Security & data protection

Your data stays in Oman.

Tayf is built and hosted in Oman, around the Personal Data Protection Law (Royal Decree 6/2022). Data residency, a signed data-processing agreement, and privacy-by-design are part of every engagement — not an upgrade.

Where your data lives
Inside Oman
Your PMS exports, reports, evidence files
Databases & storage — hosted in-country
Encryption in transit · per-tenant separation
AI summarisation — aggregated & anonymised first
No names, no identifiers leave the country. Roadmap: inference moves in-country too.
PDPL — ROYAL DECREE 6/2022·SIGNED DPA, EVERY CLIENT·DATA RESIDENCY BY DEFAULT·CR 1657315 · MUSCAT
How we protect institutional data

Six commitments, in writing.

Hosted in Oman

Client data is stored in-country, supporting data-residency requirements for institutions and government-adjacent buyers.

Data-processing agreement

We sign a DPA with every client and act as a processor — handling data only for the agreed purpose.

Access & encryption

Encryption in transit, per-tenant separation and role-based access so people see only what they should.

Privacy-aware AI

Where AI summarises reports, data is aggregated and anonymised before any external processing.

PDPL-aligned

Built around Royal Decree 6/2022 — privacy notices, data-subject rights and breach response.

Sovereign roadmap

Our direction moves AI inference onto in-country infrastructure for fully local, sovereign processing.

Straight answers

What runs where — said plainly.

Procurement teams read every page. So here is the precise version, the one we'd want to read ourselves.

Client workloads — today

Your platforms, databases and files are hosted in Oman, under PDPL, with a signed DPA. Per-tenant separation, role-based access, encryption in transit. This is the default on every engagement — including Tayf Daily.

This website — for clarity

tayf.dev itself is a marketing site served from a global edge network for speed. It holds no client data. Contact-form submissions are delivered to us and covered by our privacy notice.

AI processing — today

Where AI writes summaries, figures are aggregated and anonymised before any external call — totals and variances, never names or identifiers. What the model sees could be printed in a newspaper without identifying anyone.

The roadmap — said honestly

Our direction is in-country inference on NVIDIA-powered servers — AI that never leaves Oman at all. We haven't deployed it in a project yet, and we won't claim it until we have.

Questions compliance teams ask.

Is Tayf compliant with the Omani PDPL?+

Tayf is built around the Omani Personal Data Protection Law (Royal Decree 6/2022). We sign a data-processing agreement with every client, provide privacy notices, and keep client data hosted in Oman. We act as a processor on your behalf and handle data only for the agreed purpose.

Where is my data stored?+

Client data is hosted in Oman. Data residency is a default, not an add-on — important for institutions and government-adjacent buyers who require their data to stay in-country.

How does Tayf use AI without exposing my data?+

Where AI models summarise reports, data is aggregated and anonymised before any external processing, and our roadmap moves inference onto in-country infrastructure for fully local AI.

Can we get this in writing for procurement?+

Yes — request the data note below: a one-page summary of hosting, the DPA, and how AI processing is handled, ready to attach to a procurement file.

Buying for an institution? Ask for the data note.

One page: hosting, the DPA, AI processing. Written for your compliance file, not for marketing.