PDPL Compliance for SaaS in Egypt

PDPL guide for SaaS and micro-SaaS founders with Egyptian customers. Controller vs processor, sub-processor lists, DPAs, residency questions, security baseline.

Frequently asked questions

Does PDPL apply if my company is in the US?

If you process the personal data of people in Egypt, yes. Headquarters location doesn't get you out of it.

We're 2 founders. Do we really need a DPA?

If you take Egyptian customer data, yes. Your customers will ask for one, especially when they're trying to comply themselves. A short, clean data processing agreement (DPA) is a competitive advantage, not an optional extra.

Can we use OpenAI / Anthropic for customer features?

Yes, as a named sub-processor with appropriate contractual safeguards (DPA, no training on customer data, retention limits). Disclose the use in your privacy notice and sub-processor list.

Do we have to host in Egypt?

No, not by default. PDPL allows transfers with appropriate safeguards under Article 14. Some regulated sectors push for residency in tenders, which is a commercial — not legal — decision.

How does this affect funding / due diligence?

Investors increasingly run privacy diligence. Having a DPA, a sub-processor list, and a basic record of processing activities (ROPA) in place removes a category of red flags before they show up in a data room.
