Sub-Processors List — Al-Haddaj National

This is the public list of third parties that process Personal Data on behalf of Al-Haddaj National. It is linked from the Privacy Notice (Section 7) and must be kept current. Any addition of a new sub-processor triggers a Transfer Impact Assessment (TIA) update and, if the change is material, notification to customers.

قائمة المعالجين الفرعيين | Sub-Processors List

Last updated / آخر تحديث: 12 May 2026

1. Google LLC (Google Workspace)

• Service / الخدمة: Email hosting, cloud storage, spreadsheets, Apps Script web app hosting
• Data categories / فئات البيانات: Customer contact information, service records, booking data, service photographs, invoices
• Location of processing / موقع المعالجة: United States, European Union (Google multi-region)
• Adequacy safeguards / ضمانات الحماية:
• Google Cloud Data Processing Agreement executed
• ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II certified
• Saudi Arabia data-residency region available (multi-region configuration)
• PDPL lawful basis / الأساس النظامي: Article 29, contractual necessity for service delivery
• Sub-processor page: https://cloud.google.com/terms/subprocessors

2. Moyasar Financial Company

• Service / الخدمة: Payment processing (card, mada, Apple Pay, STC Pay)
• Data categories / فئات البيانات: Cardholder authentication tokens, transaction amounts, customer name, email, phone
• Location of processing / موقع المعالجة: Kingdom of Saudi Arabia (primary), with fallback infrastructure per SAMA requirements
• Adequacy safeguards / ضمانات الحماية:
• Saudi Central Bank (SAMA) licensed payment processor
• PCI DSS Level 1 certified
• Data Processing Agreement executed
• PDPL lawful basis / الأساس النظامي: Contractual necessity; SAMA regulatory obligation
• Commitment: Moyasar’s published policy states data is stored and processed locally within KSA
• Privacy policy: https://moyasar.com/en/resources/privacy-policy/

3. A2 Hosting, Inc.

• Service / الخدمة: WordPress hosting for alhaddaj.com.sa
• Data categories / فئات البيانات: Booking form submissions (transient), server access logs, website analytics
• Location of processing / موقع المعالجة: United States (Michigan)
• Adequacy safeguards / ضمانات الحماية:
• Data Processing Agreement executed
• SOC 2 Type II, SSAE 18 compliant
• PDPL lawful basis / الأساس النظامي: Article 29, contractual necessity

Notes on Transparency

The following services are not sub-processors because they do not receive Personal Data from Al-Haddaj National servers:

• WhatsApp (Meta Platforms Inc.) — Al-Haddaj National uses wa.me deep links that open the customer’s WhatsApp directly from their own device. No data is transmitted from Al-Haddaj National servers to WhatsApp.

• Anthropic (Claude API) — Claude API is used only for internal operational tools (inventory forecasting) with equipment/part numbers and no customer Personal Data. This flow is currently set to MANUAL mode and no customer data is processed by Claude.

• Plausible Analytics B.V. — Was listed as a sub-processor in early Tier 0 drafts (12 April 2026) for aggregated cookieless analytics. Not currently installed on the website. No Plausible script is loaded by alhaddaj.com.sa. If / when Plausible (or any analytics product) is enabled, this entry will move back to the active sub-processor list above and the Privacy Notice (Section 11) will be updated to match before the script ships live.

Change Log

How We Review Sub-Processors

Al-Haddaj National reviews all sub-processors at least annually and before any new engagement. Each review includes:

1. Confirmation of a signed Data Processing Agreement
2. Review of the sub-processor’s security certifications (ISO 27001, SOC 2, PCI DSS as applicable)
3. Review of the sub-processor’s data location and cross-border transfer safeguards
4. Review of any incidents or regulatory actions
5. Update of the relevant Transfer Impact Assessment

Questions about this list may be directed to privacy@alhadaj.com.