SOOMA AI
Trust & compliance

The UAE PDPL-compliant CRM — what your DPO needs to sign off.

The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) sets explicit obligations on controllers and processors who handle personal data of residents. SOOMA AI is built around those obligations from day one — not retrofitted, not "compliance posture available on enterprise."

Important. This page describes how SOOMA AI is designed and the controls we apply. It is not legal advice. Your DPO is the right person to confirm whether your specific data flows meet PDPL obligations. We're happy to join that conversation.

What the UAE PDPL actually requires

PDPL applies to any organization that processes personal data of UAE residents, regardless of where the organization is based. The headline obligations:

  • Lawful basis for every processing activity (consent, contract, legal obligation, vital/public interest, legitimate interest).
  • Data subject rights — access, correction, deletion, portability, objection, right not to be subject to solely automated decisions.
  • Controller / processor separation with explicit data-processing agreements.
  • 72-hour breach notification to the UAE Data Office and affected data subjects.
  • DPIA (Data Protection Impact Assessment) for high-risk processing.
  • Cross-border transfer restrictions — out-of-country transfers need adequacy, SCCs, or explicit consent.

How SOOMA AI maps to each obligation

Lawful basis & consent capture

Every lead in SOOMA carries a lawful-basis field (consent / contract / legitimate interest), and consent captures are timestamped at the source — webform, WhatsApp opt-in, in-person QR. Consent withdrawal is a one-click operation that propagates through sequences and automations immediately.

Data subject rights — automated workflows

Access, correction, deletion, and portability requests are first-class flows in the platform admin. A DPO can fulfill a Subject Access Request (SAR) without engineering involvement: search by email or phone, export a portable JSON + CSV bundle, log the fulfillment in the audit trail. Deletion is cryptographic — the record is unrecoverable from backups after the standard retention window.

Controller / processor separation

You are the controller. SOOMA AI is the processor. We sign a Data Processing Agreement (DPA) on contract, and the DPA enumerates the processing activities we perform, the sub-processors we use, the retention windows, and the breach-notification chain.

72-hour breach notification

If a breach occurs in our environment, we commit to notifying the controller (you) within 24 hours of detection so you have time to meet your 72-hour obligation to the Data Office. We provide a templated notification packet — incident summary, affected data subjects, mitigations, evidence — that you can forward to the regulator.

DPIA documentation

For high-risk processing (AI lead scoring, automated communications, cross-border field reps), we provide a DPIA template scoped to the SOOMA processing activities. Your DPO completes the context-specific sections; the rest is pre-filled with our technical and organizational measures.

Cross-border transfers & data residency

On the Diamond plan, SOOMA AI runs in a UAE-resident environment (Supabase regional + Vercel edge-locked) — no personal data leaves the country. On Bronze, Silver, and Gold, processing happens in a regional EU/UAE blend; if your DPO requires UAE-only residency before signing, that's a Diamond requirement.

Other controls worth mentioning

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Role-based access control (RBAC) with four levels: super admin, admin, manager, rep.
  • Row-level security on every multi-tenant query — reps see only their own leads.
  • Audit log retained for 12 months on Silver+ and 7 years on Diamond.
  • Quarterly penetration tests on the API and web app.
  • SOC 2 Type 1 readiness in progress — target attestation Q4 2026.

What we don't claim

We don't have SOC 2 Type 2 yet — we're working on it. We don't have ISO 27001 yet — same. We're transparent about the gap because PDPL alignment is not the same thing as third-party-attested compliance, and your DPO deserves to know which we've cleared.

Want our PDPL controls mapped to your specific use case? Book a call with our trust team and we'll send a redlined draft DPA before the conversation.

Book a demo

See SOOMA AI configured to your industry — Arabic or English, your choice. We respond within one business day.

SOOMA AI — AI-powered field sales, automations, and PeopleOps for UAE and GCC teams.