The Ministry of Digital Economy and Entrepreneurship (MoDEE)  modernized its Sanad Application while ensuring compliance with national data protection and cybersecurity regulations. The solution adopted a modernized architecture with AWS managed services to meet strict data residency, security, and operational resilience requirements.

The Ministry of Digital Economy and Entrepreneurship (MoDEE) needed to modernize its Sanad App while ensuring strict compliance with national regulatory and cybersecurity requirements governing citizen data.

The modernization initiative was driven by several key regulatory frameworks that define how personal data must be collected, processed, protected, and stored. As a result, the primary challenge was to modernize the application architecture in a way that satisfies data residency, security, and regulatory compliance requirements, while maintaining high system availability, strong operational performance, and robust protection of sensitive citizen information.

Our solution involved delivering a new cloud deployment for the ministry’s application, modernizing the architecture to adopt a microservices-based approach utilizing services like Amazon Elastic Container Service and AWS Fargate. This architecture enabled improved scalability, operational efficiency, and easier lifecycle management of application components.

Following the design principle “Establish adequate security posture in line with data sensitivity levels” and the best practice “Make privacy the default setting,” the solution embedded privacy and data protection directly into the system architecture. All transacted data was classified according to sensitivity levels, and the corresponding security controls were automatically enforced.

This included implementing role-based access control through AWS Identity and Access Management, encryption in transit and at rest using AWS Key Management Service, and network isolation through Amazon Virtual Private Cloud with security groups. These controls ensured that sensitive citizen records were protected by default without requiring manual intervention.

Additionally, logging, monitoring, and data management workflows were implemented to allow the ministry to demonstrate compliance with the Personal Data Protection Law No. 24 of 2023 and the Cyber Security Law. This enabled proper governance of data-subject rights requests, access events, and incident response actions, ensuring alignment with the requirements of the National Cyber Security Center and the Personal Data Protection Unit.