PureBrain / Pure Technology · Prepared by Prodigy · April 9, 2026
PureBrain currently has significant compliance gaps across all three GCC jurisdictions (Qatar, KSA, UAE). The platform runs on Cloudflare Pages (US infrastructure) with Anthropic Claude API — neither configured for GCC data residency. There is no consent management system, no AI register, no audit trail infrastructure, and no human-override mechanism. Operating in the GCC without addressing these gaps exposes PureBrain to fines of $275K–$1.37M+ per violation (Qatar), SAR 20M+ (KSA), and direct civil litigation (UAE DIFC). The single highest-leverage first step is engaging GCC legal counsel immediately.

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Data localization: sensitive data on servers in Qatar | Cloudflare Pages (US CDN). Anthropic Claude API (US). | No Qatar data residency. All data processed in US. | Critical |
| Cloud provider must guarantee Qatari data residency | No contractual data residency guarantee in place. | Cloudflare and Anthropic have no GCC-specific residency SLA for PureBrain. | Critical |
| Explicit, purpose-bound consent mechanisms | No consent management system. Basic contact forms only. | No CMP (Consent Management Platform) deployed. | Critical |
| Consent must be revocable by end user | No revocation mechanism exists. | No consent withdrawal flow or preference center. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Mandatory AI register — ALL deployed AI systems documented | No AI register exists. | No inventory of AI systems, models, or use cases. | Critical |
| QCB pre-approval BEFORE any new AI deployment | No QCB engagement initiated. | Cannot deploy financial AI in Qatar without this. | Critical |
| High-risk AI: separate QCB authorization | No risk classification framework. | No classification methodology for AI risk levels. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| NCSA cybersecurity framework compliance | No NCSA audit or assessment completed. | No gap assessment against NCSA framework. | High |
| Expect audits — 100+ entities, 54K participants | No audit readiness posture. | No audit documentation, no designated security contact. | High |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| AI ethics guidelines (aligned with Islamic ethical principles) | No ethics documentation exists. | No ethics framework aligned with MCIT/Islamic principles. | Medium |
| Documentation of ethical compliance posture | None. | No ethics statement, policy, or audit trail. | Medium |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Full PDPL compliance (48 enforcement decisions in year one) | No PDPL compliance assessment done. | No data mapping, no processing records, no DPA. | Critical |
| Explicit, purpose-bound, revocable consent | No CMP deployed. | Same as Qatar — no consent system exists. | Critical |
| Data processing documentation and records (ROPA) | No records of processing activities. | ROPA does not exist. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| 108 mandatory cybersecurity controls | No ECC-2 assessment done. | Unknown how many of 108 controls are currently met. | High |
| All cybersecurity roles staffed by Saudi nationals (Saudization) | No KSA office or local staff. | Cannot fulfill Saudization requirement without local hire or partner. | High |
| Audit readiness for ECC-2 compliance | None. | No compliance documentation or evidence package. | High |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| AI explainability for credit/automated decision models — plain language | Claude API is a black-box LLM. No explainability layer. | Cannot explain AI decisions in plain language as required. | Critical |
| Human-in-the-loop: humans must be able to override any high-impact decision | No override mechanism in any PureBrain portal. | No human review queue or override button exists. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Fairness, accountability, transparency documented and demonstrable | No documentation exists. | No AI fairness assessment or accountability framework. | Medium |
| Determine which Data Embassy configuration applies (Private/Extended/Virtual) | Not assessed. | No determination of which configuration applies to PureBrain. | Medium |
| Sovereign data processing enclave (cross-border operations) | No sovereign enclave. | Cross-border data processing has no compliant enclave. | Medium |
| Monitor KSA Dedicated AI Law (in development) | Not tracked. | No monitoring assigned for SDAIA publications. | Low |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Compliance roadmap in place for Jan 2027 | No roadmap exists. | No plan, no timeline, no owner assigned. | High |
| Consent mechanisms aligned with federal requirements | No CMP. | Shared gap with Qatar/KSA — no consent system. | High |
| Data processing documentation | None. | No ROPA for UAE operations. | High |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Private right of action — data subjects can sue directly for damages incl. emotional distress | No litigation-ready data handling procedures. | Exposure to civil claims including emotional distress damages. | Critical |
| Extraterritorial jurisdiction — applies even if not physically in DIFC | No legal assessment of DIFC applicability. | Any UAE customer in the DIFC zone means the full DIFC rules apply. | Critical |
| Litigation-ready data handling and breach response procedures | No incident response plan. | No breach notification process, no legal counsel on retainer. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| 24-hour mandatory incident reporting capability | No incident detection or escalation pipeline. | Cannot meet 24-hour window without monitoring infrastructure. | Critical |
| Cyber risk framework compliance | No ADGM-specific assessment. | No compliance posture for ADGM. | High |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Age verification system for users under 18 | No age verification on any PureBrain product. | Cannot onboard UAE users without age verification gate. | Critical |
| Guardian/parental consent mechanism for users under 13 | None. | No parental consent flow exists. | Critical |
| Data handling differentiation for minors | Single data handling policy — no minor-specific controls. | No differentiation in data handling for users under 18. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Alignment with 12 guiding principles of UAE AI Charter (June 2024) | Not assessed. | No self-assessment against UAE AI Charter. | Medium |
| If operating across UAE free zones: comply with Federal PDPL + DIFC + ADGM simultaneously | Not assessed — no legal counsel mapping per jurisdiction. | Each has its own definitions, enforcement body, and penalties. No mapped counsel. | Critical |

| Requirement | Current State | Gap | Severity |
|---|---|---|---|
| Complete audit trail — always on, not generated on demand | No persistent audit logging across any PureBrain system. | No audit trail infrastructure of any kind. | Critical |
| Human override capability — actual button, not theoretical | No human override in any portal or AI workflow. | No override UI, no review queue, no escalation path. | Critical |
| Data residency proof — demonstrate which country holds which client's data RIGHT NOW | No data residency visibility. Cloudflare/Anthropic process globally. | Cannot demonstrate per-country data location. | Critical |
| Three separate consent frameworks operating simultaneously | Zero consent frameworks in place. | Need Qatar + KSA + UAE consent frameworks — none exist. | Critical |
| Risk classification for each AI system (high-risk vs. standard) | No risk classification system. | No AI risk register or classification methodology. | High |
| Pre-approval documentation ready for Qatar and KSA regulators | Not started. | No regulatory filings or pre-approval packages prepared. | Critical |
| No unified GCC playbook — each country tracked independently | No country-specific compliance tracking. | Single undifferentiated approach. Must split into 3. | High |
| Legal representation or registered agent in each jurisdiction | None confirmed in Qatar, KSA, or UAE. | No GCC legal representation in any jurisdiction. | Critical |

| Action | Jurisdiction |
|---|---|
| Cannot operate or file pre-approvals without legal presence. Find firms with GCC AI regulatory expertise. Budget for 3 separate retainers. | All 3 countries |
| All 44 gaps need a single internal owner. This person coordinates legal counsel and tech teams, and tracks progress per country. | All 3 countries |
| Document every AI system deployed across PureBrain products: model used, purpose, data inputs/outputs, risk level, jurisdiction. Required for QCB pre-approval in Qatar. | All 3 countries |
| Build or integrate a CMP with purpose-bound, revocable consent for Qatar (PDPPL), KSA (PDPL), and UAE (Federal PDPL + DIFC + ADGM) simultaneously. Each requires separate consent language and withdrawal flows. | All 3 countries |
| Deploy tamper-proof logging for all AI decisions, data access events, and user actions. Must be always-on — not generated on demand. Store per-jurisdiction. Required across all 3 GCC countries. | All 3 countries |
| Any AI-generated high-impact decision must have a human review step with an actual override capability. Deploy in all PureBrain portals. Required by Qatar QCB, KSA SAMA, and UAE ADGM. | All 3 countries |
| Evaluate Cloudflare for Business/Enterprise (UAE/KSA edge nodes), Azure UAE North, or AWS Bahrain. Get contractual data residency guarantees. Critical for Qatar (no exceptions allowed) and KSA. | Qatar, KSA |
| No deployment of financial AI in Qatar without QCB pre-approval. Prepare submission package: AI register, risk assessment, data residency proof, ethics documentation. Engage legal counsel before filing. | Qatar only |
| Data mapping, ROPA creation, gap analysis against all 48+ KSA enforcement precedents. Engage KSA-qualified legal firm. Output: full compliance gap report and remediation plan. | KSA only |
| Wrap Claude API responses with plain-language decision summaries. Log the explanation per transaction. Required by KSA SAMA for credit-scoring and automated decisions. Consider structured output formats. | KSA (SAMA) |
| Determine if any current/future UAE customers fall under DIFC jurisdiction (extraterritorial — does not require physical presence). Prepare breach response procedures and litigation-ready data handling policies. | UAE only |
| Deploy monitoring, alerting, escalation, and regulatory notification capability able to meet ADGM's 24-hour mandatory reporting window. Requires SecOps tooling and a designated incident owner. | UAE (ADGM) |
| Gate users under 18 with age verification. Parental consent flow for users under 13. Separate data handling policy for minors. Required by UAE Child Digital Safety Law (effective Jan 1, 2026 — already in force). | UAE only |
| Document all data processing operations: purpose, legal basis, data categories, recipients, retention periods, cross-border transfers. Separate ROPA for each jurisdiction. | KSA, UAE |
| Assess current state against all 108 mandatory KSA cybersecurity controls. Output: compliance percentage, prioritized remediation list, estimated effort. | KSA only |
| Either hire KSA-national cybersecurity staff locally or partner with a KSA-registered cybersecurity firm that fulfills the Saudization requirement on PureBrain's behalf. | KSA only |
| Assign owner, define milestones, allocate budget. Jan 2027 is achievable but requires starting now. Map all required changes: consent, ROPA, DPO assessment, data flows. | UAE only |
| No unified GCC playbook — each country has its own definitions, enforcement body, and penalties. Three independent trackers with their own milestones, owners, and status dashboards. | All 3 countries |
| Document alignment and gaps against each of the 12 UAE AI Charter guiding principles. Produces the ethics compliance posture required for UAE market entry. | UAE only |
| Document alignment with the MCIT ethics framework. Produces the ethics compliance documentation required for Qatar market entry and the QCB pre-approval submission. | Qatar only |
| Determine which of the three configurations (Private, Extended, Virtual) applies to PureBrain's cross-border operations. Engage legal counsel with SDAIA expertise. | KSA only |
| Document AI fairness methodology, accountability chain, and transparency mechanisms for KSA SDAIA requirements. Must be demonstrable — not just written policy. | KSA only |
| Assign tracking owner. Subscribe to SDAIA publications and regulatory announcements. When published, this law will create additional obligations beyond current requirements. | KSA only |
| Track potential future harmonization between the Council of Europe AI Treaty and GCC country frameworks. Could simplify multi-jurisdiction compliance if GCC countries ratify. | All 3 countries |
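The consent management action above calls for consent that is purpose-bound, revocable, and kept separately per jurisdiction. The following is an added illustration of that data model and its checks; it is not PureBrain code, and the jurisdiction codes (QA/SA/AE), notice versions and purpose names are assumed placeholders that counsel would replace.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed placeholder notice versions; the real consent text per jurisdiction comes from counsel.
NOTICE_VERSIONS = {"QA": "pdppl-v1", "SA": "pdpl-v1", "AE": "federal-pdpl-difc-adgm-v1"}


@dataclass
class ConsentRecord:
    user_id: str
    jurisdiction: str
    purpose: str          # the single purpose this consent covers
    notice_version: str   # the consent text the user actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentStore:
    def __init__(self):
        self.records = []

    def grant(self, user_id, jurisdiction, purpose, notice_version, now=None):
        # Consent only counts if it was given against the current notice for that jurisdiction.
        if NOTICE_VERSIONS.get(jurisdiction) != notice_version:
            raise ValueError(f"{notice_version} is not the current consent text for {jurisdiction}")
        rec = ConsentRecord(user_id, jurisdiction, purpose, notice_version,
                            now or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def withdraw(self, user_id, jurisdiction, purpose, now=None):
        """Revocation: close every live consent for this user, jurisdiction and purpose."""
        closed = 0
        for rec in self.records:
            if ((rec.user_id, rec.jurisdiction, rec.purpose) == (user_id, jurisdiction, purpose)
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = now or datetime.now(timezone.utc)
                closed += 1
        return closed

    def may_process(self, user_id, jurisdiction, purpose):
        """Purpose- and jurisdiction-bound check: consent given for one never covers another."""
        return any((rec.user_id, rec.jurisdiction, rec.purpose) == (user_id, jurisdiction, purpose)
                   and rec.withdrawn_at is None
                   and rec.notice_version == NOTICE_VERSIONS.get(jurisdiction)
                   for rec in self.records)
```

Every `grant` and `withdraw` should also be written to the audit trail so a regulator can see when consent existed, not just whether it exists now.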
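The audit trail and human override actions above ask for always-on, tamper-evident logging stored per jurisdiction and a real review step for high-impact AI decisions. This added example, not PureBrain's code, shows one way the two fit together: a per-jurisdiction hash chain written at event time, and a gate that holds high-impact outputs until a named reviewer accepts or overrides them. Jurisdiction codes, reviewer names and decision payloads are constructed placeholders.

```python
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # anchor for an empty per-jurisdiction chain

def _digest(prev_hash, event):
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only log with one hash chain per jurisdiction, written when the event happens."""
    def __init__(self):
        self.chains = defaultdict(list)  # jurisdiction -> [{"prev", "event", "hash"}, ...]

    def append(self, jurisdiction, event):
        chain = self.chains[jurisdiction]
        prev = chain[-1]["hash"] if chain else GENESIS
        chain.append({"prev": prev, "event": event, "hash": _digest(prev, event)})
        return chain[-1]["hash"]

    def verify(self, jurisdiction):
        """Recompute the chain; an edited, dropped or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.chains[jurisdiction]:
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True

class DecisionGate:
    """High-impact model outputs wait in a review queue until a human accepts or overrides them."""
    def __init__(self, log):
        self.log, self.pending, self._next_id = log, {}, 0

    def submit(self, jurisdiction, model_output, high_impact):
        decision_id, self._next_id = self._next_id, self._next_id + 1
        status = "pending" if high_impact else "final"
        self.log.append(jurisdiction, {"type": "ai_decision", "id": decision_id,
                                       "output": model_output, "status": status})
        if high_impact:
            self.pending[decision_id] = (jurisdiction, model_output)
        return {"id": decision_id, "status": status, "decision": None if high_impact else model_output}

    def review(self, decision_id, reviewer, override=None):
        # The reviewer either accepts the model output or replaces it; the log records which.
        jurisdiction, model_output = self.pending.pop(decision_id)
        final = model_output if override is None else override
        self.log.append(jurisdiction, {"type": "human_review", "id": decision_id, "reviewer": reviewer,
                                       "overridden": override is not None, "decision": final})
        return {"id": decision_id, "status": "final", "decision": final}
```

In production the chain head for each jurisdiction would be persisted in that jurisdiction's storage and periodically anchored (signed or written to a separate system) so that the log itself cannot be silently rewritten.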