Voice AI Under GCC PDPL
Last updated: 2026-04-18
Audience: CTOs, CISOs, and data-protection officers at GCC enterprises evaluating voice-AI platforms.
This page summarises how VoxSign's architecture aligns with UAE PDPL
(Federal Decree-Law No. 45 of 2021) and Saudi Arabia PDPL. It is an
engineering-led reading of the regulations, not legal advice.
Procurement teams should cross-check against their in-house counsel
or the official authorities (UAE Data Office,
Saudi SDAIA).
1. Two-sentence TL;DR
VoxSign's heavy compute (ASR, LLM, embeddings) runs on a GPU you control — your workstation, an in-country data centre, or a customer VPC. The Center coordination service can be deployed inside UAE or Saudi borders; outbound egress is optional, off by default, and configurable per tenant.
2. What PDPL actually requires
Both regimes converge on six obligations relevant to voice AI:
- Lawful basis for processing (consent or documented legitimate interest).
- Purpose limitation — data collected for X is not silently repurposed for Y.
- Data minimisation — do not collect more than needed.
- Cross-border transfer controls — audio and transcripts may not leave the jurisdiction without safeguards.
- Data-subject rights — access, correction, deletion, portability.
- Breach notification — 72 hours to the regulator.
3. PDPL clauses ↔ VoxSign controls
| Obligation | How VoxSign supports it |
|---|---|
| Lawful basis (UAE Art. 4, KSA Art. 5) | Per-user consent captured at onboarding, stored with timestamp + consent version. |
| Purpose limitation (UAE Art. 5, KSA Art. 6) | Voice data scoped to enabled features only. No silent analytics. |
| Data minimisation | Only transcripts (not audio) reach the Center. Hard-example archive stores audio hashes. |
| Cross-border transfer (UAE Art. 22, KSA Art. 29) | Enterprise deployments run fully on customer infrastructure. Hosted tenants can pin all data to a region. |
| Data-subject rights | Export + delete endpoints exposed in the API. |
| Breach notification | Documented 72-hour incident-response SOP (available under NDA). |
4. Deployment modes and PDPL posture
| Mode | Data lives at | Typical customer |
|---|---|---|
| Self-hosted Edge, no Center | Customer hardware only | Banks, government, healthcare, defence |
| Self-hosted Edge + Self-hosted Center | Customer DC, both tiers | Large GCC enterprises |
| Self-hosted Edge + VoxSign-hosted Center (in-region) | Customer edge + regional Center | Mid-market GCC SaaS |
| VoxSign-hosted everything | VoxSign infrastructure | Non-regulated workloads |
5. Default sub-processor list
The default Enterprise deployment uses no third-party AI processors. Cloud providers are opt-in per tenant:
- DashScope — Arabic ASR fallback (only when local ASR fails). Disabled by default.
- Claude API / OpenAI API — conversational replies. Disabled by default.
6. What we do not claim
- SOC 2 Type II — not audited yet. Target 2027-Q1.
- ISO 27001 — not audited yet.
- HIPAA — not a covered BAA processor.
- Explicit UAE / Saudi regulator certification — we follow the letter of both laws but have not yet sought a formal "adequate processor" declaration.
7. Next steps for a regulated evaluation
- Email security@voxsign.ai with your jurisdiction, workload, and deployment preference.
- We send the DPA template and a pre-filled security questionnaire.
- 30-day POC on your hardware at no cost, scoped to 10 users and 10k utterances with up-front success metrics.
- Go / no-go decision. If no-go, full data deletion certificate.
The full 10-section compliance guide (with DPA template and data-flow diagrams) is available under NDA. Request a copy at security@voxsign.ai.