Privacy Policy
- Introduction
Levers relies on digital technology and digitized information to support the business. Hence, it is critical to protect the associated Information Assets and IT systems from cyber threats.
Cyber Security is the application of technologies, processes, and controls to protect systems, networks, programs, devices, and data from Cyber Attacks. It aims to reduce the risk of Cyber Attacks and protect against the unauthorized exploitation of systems, networks, and technologies.
Cyber Security regulations have come into focus in the Kingdom of Saudi Arabia to address the Cyber Risks that companies face and the practices they can deploy to protect against and prevent them. The Levers board and senior management recognize these risks as critical business risks that need to be urgently addressed given their material impact.
At Levers, we understand the importance of your privacy and are committed to protecting your personal information. This Data Privacy and Protection Policy ("Policy") outlines how we collect, use, and safeguard your data when you use our services. We adhere to the highest security standards and strive for complete transparency regarding how we handle your information.
This Policy is designed to inform you of:
- The types of personal data we collect
- How we use your information
- Your rights and choices regarding your data
- Our commitment to data security
By using Levers services, you acknowledge and agree to the practices described in this Policy.
- Purpose
At Levers, we are committed to protecting your privacy and ensuring the security of your personal data. This Policy outlines how we collect, use, disclose, and safeguard your information when you use our services and platform. We believe transparency is key to building trust, and we strive to provide you with clear and concise information about our data practices. This Policy aligns with the Saudi Arabian Monetary Authority Cybersecurity Framework (SAMA CSF) to ensure your data is handled responsibly and in accordance with the highest security standards.
- Scope
This Data Privacy and Protection Policy ("Policy") applies to the collection, use, disclosure, and protection of personal data by Levers ("we," "us," or "our"). This Policy covers the personal data of all individuals who interact with Levers's services, products, website, applications, and mobile apps (collectively, the "Services").
This Policy is established in accordance with the Saudi Arabian Monetary Authority Cybersecurity Framework (SAMA CSF) and other applicable laws and regulations in the Kingdom of Saudi Arabia. It outlines our commitment to protecting your privacy and ensuring the security of your personal data.
- Enforcement and Compliance
Compliance with this Policy is mandatory, and all managers shall ensure continuous compliance monitoring within their departments. Compliance with the statements of this Policy is a matter of periodic review by the Cyber Security Department. Any violation will result in disciplinary Action by the Cyber Security Committee.
- Disciplinary Action on non-compliance
Disciplinary Action will depend on the severity of the violation, which the investigations will determine. However, the Human Resources Department shall take measures as deemed appropriate.
- Policy Management
Technological advances and changes in business requirements will necessitate periodic revisions to policies. Therefore, this Policy/Procedure may be updated to reflect changes or define new or improved requirements.
Deficiencies within this Policy shall be immediately communicated to the Cyber Security Department. Policy changes will require the approval of the CS Committee after evaluation from the Cybersecurity Department.
The changelog shall be kept current and updated as soon as any change has been made.
Why this policy exists.
This data protection policy ensures Levers:
- Complies with data protection law and follows good practice.
- Protects the rights of staff, customers, and partners.
- Is open about how it stores and processes individuals’ data.
- Protects itself from the risks of a data breach.
- The Data protection law
The Personal Data Protection Law (PDPL) describes how organizations must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Personal Data Protection Law (PDPL) is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully.
- Be obtained only for specific, lawful purposes.
- Be adequate, relevant and not excessive.
- Be accurate and kept up to date.
- Not be held for any longer than necessary.
- Be processed in accordance with the rights of data subjects.
- Be protected in appropriate ways.
- Not be transferred outside The Kingdom of Saudi Arabia (KSA), unless that country or territory also ensures an adequate level of protection.
8. The broad categories to audit for crucial cybersecurity threats
- Management
- Company security policies in place
- Security policies written and enforced through training.
- Computer software and hardware asset list
- Data classified by usage and sensitivity.
- Established chain of data ownership
- Employees
- Training on phishing, handling suspicious emails, and social engineering hackers.
- Password training and enforcement
- Training on dealing with strangers in the workplace.
- Training on carrying data on laptops and other devices and ensuring the security of this data
- All security awareness training passed and signed off, ensuring that all employees not only understand the importance of security but are active guardians of security.
- Ensure that secure Bring Your Own Device (BYOD) plans are in place.
- Business practices
- Emergency and cybersecurity response plans
- Determine all possible sources of business disruption and cybersecurity risk.
- Plans in place to lessen business disruptions and security breaches.
- Emergency disaster recovery plans in place
- Alternative locations for running a business in case of emergencies or disruptions.
- Redundancy and restoration paths for all critical business operations
- Test the restoration and redundancy plans.
- IT Department
- System hardening plans.
- Automated system hardening on all operating systems on servers, routers, workstations, and gateways.
- Software patch management automated
- Security mailing lists
- Regular security audits and penetration testing
- Anti-virus software installed on all devices with auto-updates.
- A systematic review of log files and backup logs to make sure there are no errors.
- Remote plans in place, as well as policies regarding remote access
- Physical security
- Lock servers and network equipment.
- Have a secure and remote backup solution.
- Make sure keys for the network are in a secure location.
- Keep computers visible.
- Use locks on computer cases.
- Perform regular inspections.
- Prevent unauthorized users from entering the server room or even the workstation areas.
- Security camera monitoring system
- Keycard system required for secure areas.
- Secure Data Policy in place and ensure users understand the Policy through training.
- Secure trash dumpsters and paper shredders to prevent dumpster diving.
- Secure data
- Encryption enabled wherever required.
- Secure laptops, mobile devices, and storage devices
- Enable automatic wiping of lost or stolen devices.
- Secure Sockets Layer (SSL) in place when using the Internet to ensure secure data transfers.
- Secure email gateways ensuring data is emailed securely.
- Active monitoring and testing
- Regular monitoring of all aspects of security
- Regularly scheduled security testing
- External penetration testing to ensure your staff hasn't missed something.
- Scanning for data types to make sure they are secure and properly stored.