Sub-Processors List | Al-Haddaj National

Last updated: 12 May 2026

Active Sub-Processors

Service: Email hosting, cloud storage, spreadsheets, Apps Script web app hosting
Data categories: Customer contact information, service records, booking data, service photographs, invoices
Location of processing: United States, European Union (Google multi-region)
Adequacy safeguards:
Google Cloud Data Processing Agreement executed
ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II certified
Saudi Arabia data-residency region available (multi-region configuration)
PDPL lawful basis: Article 29, contractual necessity for service delivery
Sub-processor page: https://cloud.google.com/terms/subprocessors

Service: Payment processing (card, mada, Apple Pay, STC Pay)
Data categories: Cardholder authentication tokens, transaction amounts, customer name, email, phone
Location of processing: Kingdom of Saudi Arabia (primary), with fallback infrastructure per SAMA requirements
Adequacy safeguards:
Saudi Central Bank (SAMA) licensed payment processor
PCI DSS Level 1 certified
Data Processing Agreement executed
PDPL lawful basis: Contractual necessity; SAMA regulatory obligation
Commitment: Moyasar's published policy states data is stored and processed locally within KSA
Privacy policy: https://moyasar.com/en/resources/privacy-policy/

Service: WordPress hosting for alhaddaj.com.sa
Data categories: Booking form submissions (transient), server access logs, website analytics
Location of processing: United States (Michigan)
Adequacy safeguards:
Data Processing Agreement executed
SOC 2 Type II, SSAE 18 compliant
PDPL lawful basis: Article 29, contractual necessity

الخدمات التالية ليست معالجين فرعيين لأنها لا تتلقّى بيانات شخصية من خوادم شركة الهدّاج الوطنية:

WhatsApp (Meta Platforms Inc.) — تستخدم شركة الهدّاج الوطنية روابط wa.me المباشرة التي تفتح تطبيق واتساب لدى العميل مباشرةً من جهازه. لا تُنقَل أي بيانات من خوادم شركة الهدّاج الوطنية إلى واتساب.

Anthropic (Claude API) — Claude API is used only for internal operational tools (inventory forecasting) with equipment/part numbers and no customer Personal Data. This flow is currently set to MANUAL mode and no customer data is processed by Claude.

Plausible Analytics B.V. — كان مُدرَجاً كمعالج فرعي في مسوّدات المستوى صفر المبكرة (١٢ أبريل ٢٠٢٦) للتحليلات المجمّعة دون ملفات تعريف الارتباط. غير مُثبَّت حالياً على الموقع. لا يُحمَّل أي سكربت لـ Plausible بواسطة alhaddaj.com.sa. إذا/عندما يتم تفعيل Plausible (أو أي منتج تحليلات)، سيعود هذا الإدخال إلى قائمة المعالجين الفرعيين النشطة أعلاه، وسيتم تحديث إشعار الخصوصية (القسم ١١) ليطابقه قبل نشر السكربت مباشرةً.

Date	Change	Reason
12 April 2026	Initial publication	Tier 0 PDPL compliance rollout
12 May 2026	Removed Plausible Analytics from active sub-processor list — not currently installed. Moved to "Notes on Transparency" pending future enablement.	Align public compliance docs with actual state during v1a attribution-capture deploy. No Plausible script loads on the live site; the Privacy Notice (Section 11) was updated to match.

Al-Haddaj National reviews all sub-processors at least annually and before any new engagement. Each review includes:

Confirmation of a signed Data Processing Agreement
Review of the sub-processor's security certifications (ISO 27001, SOC 2, PCI DSS as applicable)
Review of the sub-processor's data location and cross-border transfer safeguards
Review of any incidents or regulatory actions
Update of the relevant Transfer Impact Assessment

يمكن توجيه الأسئلة حول هذه القائمة إلى privacy@alhadaj.com.