Architecture & security

Who uses it, what it connects to, what it produces, where every part of it runs — and the controls guarding each layer.

Solution architecture

How PrivacyOne fits into your organisation

Who uses it, what it connects to, what it produces — and where every part of it runs.

People

DPO officeOwns the privacy programme
Privacy analystHandles rights & records
AuditorRead-only assurance
AdministratorAccess & configuration

PrivacyOne platform

PrivacyOne Single system of record for personal-data protection & PDPL compliance
Discover & classify Govern & assess Serve rights Risk & breach Retain & dispose Report & prove

External

Data sourcesCRM · HR · network · cloud
SDAIARegulator & inspections
Data subjectsCustomers & employees
Email / SMTPAcknowledgements & alerts

Security by design

Defense in depth, layer by layer

Personal data sits at the centre. Every ring is an independent control that has to be passed.

  • NetworkHTTPS/TLS only · firewall, 443 exposed · reverse proxy · security headers
  • Platformsystemd isolation · managed secrets (0600) · patched OS · hosting inside the Kingdom
  • ApplicationTOTP MFA · JWT sessions · RBAC least-privilege · signed challenges
  • DataFernet field encryption · hashed passwords & backup codes · immutable audit log

The password step never issues a session

01Signed challenge, not a token

Email and password return a short-lived signed challenge that expires in five minutes and cannot call any API.

02Clock-correct TOTP

Six-digit codes are verified in UTC, so they match the authenticator app on any server timezone.

03Backup codes

Eight single-use recovery codes, stored hashed. Every verification is written to the audit log before the session is issued.

See your PDPL posture in a working system

Forty-five minutes, your own sample source, and a bilingual evidence pack you keep at the end of it.