People · Culture, careers, the firm

A small bench of senior privacy practitioners — and the standard we hold each other to.

The Veltrixair Privacy Unit is built deliberately small. Every engagement is led by someone who can sign their name to a regulator-facing document. There is no junior-staffed delivery model, no offshore back office, no analyst layer between the partner and the work.

01 — Culture

How the practice operates.

Six operating principles. They are not aspirational — they are the working contract between every member of the practice and every client engagement we accept.

01

Defensibility over decoration.

Every artefact we produce — a RoPA, a DPIA, a breach playbook — is written to survive a regulator's review, not to look good in a board pack. If it cannot defend itself in front of SDAIA, the DPDP Board or a UAE inspector, it does not leave the practice.

02

Senior delivery, by default.

No analyst layer. No "we'll have someone get back to you." The privacy counsel on the kickoff call is the privacy counsel writing the deliverable — and the one named in the DPO-as-a-Service mandate.

03

Jurisdiction-honest.

KSA PDPL is not GDPR. India DPDP Act is not the UAE law. We write to the actual local regulation in front of us — not to a generic "global privacy" template imported from a Western framework.

04

Quiet professionalism.

We do not publish client logos without permission. We do not name engagements in marketing material. The work speaks at the regulator's desk — not on a homepage carousel.

05

Plain language, always.

If a privacy notice cannot be read by a customer, it has failed. If a board memo cannot be read by a non-lawyer director, it has failed. Complexity is a craft problem — and our job is to absorb it on the client's behalf.

06

Long client relationships.

Privacy is not a one-time project. The DPOaaS retainer that started in year one is the one quietly handling the regulator notification in year four. We staff and price for the long arc — not the engagement quarter.

02 — Career

We are hiring practitioners, not headcount.

Open roles across Riyadh and the India practice. Every position is senior — minimum five years on the privacy side, with at least one named regulator engagement on the CV. If you are looking for a generalist compliance role, this is not the firm.

Don't see a role that fits? We keep a standing bench of associate counsel and fractional DPOs — write to careers@veltrixair.com with a short note on the regulator-facing work you've signed your name to.

03 — Meet the team

The practitioners on the work.

Six senior team members carry the weight of every active engagement. Each is named on at least one DPOaaS mandate. Each has signed off on a regulator submission in the last twelve months.

Tarique Ahmad

Chairman · VP, Data Protection & InfoSec Advisory

Practice lead. Owns the firm's privacy methodology end-to-end — and personally signs off every cross-border transfer assessment that leaves the practice.

Rehan Afzal

Co-Chairman & COO

Operational governance lead. Owns engagement SLAs, the cross-jurisdiction delivery model, and the firm's quality gate before any artefact leaves the practice.

Senior Privacy Counsel

Practice Lead — Regulatory Advisory

Named expert on SDAIA, UAE Data Office and DPDP Board engagements. Lead author on every regulator-response document the firm files.

DPIA Practice Lead

Senior Advisor — Risk Assessments

Heads the DPIA / PIA / TIA bench. Owns the firm's risk-rating methodology and the playbook for high-risk processing under KSA PDPL Article 19 and India DPDP Section 10.

Privacy Engineering Lead

Director — Privacy by Design

Engineering bench lead. Owns the consent-management deployment model, DSR automation patterns, and the technical control library used across enterprise clients.

Privacy Operations Lead

Director — DPOaaS Delivery

Runs the fractional DPO bench. Personally fronts retained DPO mandates for healthcare, edtech and hospitality clients across the GCC.

Work with the practice — or work at the practice.

Whether you are looking to brief us on a regulator-facing program, or you are a senior privacy practitioner looking for a firm that takes the work seriously — the conversation starts the same way.