated in other sandboxes.

No, all intellectual property rights will remain with the participants.

No, the Sandbox will not be responsible for providing or assisting in procuring the data needed for testing at this time.

The Sandbox will not offer financial support, but participation is free of charge.

The Sandbox will not offer financial support, but participation is free of charge.

If a participant fails to comply with the terms and conditions outlined in their Letter of Acceptance (LoA), SDAIA reserves the right to terminate any testing plan and participation in the Sandbox.

Successful testing means the successful execution of the testing phase within the Sandbox, in full compliance with the terms and conditions stated in the Letter of Acceptance.

Upon the successful exit, participants will receive a certificate stating that they have successfully completed the testing of their product/solution or service against in-scope approved PDPL-related test cases.

Back Start Service