A CRM purchase is also a data-processing decision
When you sign a CRM contract, you're not just buying software — you're appointing a data processor under the UAE Personal Data Protection Law. Your DPO is going to ask the questions below at some point. Better to ask them during procurement than during an audit.
The 12 questions
- Where is our data hosted? Get a country and a data-center provider. Vague answers ("the cloud") fail PDPL.
- Can we get UAE residency? If yes, at what tier? If no, what's the cross-border transfer mechanism?
- What does your standard DPA look like? Ask for the template before you sign the order form, not after.
- Who are your sub-processors? Get a written list with the country and purpose of each.
- How do you handle a Subject Access Request (SAR)? Can the customer fulfill it in the admin UI, or do they need to file a ticket?
- What's your breach-notification commitment? PDPL gives you 72 hours to notify the regulator. A vendor that commits to "best effort" doesn't help you meet that.
- What lawful-basis fields does your system capture? The lawful basis (consent, contract, or legitimate interest) should be recorded on every record, not assumed account-wide.
- Can data be cryptographically deleted from backups? Some vendors only soft-delete. The PDPL right to erasure usually requires hard deletion, including from backup copies.
- What's your audit-log retention? How long are logs kept, who can read them, and can the customer export them?
- Do you train staff on PDPL specifically? Generic "security awareness" is not the same thing.
- Are you certified or attested by an independent party? SOC 2 Type 2, ISO 27001, or pending — the truth matters here.
- Will you sign a controller-to-processor DPA without modification? If the answer is "only on enterprise," that tells you something.
What a good answer looks like
Honest, specific, and willing to put commitments in the DPA. Vague answers, marketing-deck answers, or "we'll figure it out at the contract stage" answers are warning signs.
For SOOMA AI's specific answers to all 12 questions, see the PDPL-compliant CRM page.