NEW: PDPL enforcement began September 2024. Encryption is built in automatically.

PDPL Compliance: Saudi Guest Data Privacy Built Into Every Profile

Saudi PDPL requires encrypted identity data storage, consent management, guest access rights, and data deletion. Sutahi implements all technical requirements automatically — no technical setup required from you.

Guest Data Protected (PDPL 2024):
- id_number_encrypted: AES encryption, no plaintext in the database
- id_number_hash: SHA-256 hash for indexed search without exposing the original
- access_logs: every access recorded and auditable
- RBAC: role-based access control
- Data export and deletion on demand

Six Core Requirements — All Implemented in Sutahi

PDPL sets six requirements on establishments processing personal data. Sutahi implements the technical side of every requirement.

Personal Data Encryption
ID numbers and passport data must be stored encrypted. No plaintext in the database.
Sutahi: AES encryption via Crypt::encrypt() + SHA-256 hash for indexed lookup
Consent Management
Explicit consent required before collecting and processing personal data.
Sutahi: Consent form integrated into check-in flow — timestamped and stored
Right to Access Data
The data subject (guest) has the right to view all their stored personal data.
Sutahi: Guest data export available on-demand — includes all profile data
Right to Erasure
The guest has the right to request deletion of their personal data when legally applicable.
Sutahi: Personal data deletion while retaining required compliance records — admin executes the request
72-Hour Data Breach Notification
Any security breach threatening personal data must be reported within 72 hours.
Sutahi: Auditable access logs accelerate detection and reporting
Data Minimization
Collect only the personal data that is necessary — no excessive collection.
Sutahi: Guest fields are scoped to only what Shomoos and ZATCA require

How Sutahi Stores Identity Data Securely

The ID number undergoes dual processing: encryption for secure storage, and hashing for fast lookup. Plaintext is never stored.

ID Number Encryption
id_number_encrypted — AES encryption via Laravel Crypt
Crypt::encrypt($idNumber)
SHA-256 Hash for Lookup
id_number_hash — indexed for fast lookup without exposing original
hash("sha256", $idNumber)
Secure Guest Lookup
Search via hash — original number never used in query
Guest::findByIdNumber($id)
Decryption Accessor
Decryption on-demand only — via protected accessor
$guest->id_number_decrypted
1. Staff enters the ID number
2. Sutahi encrypts and hashes it
3. Database stores only the ciphertext and the hash
4. Lookups run against the hash, never the original number
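The pattern described in this section, and the "Right to Erasure" step from the requirements list above, as an added example that is not Sutahi's own code. It is plain PHP so it runs without Laravel: Laravel's Crypt::encrypt() is stood in for by AES-256-GCM through openssl_encrypt(), the guests and access_logs tables are stood in for by in-memory arrays, and the keys, the guest record and the method names are constructed for illustration. One deliberate change from the page: the lookup hash is a keyed HMAC-SHA256 rather than an unkeyed hash("sha256", $idNumber). A Saudi ID number is ten digits, so there are only 10^10 possible inputs and anyone who can read the table can invert an unkeyed hash by enumeration; a key held outside the database closes that shortcut while keeping exact-match lookup.

```php
<?php
// Added example, not Sutahi's code. Keys, field names and the in-memory
// "tables" are assumptions; AES-256-GCM via openssl replaces Laravel's Crypt.
declare(strict_types=1);

const ENC_KEY  = 'constructed-32-byte-example-key!';  // 32 bytes = AES-256 key (assumption)
const HASH_KEY = 'constructed-separate-lookup-key!';   // independent secret for the lookup HMAC

function normalizeIdNumber(string $id): string
{
    // Hash lookups are exact-match, so strip whitespace and case first.
    return strtoupper((string) preg_replace('/\s+/', '', $id));
}

function encryptId(string $id, string $key = ENC_KEY): string
{
    $iv  = random_bytes(12);   // fresh nonce per record, so two equal IDs never share a ciphertext
    $tag = '';
    $ct  = openssl_encrypt($id, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Same shape as Laravel's encrypter payload: base64 of a JSON envelope.
    return base64_encode(json_encode(['iv' => base64_encode($iv),
                                      'tag' => base64_encode($tag),
                                      'ct' => base64_encode($ct)]));
}

function decryptId(string $payload, string $key = ENC_KEY): string
{
    $p  = json_decode(base64_decode($payload, true), true);
    $pt = openssl_decrypt(base64_decode($p['ct']), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          base64_decode($p['iv']), base64_decode($p['tag']));
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered ciphertext');
    }
    return $pt;
}

function lookupHash(string $id, string $key = HASH_KEY): string
{
    // Keyed hash: exact-match lookup stays possible, offline enumeration of 10^10 IDs does not.
    return hash_hmac('sha256', normalizeIdNumber($id), $key);
}

final class GuestRepository
{
    private array $rows = [];      // stands in for the guests table
    public array $accessLog = [];  // stands in for the access_logs table

    public function store(string $name, string $idNumber): int
    {
        $id = normalizeIdNumber($idNumber);
        $this->rows[] = ['name' => $name,
                         'id_number_encrypted' => encryptId($id),
                         'id_number_hash' => lookupHash($id)];
        return count($this->rows) - 1;
    }

    public function findByIdNumber(string $idNumber): ?int
    {
        $h = lookupHash($idNumber);  // the plaintext never reaches the query
        foreach ($this->rows as $i => $row) {
            if ($row['id_number_hash'] !== null && hash_equals($row['id_number_hash'], $h)) {
                return $i;
            }
        }
        return null;
    }

    public function idNumberDecrypted(int $i, string $actor): string
    {
        // Decrypt on demand only, and record who did it for the access audit trail.
        $this->accessLog[] = ['actor' => $actor, 'row' => $i, 'action' => 'decrypt_id', 'at' => date('c')];
        return decryptId($this->rows[$i]['id_number_encrypted']);
    }

    public function erasePersonalData(int $i, string $actor): void
    {
        // Right to erasure: blank the identity fields but keep the row and the audit
        // entries, so records ZATCA retention still requires remain intact.
        $this->rows[$i]['id_number_encrypted'] = null;
        $this->rows[$i]['id_number_hash']      = null;
        $this->accessLog[] = ['actor' => $actor, 'row' => $i, 'action' => 'erase_id', 'at' => date('c')];
    }
}

// Walkthrough with a constructed guest (the ID number is made up, not a real person).
$repo = new GuestRepository();
$i = $repo->store('Example Guest', '1012345678');
if ($repo->findByIdNumber(' 1012345678 ') !== $i) {
    throw new LogicException('lookup by normalised hash failed');
}
if ($repo->idNumberDecrypted($i, 'front-desk-01') !== '1012345678') {
    throw new LogicException('round trip failed');
}
$repo->erasePersonalData($i, 'admin-01');
if ($repo->findByIdNumber('1012345678') !== null) {
    throw new LogicException('guest still findable after erasure');
}
echo count($repo->accessLog), " audit entries retained after erasure\n";
```

Two design points worth keeping in mind when porting this to the real model: the HMAC key must be managed separately from the encryption key and from the database (a key in the same backup as the table gives an attacker both halves), and erasure must blank both columns, since leaving the hash in place keeps the guest findable and keeps a 10^10-sized target on disk.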

PDPL + ZATCA + Shomoos — Sutahi Balances All Three

PDPL requires data protection. ZATCA requires data retention for accounting. Shomoos requires sharing with government. Sutahi achieves the triple balance: encrypts what must be encrypted, shares what is legally required, retains what must be kept.

- PDPL: encrypt, obtain consent, honour the right to delete
- ZATCA: retain records for 6+ years
- Shomoos: share every guest ID with the MOI
Sutahi achieves the balance automatically: no conflict, no compromise on security.

What You Need to Do — and What Sutahi Does For You

Require consent at check-in (Sutahi handles it): Sutahi displays the consent form automatically; have the guest sign and it is archived.
Define the data retention period (Sutahi handles it): in Sutahi privacy settings, specify how many years you retain guest data (6 years minimum for ZATCA).
Appoint a Data Protection Officer (manual action required): if processing is large-scale, PDPL may require a DPO. This is a legal appointment, not a technical one.
Document access and deletion requests (Sutahi handles it): when a guest requests their data or its deletion, use Sutahi's admin panel to execute and document the request.


Guest Data Protected. Compliance Guaranteed. Every Booking.

Sutahi implements all PDPL technical requirements automatically: encryption, access logs, data export, and deletion. The technical controls are in place for your hotel from day one; the legal steps listed above (consent, retention policy, DPO) remain yours to complete.