Pre-launch draft. Edah AI is preparing for commercial launch. This document is published in good faith as a draft of the terms that will apply to the service. Final, binding versions will be issued before the service is made available for paid use. Items shown in square brackets, such as [Effective Date] or [Legal Entity Name], will be completed prior to launch.
Last updated: [Effective Date]
This page sets out the compliance program of Edah AI and the Data Processing Agreement ("DPA") that forms part of the Edah AI Terms of Service. It is structured in two parts. Part A describes how the Edah AI platform is built to meet UAE regulatory requirements. Part B is the DPA that governs Edah AI's processing of personal data on behalf of customers.
Part A. Compliance program
A.1 PDPL alignment
Edah AI is built to operate within the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "PDPL") and the implementing regulations published by the UAE Data Office.
Lawful bases for processing are configurable per scenario and per campaign, with the platform recording the basis used for each interaction.
Data subject rights (access, correction, erasure, restriction, portability, objection, withdrawal of consent) are first-class workflows in the tenant dashboard.
Consent capture is timestamped, channel-tagged, and written to a tamper-evident audit chain.
A.2 TDRA outbound compliance
All outbound calls are validated by a pre-dial compliance gate against 18 parameters in the synchronous dial path, including consent, calling windows in the recipient's local timezone, public holidays, Do-Not-Call lists (national and tenant), caller-ID ownership, and scenario attestation. A call that fails any check is not placed, and the rejection is logged.
A.3 Data residency
All voice data (audio, transcripts, embeddings, derived PII, and audit records) is stored and processed inside the United Arab Emirates on infrastructure approved for PDPL workloads. Data does not leave the country during normal Service operation.
A.4 Tamper-evident audit chain
Every compliance-relevant event (consent capture, pre-dial gate decisions, dial, hangup, recording, knowledge base lookups, tool calls, transfers, deletions) is written as an audit row with a cryptographic hash that includes the hash of the previous row. Any modification of past records is immediately detectable.
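The row-to-row hash linking described in A.4, as an added Python example that is not Edah AI's code. SHA-256, canonical JSON serialisation, the all-zero genesis value, the event field names, and a head hash held outside the audit table are all assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row

def row_hash(prev_hash, event):
    # Canonical JSON: identical events always serialise to identical bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev, "hash": row_hash(prev, event)})
    return chain[-1]["hash"]  # new head; keep a copy outside the table

def verify(chain, expected_head=None):  # -> (ok, index of first bad row or None)
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev or row["hash"] != row_hash(prev, row["event"]):
            return False, i
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)  # rows missing or replaced at the tail
    return True, None

# Constructed sample events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"type": "consent_capture", "ts": "2025-01-06T09:00:00+04:00", "channel": "web"},
    {"type": "pre_dial_gate", "ts": "2025-01-06T21:30:00+04:00", "decision": "reject"},
    {"type": "pre_dial_gate", "ts": "2025-01-07T10:00:00+04:00", "decision": "allow"},
    {"type": "dial", "ts": "2025-01-07T10:00:01+04:00"},
]

def demo():
    chain = []
    head = [append(chain, e) for e in SAMPLE_EVENTS][-1]
    edited = copy.deepcopy(chain)
    edited[1]["event"]["decision"] = "allow"  # rewrite a past gate decision
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = row_hash(rehashed[1]["prev_hash"], rehashed[1]["event"])
    return {
        "clean": verify(chain, head),
        "edited": verify(edited, head),         # stored hash no longer matches
        "rehashed": verify(rehashed, head),     # next row's prev_hash breaks
        "truncated_no_head": verify(chain[:-1]),
        "truncated": verify(chain[:-1], head),  # caught only via external head
    }

print(demo())
```

In this example, an edit to a past row is caught wherever verification runs over the chain, while removal of the most recent rows is caught only because the verifier compares against a head hash stored separately from the rows.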
A.5 PII redaction
Personal data identifiable to End Users (names, contact details, identification numbers, account numbers, payment data, medical and financial references) is redacted by default in persistent transcripts and audit records. The redaction model can be extended with tenant-specific patterns.
A.6 Encryption
Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or an equivalent industry standard. Key management follows separation of duties between the platform operator and the data owner where the law or contract requires it.
A.7 Access control and tenant isolation
Access to the platform is gated by role-based access control with multi-factor authentication for administrative roles. Tenant data is isolated at the database level (row-level security) and at the vector store level (tenant-scoped indexing). Cross-tenant data access is structurally prevented, not merely filtered by application code.
A.8 Incident response
Edah AI maintains a documented incident response process with defined severity tiers, on-call rotation, and customer notification commitments. Confirmed personal data breaches are notified to the data controller without undue delay and in any event within 72 hours of confirmation, with the information needed for the controller to meet its own notification obligations.
A.9 Certification roadmap
Edah AI is committed to achieving recognised security certifications appropriate to its scale and customer base, including ISO/IEC 27001 and SOC 2 Type II. Target dates and current status will be published on this page following commercial launch.
Part B. Data Processing Agreement
B.1 Scope and roles
This DPA applies when Edah AI ("Processor") processes personal data on behalf of the Customer ("Controller") in the course of providing the Service. The Controller determines the purposes and means of the processing. The Processor processes personal data only on the documented instructions of the Controller, except where required by law.
B.2 Definitions
Capitalised terms used and not otherwise defined have the meaning given to them in the PDPL or in the Edah AI Terms of Service. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed under this DPA.
B.3 Subject matter and duration
The subject matter of the processing is the operation of the Service for the Controller. The duration is the term of the Controller's subscription to the Service, plus any post-termination period required to return or delete personal data.
B.4 Nature and purpose
The nature of the processing covers the collection, storage, transcription, analysis, voice synthesis, integration, and audit of communications and related data processed in the Service. The purpose is to provide the conversational voice AI service to the Controller.
B.5 Categories of data and data subjects
Personal data may include: contact identifiers (name, phone number, email), conversation content (audio, transcripts), interaction metadata (timestamps, outcomes, language), commercial data (booking and order details), and any other data the Controller chooses to process through the Service. Data subjects include the Controller's users, the Controller's customers, and any other individuals who interact with a voice agent.
B.6 Confidentiality
Edah AI ensures that personnel authorised to process personal data are bound by confidentiality obligations and have received training appropriate to their role. Access to personal data is limited on a need-to-know basis.
B.7 Security measures
Edah AI applies the technical and organisational measures described in Part A of this page. The Controller acknowledges those measures are appropriate to the risks of the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.
B.8 Sub-processors
The Controller authorises Edah AI to engage sub-processors to support the Service. The current list of sub-processors is published on the Edah AI Subprocessors page. Edah AI will give the Controller at least 30 days' prior written notice of any addition or replacement of a sub-processor, during which the Controller may object on reasonable data protection grounds. Edah AI imposes data protection obligations on each sub-processor that are no less protective than those in this DPA.
B.9 Data subject rights
Edah AI will provide reasonable assistance to the Controller, through tools in the dashboard and documented APIs, in enabling the Controller to fulfil requests from data subjects to exercise their rights under the PDPL and other applicable law.
B.10 Audits and information
Edah AI will make available to the Controller the information necessary to demonstrate compliance with this DPA. On reasonable prior written request and subject to confidentiality, Edah AI will permit audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Where audit rights can be satisfied by an independent third-party report (for example, SOC 2 or ISO/IEC 27001), Edah AI may discharge its audit obligation by providing such report.
B.11 Personal data breach notification
Edah AI will notify the Controller without undue delay, and in any event within 72 hours of confirmation, of any Personal Data Breach affecting the Controller's personal data. The notification will include the information reasonably available to Edah AI to assist the Controller with its own notification and mitigation obligations.
B.12 Return and deletion
At the choice of the Controller, Edah AI will return or delete all personal data after the end of the provision of the Service relating to processing, and delete existing copies, unless retention is required by law. Default deletion windows are set out in the Privacy Policy.
B.13 International transfers
Where Edah AI or a sub-processor processes personal data outside the UAE, the transfer is governed by a mechanism recognised under the PDPL, including adequacy determinations issued by the UAE Cabinet, contractual safeguards approved or accepted by the UAE Data Office, binding corporate rules, or other measures permitted by the law. The mechanism applicable to each sub-processor is noted on the Subprocessors page.
B.14 Governing law
This DPA is governed by the federal laws of the United Arab Emirates and is subject to the dispute resolution mechanism set out in the Edah AI Terms of Service.
Contact
Privacy and data protection: privacy@edah.ai
Security disclosures: security@edah.ai
Legal and commercial: legal@edah.ai
Website: edah.ai
