Legal documentation

Eshal AI - Legal & Privacy

Eshal AI Limited · DIFC, Dubai, UAE · Company Registration Number: CL12214 · All documents effective 29 June 2026

Document: Privacy Policy
Version: v1.1
Effective Date: 29 June 2026
Entity: Eshal AI Limited (CRN: CL12214)
Jurisdiction: DIFC, Dubai, UAE
✓ Current - v1.1 · 29 June 2026

Privacy Policy

Eshal AI Limited · DIFC, Dubai, UAE · CRN: CL12214 · eshal.ai/legal/privacy

1. Who We Are - Controller Identity

Eshal AI Limited is the data controller in respect of personal data collected through eshal.ai and the Eshal AI platform.

Field | Details
Legal Name | Eshal AI Limited
DIFC Registration | Company incorporated in the Dubai International Financial Centre (DIFC). CRN: CL12214
Registered Address | DIFC, Dubai, United Arab Emirates
Operational Address | Maple 1, Villa 36, Dubai Hills Estate, Dubai, UAE
Privacy / Legal Email | legal@eshal.ai
General Enquiries | contact@eshal.ai
Website | https://eshal.ai

2. Privacy Officer

Eshal AI Limited has designated a Privacy Officer responsible for data protection compliance and handling data subject enquiries under applicable privacy laws.

Field | Details
Role | Privacy Officer
Contact Email | legal@eshal.ai - subject line: "Attention: Privacy Officer"
Postal Address | DPO, Eshal AI Limited, Maple 1, Villa 36, Dubai Hills Estate, Dubai, UAE
Supervisory authority (DIFC) | commissioner.difc.ae
EU/EEA | Where GDPR applies, EU data subjects may contact their local supervisory authority

3. What Personal Data We Collect

3.1 Data You Provide

  • Contact and identity data: name, email address, job title, company name, phone number
  • Account data: login credentials, profile information, user preferences
  • Communications data: content of emails, support tickets, demo requests
  • Payment and billing data: billing address, invoice details (payment card data is processed by our payment processor and not stored by us)

3.2 Data We Collect Automatically

  • Usage data: pages visited, features used, AI interaction metadata and operational logs, session duration
  • Technical data: IP address, browser type, device type, operating system, time zone
  • Cookie and tracking data: as described in Section 9 (Cookie Policy)

3.3 Data We Process on Behalf of Customers

When enterprise customers use the Eshal AI platform, they may upload or process personal data belonging to their own end users. In those cases, Eshal AI Limited acts as a Data Processor on behalf of the customer (Data Controller), governed by the Data Processing Addendum in the MSA. This Privacy Policy does not cover that processing.

4. How and Why We Use Your Personal Data

Purpose | Data Used | Lawful Basis
Respond to enquiries and demos | Contact and identity data, communications data | Contract performance / Legitimate interests
Provide and manage Services | Account data, usage data, technical data | Contract performance
Service communications | Contact data, account data | Contract performance / Legal obligation
Marketing communications | Contact data, usage data | Consent (withdrawable at any time)
Platform improvement | Aggregated, anonymised usage data (not Customer Data) | Legitimate interests
Legal compliance | All categories as required | Legal obligation
Security and fraud prevention | Technical data, usage data | Legitimate interests / Legal obligation

We do not sell, rent, or trade your personal data to third parties for their commercial purposes. Where we use "legitimate interests" as a basis, you may object at any time by contacting legal@eshal.ai.

5. Your Data Subject Rights

Depending on your jurisdiction, you have the following rights:

Right | Description | DIFC/GDPR | UAE PDPL
Access | Receive a copy of personal data held about you | 30 days | 5 business days
Rectification | Correct inaccurate or incomplete data | 30 days | 5 business days
Erasure | Request deletion (subject to retention obligations) | 30 days | Without undue delay
Restriction | Limit how we process your data | 30 days | N/A
Portability | Receive data in machine-readable format | 30 days | N/A
Object | Opt out of marketing or legitimate-interests processing | Immediate (marketing) | Immediate
Withdraw Consent | Withdraw consent without affecting prior lawful processing | Immediate | Immediate

UAE Federal PDPL - 5 Business Day Response. If you are a UAE resident making a data access or rectification request under UAE Federal Decree-Law No. 45 of 2021, we will respond within 5 business days. If we need additional time, we will notify you within 5 business days and complete your request as soon as reasonably practicable.

To exercise any right, email legal@eshal.ai with subject line 'Data Subject Rights Request'. We may ask you to verify your identity. You may also lodge a complaint with the DIFC Commissioner of Data Protection or your local supervisory authority.

6. Who We Share Your Data With

6.1 Sub-processors

We share personal data with third-party service providers under written DPAs. Our approved sub-processor list is published in Annex A and at eshal.ai/legal/sub-processors. We will notify customers at least 30 days before adding or replacing any sub-processor.

6.2 Professional Advisers

We share data with lawyers, auditors, and accountants where necessary, all bound by professional confidentiality obligations.

6.3 Legal and Regulatory Authorities

We disclose data to courts, regulators (including the DIFC Commissioner), and law enforcement where required by applicable law.

6.4 Business Transfers

If Eshal AI Limited is acquired or merged, personal data may transfer to the acquiring entity under the same protections. Affected data subjects will be notified before any transfer.

7. International Data Transfers

Destination | Infrastructure | Safeguard / Mechanism
UAE (SaaS default) | AWS / Azure / GCP UAE region | UAE Federal Decree-Law No. 45 of 2021; DIFC DP Law
Saudi Arabia (KSA) | Groq Cloud, Saudi Arabia | Saudi Arabia PDPL; NDMO data localisation compliance
EU/EEA | EU-region cloud infrastructure | Standard Contractual Clauses (EU Commission Decision 2021/914)
UK | UK-region cloud infrastructure | UK International Data Transfer Agreements (IDTAs)
Other regions | Per Order Form | Appropriate safeguards as agreed in writing; documented in DPA

8. How Long We Keep Your Data

Data Category | Retention Period | Basis
Prospect and contact data | 2 years from last interaction | Legitimate interests / Consent
Customer account data | Subscription Term plus 30 days post-termination | Contract performance
Audit logs and system trails | 7 years minimum | Legal obligation (DIFC DP Law; regulatory compliance)
Financial and billing records | 7 years | Legal obligation (UAE financial records law)
Support and communications records | 3 years from last interaction | Legitimate interests

9. Cookie Policy

9.1 What Are Cookies?

Cookies are small text files placed on your device. They help websites remember preferences, analyse traffic, and personalise content. Similar technologies include web beacons, pixels, and local storage.

9.2 Cookies We Use

Type | Purpose | Examples | Duration | Consent?
Strictly Necessary | Core functionality - cannot be disabled | Session tokens, security, load balancing | Session or up to 1 year | No
Functional | Remember preferences and settings | Language, region, display settings | Up to 1 year | Yes
Analytics | Understand site usage (anonymised) | Google Analytics, PostHog | Up to 2 years | Yes
Marketing | Ad targeting and campaign measurement | LinkedIn Insight, Google Ads, Meta Pixel | Up to 2 years | Yes

Open cookie settings to manage your preferences at any time. You can also change settings in your browser. To opt out of Google Analytics: tools.google.com/dlpage/gaoptout.

10. Automated Decision-Making and AI

10.1 Automated Decisions - GDPR Article 22

Where applicable to EU/EEA data subjects, we recognise your right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (GDPR Article 22).

  • Eshal AI Limited does not use automated processing to make decisions about individuals that produce legal or similarly significant effects on Eshal's own behalf
  • Where Enterprise Customers use the platform to make or assist in automated decisions affecting their end users, those Customers are responsible for GDPR Article 22 compliance
  • Eshal provides configurable guardrails and human-escalation tools - see docs.eshal.ai/ai-governance
  • If you believe you have been subject to an automated decision without appropriate safeguards, contact legal@eshal.ai

10.2 Profiling

We may use personal data to create aggregated analytics about how the Eshal platform is used. This does not involve individual profiling that produces legal or significant effects. You have the right to object to any profiling by contacting legal@eshal.ai.

11. AI Governance and Data Protection

Governance Element | How We Implement It
Human Oversight | Configurable human-in-the-loop escalation paths; AI Agents can be configured to always offer human handoff
Model Evaluation | Regular evaluation for accuracy, bias, fairness, and safety before deployment
Prompt Security | Detection and mitigation of prompt injection attacks, adversarial inputs, and attempts to extract system instructions
Content Guardrails | Policy-enforced content filtering to prevent harmful or out-of-policy AI outputs
Monitoring | Continuous logging (Loki) and real-time alerting (Grafana/Alertmanager) of AI Agent interactions
No Training on Customer Data | Customer Data is never used to train or fine-tune foundation AI models without Customer's express written consent
Third-Party AI Transparency | We disclose use of approved third-party AI model providers and notify Customers at least 30 days before material changes
AI Output Accuracy | AI-generated outputs are probabilistic and may contain inaccuracies. Customers are responsible for validating outputs in high-risk contexts

Our full AI Governance Framework is at docs.eshal.ai/ai-governance.

12. Security of Your Personal Data

We implement appropriate technical and organisational measures including AES-256 encryption at rest, TLS 1.2+ in transit, MFA, RBAC, periodic independent penetration testing, and continuous security monitoring.

If you believe your data has been compromised, notify us immediately at security@eshal.ai.

13. Children's Data

Our Services are not directed to individuals under 18 years of age unless the Customer has obtained all legally required parental or guardian consents. Eshal AI Limited does not knowingly collect personal data from children. Contact legal@eshal.ai if you believe we have inadvertently collected a child's data and we will delete it promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email to the address associated with your account and post a prominent notice on our website at least 14 days before the change takes effect.

15. Contact Us

Contact Method | Details
Privacy enquiries | legal@eshal.ai - subject: "Privacy Enquiry" or "Privacy Officer"
General Enquiries | contact@eshal.ai
Operational Address | Eshal AI Limited, Maple 1, Villa 36, Dubai Hills Estate, Dubai, UAE
Registered Office | Eshal AI Limited, DIFC, Dubai, UAE (CRN: CL12214)
DIFC Commissioner | commissioner.difc.ae
Response Time | 5 business days for UAE PDPL; 30 days for all other requests

Annex A: Approved Sub-processor List

Last Updated: 29 June 2026. Live list: eshal.ai/legal/sub-processors. Enterprise Customers receive 30 days' advance notice before any sub-processor change.

Sub-processor | Purpose | Location | Data Processed | Transfer Mechanism
Amazon Web Services | Cloud infra, storage, compute | UAE / Global (per Order Form) | Customer Data, logs | DPA / SCCs
Microsoft Azure | Cloud infra, email (M365), Intune | UAE / Global (per Order Form) | Identity, email, platform data | DPA / SCCs
Google Cloud Platform | Cloud infra, compute | Per Order Form | Customer Data (where selected) | DPA / SCCs
Groq Cloud | Sovereign AI compute (KSA) | Saudi Arabia | KSA Customer Data | DPA / Saudi PDPL
Core42 / G42 Cloud | Sovereign cloud (UAE) | UAE | UAE Customer Data | DPA / UAE PDPL
GitHub (Microsoft) | Source code repository | USA | Code only (no customer PII) | DPA / SCCs
Atlassian (Jira/Confluence) | Project management, documentation | Australia / USA | Operational data (no PII) | DPA / SCCs
OpenAI / Anthropic / Google AI | Third-party AI model inference | USA (API calls; no storage) | Prompt data per session only; no retention by provider | DPA / SCCs / zero-data-retention agreements

Privacy Policy v1.1 · 29 June 2026 · © 2026 Eshal AI Limited (CL12214)

Document: Terms of Service
Version: v1.1
Effective Date: 29 June 2026
Governing Law: DIFC, Dubai, UAE
Currency: AED (primary) / USD
✓ Current - v1.1 · 29 June 2026

Terms of Service

Eshal AI Limited · DIFC, Dubai, UAE · CRN: CL12214 · eshal.ai/legal/terms

1. About Us and These Terms

1.1 Who We Are

These Terms of Service ('Terms') are a legal agreement between you and Eshal AI Limited ('Eshal', 'we', 'us'), a company incorporated in the Dubai International Financial Centre (DIFC), Dubai, UAE (CRN: CL12214).

Field | Details
Legal Name | Eshal AI Limited
CRN | CL12214 (Dubai International Financial Centre)
Registered Address | DIFC, Dubai, United Arab Emirates
Operational Address | Maple 1, Villa 36, Dubai Hills Estate, Dubai, UAE
Email | legal@eshal.ai
Website | https://eshal.ai

1.2 Scope

These Terms apply to your use of the eshal.ai website and self-serve subscription access to the Eshal AI platform. Enterprise customers governed by a Master Service Agreement (MSA) should note that the MSA prevails over these Terms in all respects.

By creating an account, clicking 'I agree', or using the Services, you confirm you have read, understood, and agree to these Terms and our Privacy Policy.

2. The Services

2.1 What We Provide

  • AI Agent Builder for designing and deploying conversational workflows
  • Multi-channel integration (WhatsApp, web chat, voice, SMS, email)
  • Knowledge base management and document ingestion
  • Analytics and performance dashboards
  • API access and enterprise integration connectors

2.2 Service Availability and SLA

We target 99.9% monthly platform uptime. Our full SLA is at eshal.ai/legal/sla.

SLA Summary - Self-Serve Plans. Target uptime: 99.9% monthly. If uptime falls below 99.0%, you may be eligible for service credits. Credits are capped at one month's subscription fee. Request within 30 days of month end by emailing billing@eshal.ai.

2.3 Third-Party AI Models

The platform uses approved third-party AI model providers. Their availability is outside our direct control. Our SLA applies to the Eshal platform layer only. We will notify you of material changes with at least 30 days' advance notice.

3. Fees, Pricing, and Payment

3.1 Pricing and Currency

Our subscription plans are priced in UAE Dirhams (AED) and US Dollars (USD). The AED price on your invoice is the definitive amount payable. USD pricing at checkout is an indicative equivalent. All prices exclude UAE VAT (5%), which is applied where applicable.

Current Pricing. Subscription plan pricing is published at eshal.ai/pricing. The pricing confirmed on your checkout confirmation or Order Form is the definitive price for your subscription.

3.2 Payment Terms

  • Monthly subscriptions: invoiced and charged in advance at the start of each monthly period
  • Annual subscriptions: invoiced and charged in advance for the full year
  • Payment methods: credit/debit card, or bank transfer for annual plans over AED 10,000
  • Taxes: fees are exclusive of VAT and all applicable taxes

3.3 Refunds

Fees are non-refundable except:

  • Service credits if we miss the SLA uptime commitment
  • Termination for cause: pro-rata refund of prepaid fees for the unused period if you terminate due to our uncured material breach (14-day cure period)
  • 14-day cooling-off period: new subscribers who cancel within 14 days of first paid subscription, having made fewer than 500 AI interactions, are entitled to a full refund
  • As required by applicable law including UAE consumer protection law

3.4 Late Payment

Overdue amounts (more than 7 days) may incur interest at 1.5% per month. We may suspend access after written notice.

4. Acceptable Use

4.1 Permitted Use

You may use the Services for lawful purposes per our full Acceptable Use Policy (AUP).

4.2 Prohibited Uses

You must not use the Services to:

  • Violate any applicable law or regulation, or facilitate others to do so
  • Infringe any intellectual property, privacy, or other third-party right
  • Engage in fraud, deception, phishing, or social engineering
  • Transmit malware, viruses, or disruptive code
  • Reverse engineer or extract underlying AI models or algorithms
  • Build a competing AI customer experience product
  • Deploy AI Agents in high-risk regulated contexts without appropriate human oversight

4.3 AI Transparency Obligations

Because Eshal AI deploys conversational AI agents, you are responsible for ensuring your deployment meets applicable AI transparency and disclosure requirements:

  • Disclosure requirement: You must inform end users they are interacting with an AI system wherever required by applicable law, including UAE Federal Law No. 15 of 2020, GDPR Article 22, and equivalent regulations in your jurisdiction
  • No false human impersonation: AI Agents must answer truthfully when a user directly and sincerely asks whether they are speaking with a human or an AI
  • Regulated sector disclosure: For financial services, healthcare, or government deployments - include an AI disclosure at the outset of each interaction and provide an accessible option to speak with a human agent
  • Your own disclosures: Include AI usage disclosure in your end-user privacy policy and terms of service

5. Intellectual Property

5.1 Eshal AI Platform: All rights in the Eshal AI platform, software, algorithms, models, and documentation belong to Eshal AI Limited. These Terms grant you a limited, non-exclusive, non-transferable licence to use the Services during your subscription for your internal business purposes.

5.2 Your Data: You retain all rights to data, content, and materials you upload ('Customer Data'). We have a limited licence to use Customer Data solely to provide the Services. We claim no ownership of your data.

5.3 Feedback: Written feedback may be used by us to improve the platform without obligation to pay you. Feedback does not include Customer Data.

6. Data Protection

Our Privacy Policy governs how we collect and process personal data as a data controller. If you process personal data of your own customers through the platform, we act as a data processor. Self-serve customers processing personal data should contact legal@eshal.ai to request a Data Processing Agreement before commencing such processing.

7. Warranties and Disclaimers

We warrant that the Services will perform materially in accordance with our Documentation. We do not warrant that the Services will be uninterrupted or error-free.

AI Disclaimer. The platform uses probabilistic AI models. AI-generated outputs may be inaccurate, incomplete, or unexpected. You are responsible for reviewing AI outputs before relying on them in any regulated, professional, or high-stakes context. We do not warrant the accuracy or reliability of AI-generated content.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

8. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, OUR TOTAL LIABILITY TO YOU FOR ANY CLAIM SHALL NOT EXCEED THE FEES YOU PAID IN THE 12 MONTHS PRECEDING THE CLAIM. WE SHALL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, DATA, OR BUSINESS OPPORTUNITIES.

These limitations do not apply to: liability for fraud or wilful misconduct; our data protection obligations; death or personal injury caused by our negligence; or any other liability that cannot be excluded by applicable law.

9. Indemnification

9.1 Eshal Indemnification - IP

We will defend you against any third-party claim alleging that your authorised, unmodified use of the Services infringes a third party's intellectual property rights, and will pay damages finally awarded or agreed in settlement. This does not apply to claims from your modifications, Customer Data, or combination with non-Eshal products.

9.2 Your Indemnification

You will defend us against third-party claims arising from: your Customer Data or violation of third-party rights; your breach of AI transparency obligations (Section 4.3); your breach of these Terms or applicable law; or claims by your own end users.

10. Term and Termination

  • Subscription Term: Begins on sign-up and continues until cancelled. Monthly subscriptions renew monthly; annual subscriptions renew annually.
  • Cancellation: Cancel at any time via Account Settings or email billing@eshal.ai. Cancellation takes effect at the end of the current billing period.
  • Termination for Breach: We may terminate immediately if you materially breach and fail to cure within 14 days of written notice.
  • Data Export: You have 30 days from termination to export Customer Data. After 30 days, we will delete Customer Data per our Privacy Policy.

11. Disputes and Governing Law

Governing Law: These Terms are governed by the laws applicable in the DIFC, Dubai, UAE.

Informal Resolution: Contact legal@eshal.ai and allow 30 days to resolve the matter informally before starting formal proceedings.

Small Claims Carve-Out: Nothing prevents you from filing a claim in a small claims court in your jurisdiction, seeking emergency injunctive relief from any court of competent jurisdiction, or filing a complaint with a consumer protection or data protection authority.

Arbitration (B2B): B2B disputes that cannot be resolved informally shall be resolved by binding arbitration under DIAC Rules in English in Dubai.

Individual Claims Only. All disputes must be brought on an individual basis. Class action proceedings against Eshal AI Limited are not permitted.

12. General

  • Changes to Terms: We will notify you by email at least 14 days before material changes take effect. Annual subscribers who disagree may cancel before the new Terms take effect and receive a pro-rata refund.
  • Entire Agreement: These Terms, the Privacy Policy, SLA, and AUP form the entire agreement for self-serve use. Enterprise customers are governed by their negotiated Master Service Agreement - contact legal@eshal.ai to request one.
  • Severability: If any provision is found invalid, it will be modified to the minimum necessary. Remaining Terms continue in full force.
  • Assignment: You may not assign your rights without our written consent. We may assign in connection with a merger or acquisition.
  • Contact: Legal notices: legal@eshal.ai. General: contact@eshal.ai. Post: Eshal AI Limited, Maple 1, Villa 36, Dubai Hills Estate, Dubai, UAE (CRN: CL12214).

Appendix: SLA Summary - Self-Serve Plans

Full SLA: eshal.ai/legal/sla. Enterprise SLA governed by your MSA (Exhibit A).

Metric | Commitment | Notes
Monthly Uptime Target | 99.9% | Measured as (total minutes minus downtime) / total minutes × 100
Downtime Definition | Platform unavailable >5 consecutive minutes | Excludes scheduled maintenance, Customer infrastructure, Third-Party AI Model outages, force majeure
Credit: 99.0%–99.9% | 10% of monthly fees | Capped at 1× monthly fee
Credit: 95.0%–98.9% | 25% of monthly fees | Capped at 1× monthly fee
Credit: Below 95.0% | 50% of monthly fees | Capped at 1× monthly fee
How to Request Credits | Email billing@eshal.ai within 30 days of month end | Credits applied to next invoice within 14 days

Terms of Service v1.1 · 29 June 2026 · © 2026 Eshal AI Limited (CL12214)

Document: Service Level Agreement
Version: v1.0
Effective Date: 29 June 2026
Applies To: SaaS & Sovereign Cloud deployments
Version 1.1 · Last updated 29 June 2026

Service Level Agreement

Eshal AI Limited · DIFC, Dubai, UAE · CRN: CL12214 · eshal.ai/legal/sla

Quick Summary. Uptime target: 99.9% monthly. Service credits capped at 1× monthly fee. BC/DR: RTO < 4 hours, RPO < 1 hour. Credits must be requested within 30 days of month end - email billing@eshal.ai to claim.

1. Introduction and Scope

This Service Level Agreement (‘SLA’) sets out Eshal AI Limited’s uptime commitments, service credit entitlements, business continuity targets, and support response obligations. This SLA forms part of the Terms of Service and the Master Service Agreement (for Enterprise customers).

This SLA applies to SaaS and Sovereign Cloud deployments only. For VPC and On-Premise deployments, SLA commitments apply to the software layer only and are subject to Customer’s infrastructure performance.

2. Platform Uptime Commitment

2.1 Uptime Target

Eshal commits to maintaining 99.9% monthly uptime for the Platform for all SaaS and Sovereign Cloud deployments.

2.2 Uptime Calculation

Monthly Uptime % = (Total Minutes in Month − Downtime Minutes) ÷ Total Minutes in Month × 100

Uptime is measured continuously on a 24/7/365 basis across all calendar months.

2.3 Downtime Definition

‘Downtime’ means any period during which the Platform is unavailable and inaccessible to all Authorised Users for more than five (5) consecutive minutes.

2.4 Exclusions from Uptime Calculation

  • Scheduled Maintenance: planned maintenance windows notified at least 48 hours in advance (normally 02:00–06:00 Gulf Standard Time on weekends)
  • Emergency Maintenance: unplanned maintenance required to prevent or limit a security incident where advance notice is not reasonably practicable
  • Customer Infrastructure: downtime caused by Customer’s own network, systems, hardware, or configuration
  • Third-Party AI Model Outages: unavailability of approved third-party AI model providers outside Eshal’s direct control
  • Force Majeure: events beyond Eshal’s reasonable control including natural disasters, war, pandemic, government action, or major Internet infrastructure failures
  • Customer Breach: downtime resulting from Customer’s misuse of the platform or breach of the Terms of Service or MSA

3. Service Credits

3.1 Credit Entitlements

Monthly Uptime Percentage | Service Credit | Maximum Credit Per Month
99.0% to 99.9% | 10% of that month’s subscription fee | Capped at 1× monthly fee
95.0% to 98.9% | 25% of that month’s subscription fee | Capped at 1× monthly fee
Below 95.0% | 50% of that month’s subscription fee | Capped at 1× monthly fee

Credit Cap. Service credits are capped at one (1) month’s subscription fee per calendar month regardless of the duration or number of incidents. Credits are applied to future invoices and do not constitute cash refunds except where required by applicable law.

3.2 Sole Remedy

Service credits are Customer’s sole and exclusive remedy for Eshal’s failure to meet the uptime commitment, except where downtime results from Eshal’s gross negligence or wilful misconduct, or cumulative downtime in any calendar quarter exceeds 5% of available minutes.

3.3 How to Request Credits

  • Submit a credit request to billing@eshal.ai within 30 days of the end of the calendar month in which the downtime occurred
  • Include: the date(s) and time(s) of the incident(s); the duration; a brief description of the impact
  • Eshal will review and respond within 14 business days. Approved credits will be applied to the next invoice.

3.4 Scheduled Maintenance Notifications

Eshal will provide at least 48 hours’ advance notice via email to the account administrator and via status.eshal.ai. Eshal targets no more than 8 hours of scheduled maintenance per calendar month.

4. Business Continuity and Disaster Recovery

Objective | Target | Description
Recovery Time Objective (RTO) | < 4 hours | Maximum time from declared disaster to restoration of core platform services
Recovery Point Objective (RPO) | < 1 hour | Maximum data loss window
Backup Frequency | Daily incremental; Weekly full | All production Customer Data backed up with AES-256 encryption
Backup Retention | 90 days rolling | Encrypted, geographically redundant backup storage
Geographic Redundancy | Multi-AZ | Production deployments span multiple availability zones within the selected region
DR Test Frequency | Annual | Full failover simulation with documented results; available to Enterprise customers on request

5. Support Response SLA

The following summary applies to SaaS self-serve plans. Enterprise customers have accelerated response times per their MSA.

P | Level | Definition | Self-Serve Response
P1 | Critical | Complete platform outage; major data loss; critical security breach | Within 24 hours
P2 | High | Significant degradation; key feature unavailable; production impact | Within 48 hours
P3 | Medium | Partial degradation; workaround available; non-critical feature issue | Within 5 business days
P4 | Low | General enquiry; documentation request; feature suggestion | Within 5 business days

6. Status and Monitoring

7. Changes to This SLA

Eshal may update this SLA from time to time. Material changes will be communicated by email to account administrators at least 30 days before they take effect.

SLA v1.0 · 29 June 2026 · © 2026 Eshal AI Limited (CL12214)

Document: Acceptable Use Policy
Version: v1.0
Effective Date: 29 June 2026
Incorporated Into: Terms of Service & MSA (Exhibit D)
Version 1.1 · Last updated 29 June 2026

Acceptable Use Policy

Eshal AI Limited · DIFC, Dubai, UAE · CRN: CL12214 · eshal.ai/legal/aup

1. Introduction

This Acceptable Use Policy (‘AUP’) governs your use of the Eshal AI platform, website, and all associated services (‘Services’) provided by Eshal AI Limited (‘Eshal’, ‘we’, CRN: CL12214). This AUP is incorporated into and forms part of the Terms of Service for self-serve customers, and the Master Service Agreement (Exhibit D) for Enterprise customers.

By accessing or using the Services, you agree to comply with this AUP. If you are using the Services on behalf of an organisation, you represent that you have the authority to bind that organisation to this AUP.

2. Permitted Uses

  • Deploying AI-powered conversational agents to support your own customer service, sales, support, and engagement workflows
  • Building and testing AI Agent workflows using the Agent Builder and workflow orchestration tools
  • Integrating the Platform with your own enterprise systems via the published API and supported integration connectors
  • Uploading lawfully obtained business content (knowledge base materials, FAQs, product documentation) for AI retrieval and grounding
  • Configuring AI Agents with your own branding, persona, and communication style in accordance with applicable AI transparency requirements
  • Generating analytics and performance reports on your AI Agent deployments
  • Evaluating the Services during a free trial or proof-of-concept period, within the scope of the trial agreement

3. Prohibited Uses

3.1 Illegal and Harmful Activity

  • Violate any applicable law, regulation, court order, or governmental directive in any jurisdiction in which you operate
  • Engage in or facilitate fraud, identity theft, phishing, social engineering, or financial crime
  • Produce, distribute, or process content that is defamatory, obscene, hateful, discriminatory, or threatening
  • Generate or distribute child sexual abuse material (CSAM) or any content that sexualises minors
  • Facilitate human trafficking, forced labour, or exploitation
  • Produce content designed to radicalise, incite violence, or promote terrorism
  • Violate sanctions regimes or export control laws including those of the UAE, UN, US, or EU

3.2 Intellectual Property and Data Rights

  • Upload, process, or transmit content that infringes any third party’s intellectual property rights without proper authorisation or licence
  • Upload personal data of third parties without a lawful basis for processing and appropriate privacy notices in place
  • Scrape, harvest, or collect data from the Platform or third-party systems in violation of their terms of service

3.3 Security and Platform Integrity

  • Attempt to gain unauthorised access to any part of the Platform or another customer’s account
  • Introduce or transmit malware, ransomware, viruses, trojans, worms, or any other malicious code
  • Conduct or facilitate denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Probe, scan, or test the vulnerability of any Eshal system or network without prior written authorisation from security@eshal.ai
  • Circumvent, bypass, or disable any security control, authentication mechanism, or rate limit
  • Attempt to reverse engineer, decompile, or extract the source code or underlying AI models of the Platform

3.4 Competitive and Commercial Restrictions

  • Use the Services to build, develop, train, or benchmark a competing AI customer experience platform without prior written consent from Eshal
  • Resell, sublicence, or provide access to the Services to third parties as a standalone commercial offering, without a formal reseller or partner agreement
  • Use the Services to evaluate them on behalf of a direct competitor of Eshal for competitive intelligence purposes

3.5 AI-Specific Restrictions

  • Deploy AI Agents configured to affirmatively claim to be human when directly and sincerely asked by an end user
  • Use AI Agents to make fully automated decisions with legal or similarly significant effects on individuals without appropriate human oversight
  • Deliberately engineer prompts or inputs designed to manipulate, deceive, harm, or exploit end users
  • Use prompt injection techniques to extract system instructions, bypass safety guardrails, or manipulate AI outputs
  • Generate synthetic media (deepfakes, fabricated audio, or manipulated video) of real identifiable individuals without their explicit consent
  • Deploy AI Agents in safety-critical contexts (medical devices, autonomous vehicles, nuclear systems) without appropriate regulatory approval and human oversight
  • Use the Services to create, test, or deploy malicious bots designed to spam, manipulate, or defraud end users

4. Content Standards

| Content Type | Requirement | Examples of Non-Compliance |
|---|---|---|
| Knowledge Base Materials | Must be lawfully obtained; you must hold appropriate rights or licence | Uploading copyrighted documents without licence; scraped competitor content |
| AI Agent Prompts | Must not instruct the AI to deceive, harm, or manipulate users | Instructions to deny being an AI; instructions to extract personal data |
| End-User Data | Must be processed with appropriate legal basis; personal data minimised | Collecting sensitive data without consent; retaining data beyond purpose |
| Integration Data | Must be sourced from systems you are authorised to access | Connecting to a third-party system using stolen credentials |

5. Your Responsibilities for AI Deployments

  • Ensuring your AI deployment complies with all applicable laws in the jurisdictions where it operates
  • Implementing appropriate disclosures that end users are interacting with an AI system, where required by law (see our AI Transparency Guidelines)
  • Configuring human escalation paths for scenarios where AI handling is inappropriate or where end users request to speak with a human
  • Reviewing and validating all AI-generated outputs before relying on them in regulated or high-risk contexts
  • Maintaining accurate and up-to-date knowledge base materials to minimise the risk of inaccurate AI outputs
  • Ensuring your own end users’ privacy rights are respected, including through an appropriate privacy policy that discloses your use of AI technology

6. Data Handling Obligations

In addition to your obligations under the Data Processing Agreement, you must:

  • Only upload or process personal data for which you have a documented lawful basis under applicable data protection law
  • Not upload special categories of personal data (health, biometric, financial, racial or ethnic origin, religious beliefs, etc.) to the Platform without appropriate additional safeguards and Eshal’s prior written consent
  • Ensure that personal data uploaded to the Platform is accurate, relevant, and not excessive for the stated processing purpose
  • Not use the Platform to circumvent data subject rights or to process personal data in a manner inconsistent with your own privacy policy

7. Reporting Violations

| Report Type | Contact |
|---|---|
| AUP Violations | legal@eshal.ai - subject: ‘AUP Violation Report’ |
| Security Vulnerabilities | security@eshal.ai - subject: ‘Security Vulnerability Report’ |
| Child Safety Concerns | security@eshal.ai - highest priority; escalated to relevant authorities |
| Data Breaches | security@eshal.ai - response within 24 hours |

8. Enforcement

Upon discovering or receiving a credible report of a violation, Eshal may - at its sole discretion and without liability to you - issue a written warning, temporarily suspend your access pending investigation, permanently terminate your account, remove or disable non-compliant content, report violations to law enforcement or regulatory authorities, or pursue civil remedies for damages caused by your violation.

Eshal is not liable for any damages, losses, or costs you incur as a result of enforcement actions taken in good faith. If you believe your account has been suspended or terminated in error, you may appeal by contacting legal@eshal.ai within 14 days of the enforcement action.

9. Changes to This AUP

Eshal may update this AUP from time to time. Material changes will be communicated by email to account administrators at least 14 days before they take effect. The current version is always published at eshal.ai/legal/aup.

AUP v1.0 · 29 June 2026 · © 2026 Eshal AI Limited (CL12214)

Document: Sub-processor List
Version: v1.0
Last Updated: 29 June 2026
Notice Period: 30 days before any change
Version 1.0 · Last updated 29 June 2026

Sub-processor List

Eshal AI Limited · DIFC, Dubai, UAE · CRN: CL12214 · eshal.ai/legal/sub-processors

1. Introduction

Eshal AI Limited (‘Eshal’, CRN: CL12214) uses third-party service providers (‘sub-processors’) to deliver its AI-powered customer experience platform. As a data processor for our customers, we are committed to transparency about which sub-processors may process personal data on our behalf.

Notification Commitment. We provide at least 30 days’ advance written notice to customers before adding or replacing any sub-processor that processes personal data. Enterprise customers with a DPA may object in writing within 30 days of notification. The AI model providers listed below represent current approved providers; this list may change with appropriate notice.

2. How We Select Sub-processors

  • Security posture: SOC 2 Type II, ISO 27001, or equivalent independently verified security controls
  • Data protection: review of the sub-processor’s privacy practices, DPA willingness, and applicable transfer mechanisms
  • Contractual obligations: execution of a Data Processing Agreement imposing obligations at least equivalent to those Eshal accepts under its own DPA
  • Ongoing monitoring: annual security review or review of certification renewal

3. Current Sub-processor List

Last Updated: 29 June 2026.

| Sub-processor | Category | Purpose | HQ / Processing Location | Personal Data Processed | Transfer Mechanism |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure | Cloud hosting, storage, compute, networking | USA / UAE region (per deployment) | Customer Data, platform logs, backups | SCCs / DPA |
| Microsoft Azure | Infrastructure & Productivity | Cloud infrastructure; Microsoft 365 for email, Teams, Intune MDM | USA / UAE region | Identity data, email content, device management data | SCCs / DPA |
| Google Cloud Platform (GCP) | Infrastructure | Cloud infrastructure and compute (selected deployments) | USA / region per Order Form | Customer Data (where selected) | SCCs / DPA |
| Groq Cloud | Sovereign AI Infrastructure | Sovereign cloud compute for Saudi Arabia deployments | Kingdom of Saudi Arabia | KSA Customer Data; AI inference inputs | DPA / PDPL |
| Core42 / G42 Cloud | Sovereign Infrastructure | Sovereign cloud for UAE deployments | United Arab Emirates | UAE Customer Data | DPA / UAE PDPL |
| GitHub (Microsoft) | Development | Source code repository and CI/CD | USA | Code only - no customer personal data | SCCs / DPA |
| Atlassian (Jira / Confluence) | Project Management | Project tracking, internal documentation | Australia / USA | Operational data - no customer personal data | SCCs / DPA |
| OpenAI | AI Model Provider | Third-party LLM inference (where configured) | USA (API; no persistent storage) | Prompt data per session - zero-retention agreement | SCCs / DPA |
| Anthropic | AI Model Provider | Third-party LLM inference (where configured) | USA (API; no persistent storage) | Prompt data per session - zero-retention agreement | SCCs / DPA |
| Google DeepMind / Vertex AI | AI Model Provider | Third-party LLM inference (where configured) | USA / EU (API; no persistent storage) | Prompt data per session - zero-retention agreement | SCCs / DPA |
| Microsoft Azure OpenAI | AI Model Provider | Third-party LLM inference (where configured) | USA / region per config (API) | Prompt data per session - zero-retention agreement | SCCs / DPA |
| Stripe | Payment Processing | Payment card processing and subscription management | USA | Billing name, email, billing address; card data handled by Stripe (not Eshal) | SCCs / DPA |
| Clerk | Authentication | User authentication and session management | USA | Email address, login events, session tokens | SCCs / DPA |

4. Transfer Mechanism Legend

| Code | Meaning |
|---|---|
| SCCs / DPA | EU Standard Contractual Clauses (Commission Decision 2021/914) and a Data Processing Agreement |
| DPA / PDPL | Data Processing Agreement compliant with Saudi Arabia PDPL; processing on sovereign infrastructure within KSA |
| DPA / UAE PDPL | Data Processing Agreement compliant with UAE Federal Decree-Law No. 45 of 2021; processing within UAE |

5. AI Model Provider Notes

  • Zero Data Retention: We configure API calls to all Third-Party AI Model providers under zero-data-retention (ZDR) agreements or API terms that prohibit the provider from retaining, logging, or using prompt data for model training
  • No Training on Customer Data: No customer personal data or Customer Data is used by any approved AI model provider to train or fine-tune their foundation models
  • Session-Only Processing: Prompt data sent to AI model provider APIs is processed for inference only and is not persistently stored by the provider beyond the duration of the API call
  • Failover: Eshal maintains the ability to route traffic between model providers for resilience; Customers will be notified of material changes per the notification process below

6. Sub-processor Change Notification

Eshal will provide at least 30 days’ advance written notice to affected customers before adding a new sub-processor, replacing an existing sub-processor, or materially changing the purpose or scope of processing by an existing sub-processor.

Enterprise customers with a signed Data Processing Agreement may object in writing to a new or replacement sub-processor within 30 days of receiving notice. If a reasonable objection cannot be resolved, either party may terminate the affected service on 30 days’ notice with a pro-rata refund of prepaid fees.

7. Contact and Requests

| Enquiry Type | Contact |
|---|---|
| Privacy / DPA Enquiries | legal@eshal.ai - subject: ‘Sub-processor Enquiry’ |
| DPA Requests (Self-Serve) | legal@eshal.ai - subject: ‘DPA Request’ |
| Security Questions | security@eshal.ai |

Sub-processor List v1.0 · 29 June 2026 · © 2026 Eshal AI Limited (CL12214)

Document: Data Processing Agreement (Self-Serve)
Version: v1.0
Effective Date: 29 June 2026
Governing Law: DIFC, Dubai, UAE
Version 1.0 · Last updated 29 June 2026

Data Processing Agreement

Self-Serve Customers · Eshal AI Limited (Processor) · CRN: CL12214 · eshal.ai/legal/dpa

Enterprise Customers: If you are governed by a Master Service Agreement, the DPA in Exhibit C of your MSA governs instead of this document.

Preamble

This Data Processing Agreement (‘DPA’) is entered into between Eshal AI Limited, incorporated in the Dubai International Financial Centre (DIFC), Dubai, UAE (CRN: CL12214) (‘Eshal’, ‘Processor’) and the customer entity identified in the Order Form or account registration (‘Customer’, ‘Controller’).

This DPA governs the processing of Personal Data by Eshal on Customer’s behalf in connection with Customer’s use of the Eshal AI self-serve platform, and forms part of the Terms of Service. For Enterprise customers governed by a Master Service Agreement (MSA), the DPA in Exhibit C of the MSA governs instead.

This DPA takes effect on the date Customer accepts the Terms of Service or, if later, the date both parties sign the DPA signature page below.

1. Definitions

  • “Controller” means the party that determines the purposes and means of processing Personal Data - in this DPA, the Customer.
  • “Processor” means the party that processes Personal Data on behalf of the Controller - in this DPA, Eshal.
  • “Data Protection Laws” means all applicable privacy and data protection legislation, including DIFC Law No. 5 of 2020, UAE Federal Decree-Law No. 45 of 2021 (where applicable), the EU General Data Protection Regulation (GDPR, where applicable to EU data subjects), Saudi Arabia PDPL (where applicable to KSA data subjects), and all associated regulations and guidance.
  • “Personal Data”, “Processing”, “Data Subject”, “Supervisory Authority”, and “Personal Data Breach” have the meanings given in the applicable Data Protection Laws.
  • “Sub-processor” means any third party engaged by Eshal to process Personal Data in connection with the Services.
  • “Services” means the Eshal AI platform and associated services as described in the Terms of Service.

2. Roles and Scope of Processing

The parties acknowledge that, in relation to the processing of Personal Data described in Schedule 1:

  • Customer is the Controller - it determines why and how Personal Data is processed
  • Eshal is the Processor - it processes Personal Data only to provide the Services to Customer

Customer acknowledges that Schedule 1 represents its instructions to Eshal regarding the processing of Personal Data.

3. Controller Obligations

Customer, as Controller, represents and warrants that:

  • It has a documented lawful basis under applicable Data Protection Laws for each category of Personal Data it uploads or processes through the Services
  • It has provided appropriate privacy notices to Data Subjects explaining that their data may be processed by AI technology and shared with Eshal as a Processor
  • It will not instruct Eshal to process Personal Data in a manner that would cause Eshal to violate applicable Data Protection Laws
  • It will comply with all applicable Data Protection Laws in its role as Controller
  • It will ensure that Personal Data uploaded to the Platform is accurate, relevant, and not excessive for the stated purpose

4. Processor Obligations

4.1 Instructions

Eshal shall process Personal Data only on Customer’s documented instructions (as set out in this DPA, the Terms of Service, and any written instructions provided by Customer), unless required to do otherwise by applicable law. If Eshal is required by law to process Personal Data otherwise than per Customer’s instructions, Eshal will inform Customer before doing so (unless prohibited by law).

4.2 Confidentiality

Eshal shall ensure that all personnel authorised to process Personal Data under this DPA are bound by appropriate confidentiality obligations, whether by contract or statutory duty.

4.3 Security

Eshal shall implement and maintain technical and organisational security measures to protect Personal Data, including: AES-256 encryption at rest; TLS 1.2+ encryption in transit; multi-factor authentication (MFA) for all administrative access; role-based access controls (RBAC) enforcing least privilege; periodic independent penetration testing; and continuous security monitoring and alerting.

4.4 No AI Model Training on Customer Data

No Training on Customer Data. Eshal shall NOT use Personal Data or any other Customer Data to train, fine-tune, or improve any foundation AI model (including Third-Party AI Models) without Customer’s express prior written consent. Personal Data is used solely to provide the Services to Customer.

4.5 Data Subject Rights

Eshal shall provide reasonable assistance to Customer in responding to Data Subject rights requests. If Eshal receives a Data Subject request directly relating to Customer’s data processing, Eshal will promptly forward it to Customer without acting on it, as Customer is the Controller responsible for responding.

4.6 Privacy Impact Assessments

Eshal shall, upon Customer’s written request, provide information reasonably necessary to assist Customer in conducting Data Protection Impact Assessments (DPIAs) and prior consultations with Supervisory Authorities where required by applicable Data Protection Laws.

4.7 Deletion or Return of Data

Upon termination of the Terms of Service, or upon Customer’s written request, Eshal shall, at Customer’s election: (a) delete all Personal Data from its systems within 30 days; or (b) return all Personal Data in a machine-readable format within 30 days, following which Eshal shall delete its copies. Eshal may retain Personal Data beyond this period only to the extent required by applicable law or regulatory obligation (including a minimum 7-year retention period for audit logs). Eshal will notify Customer of any such mandatory retention.

5. Sub-processors

Customer grants Eshal general authorisation to engage the Sub-processors listed at eshal.ai/legal/sub-processors. Eshal will provide at least 30 days’ advance written notice before adding or replacing any Sub-processor. Customer may object within 30 days; if the objection cannot be resolved within a further 30 days, either party may terminate the Services on 30 days’ notice with a pro-rata refund. Eshal shall impose data protection obligations on each Sub-processor equivalent to those in this DPA and remains fully liable for each Sub-processor’s performance.

6. International Data Transfers

| Transfer Route | Safeguard | Details |
|---|---|---|
| DIFC to third countries | DIFC DP Law Chapter 6 safeguards | Transfer mechanisms approved by DIFC Commissioner of Data Protection |
| EU/EEA to third countries | Standard Contractual Clauses (SCCs) | EU Commission Decision 2021/914 Module 2 (Controller to Processor) |
| UK to third countries | UK International Data Transfer Agreements (IDTAs) | UK equivalent of SCCs post-Brexit |
| KSA data subjects | Saudi Arabia PDPL / NDMO | Data processed on Groq Cloud sovereign infrastructure within KSA |
| UAE data subjects | UAE Federal Decree-Law No. 45 of 2021 | Data processed on Core42/G42 sovereign infrastructure within UAE |

7. Personal Data Breach Notification

48-hour notification. Eshal shall notify Customer without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data Breach. The notification will include: the nature of the breach; categories and approximate number of Data Subjects affected; likely consequences; and measures taken to address it.

Eshal will provide reasonable assistance to Customer in complying with its regulatory breach notification obligations, including notification to the DIFC Commissioner of Data Protection within 72 hours where required under DIFC DP Law Article 36. A post-incident review report will be provided to Customer within 30 days of containment.

8. Audit Rights

  • Eshal may satisfy audit requests by providing relevant security documentation, third-party certification reports, or equivalent controls evidence in lieu of or in addition to a direct audit
  • Customer may conduct, or appoint a third-party auditor to conduct, an on-site audit with at least 30 days’ prior written notice
  • Audits are limited to once per calendar year, except where a Personal Data Breach has occurred affecting Customer’s data
  • Customer will bear the cost of any third-party auditor it appoints; Eshal may charge reasonable costs for internal time spent supporting the audit

9. Duration and Termination

This DPA remains in effect for the duration of the Terms of Service and for as long as Eshal processes Personal Data on Customer’s behalf. Upon termination, Eshal’s obligations continue until all Personal Data has been deleted or returned per Section 4.7. Sections 4.4, 6, 7, and 8 survive termination for so long as they remain relevant.

10. Governing Law

This DPA is governed by the laws applicable in the Dubai International Financial Centre (DIFC), consistent with the governing law of the Terms of Service. Data protection matters relating to EU/EEA data subjects are subject to the additional requirements of the GDPR and applicable EU law.

11. Order of Precedence

In the event of any conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA prevails. For Enterprise customers, the DPA in Exhibit C of the Master Service Agreement prevails over this self-serve DPA.

Schedule 1: Processing Details

| Field | Details |
|---|---|
| Subject matter | Provision of AI-powered customer experience automation services via the Eshal AI platform |
| Duration | For the duration of the Terms of Service and any post-termination retention required by law |
| Nature of processing | Collection, storage, use, analysis, retrieval, transfer, and deletion of Personal Data in connection with AI Agent operation, knowledge base retrieval, and platform analytics |
| Purpose of processing | Enabling Customer to operate AI conversational agents for its end users; providing platform analytics and reporting; facilitating integrations with Customer’s enterprise systems |
| Types of Personal Data | Customer-defined. May include: contact details (name, email, phone); conversational data (chat transcripts, voice interactions); customer identifiers; business transaction data. Special categories of data must not be uploaded without Eshal’s prior written consent. |
| Categories of Data Subjects | Customer’s end users; Customer’s employees or agents (where accessing the platform); other individuals whose data Customer includes in the knowledge base or AI inputs |
| Retention period | Active subscription: duration of the subscription plus 30 days post-termination for export. Audit logs: minimum 7 years. Customer-specific retention periods may be set in the platform settings. |

Signature Page

Both parties agree to be bound by the terms of this Data Processing Agreement. This DPA may be executed electronically, and electronic signatures have the same legal effect as original signatures under applicable UAE law.

Eshal AI Limited (Processor) · CRN: CL12214 · DIFC, Dubai, UAE
Signature
Name
Title
Date
Customer (Controller)
Company Name
Signature
Name
Title & Date

To request a countersigned copy, email legal@eshal.ai with subject line ‘DPA Signature Request’.

DPA v1.0 · 29 June 2026 · © 2026 Eshal AI Limited (CL12214)

Document: Security Overview
Type: Technical (not a legal agreement)
Last reviewed: 29 June 2026
Certifications: ISO/IEC 27001:2022 (Active) · SOC 2 in progress
Last reviewed · 29 June 2026

Security Overview

Eshal AI Limited · DIFC, Dubai, UAE · CRN: CL12214 · security@eshal.ai

This page describes how Eshal AI Limited secures customer data and platform infrastructure. It is a technical overview, not a legal agreement. Enterprise customers can request a full security brief, including third-party audit reports, by emailing security@eshal.ai.

1. Certifications

| Certification / Standard | Scope | Status |
|---|---|---|
| ISO/IEC 27001:2022 | Information Security Management System (ISMS) - covers design, development, deployment, operation, and support of the Eshal AI Concierge platform across SaaS, on-premises, and customer VPC deployment models | Active |
| SOC 2 Type II | Trust Services Criteria: Security, Availability, and Confidentiality | In progress |
| HIPAA | Healthcare data handling and safeguards for US healthcare customers | Roadmap |

ISO/IEC 27001:2022 - Certificate verification

  • Certificate number: 305026012334IS
  • Certifying body: QRO Certification LLP (IAF-accredited)
  • Site: Level 1, Innovation Hub, DIFC, Dubai, UAE
  • Last updated: 24 January 2026

The certified scope covers the people, processes, technologies, and information assets used to deliver Eshal’s AI conversational and workflow automation services, including software development, cloud infrastructure (production and staging), deployment operations, data processing, security operations, and incident management. Full audit documentation is shared with enterprise customers during procurement - contact security@eshal.ai.

2. Infrastructure and hosting

| Region | Infrastructure | Notes |
|---|---|---|
| UAE (default) | Amazon Web Services, Microsoft Azure, Google Cloud Platform - UAE regions | Default SaaS deployment; data stays within the UAE |
| Saudi Arabia (sovereign) | Groq Cloud - Kingdom of Saudi Arabia | KSA-resident data for Saudi deployments; PDPL-compliant |
| UAE (sovereign) | Core42 / G42 Cloud - United Arab Emirates | UAE sovereign cloud option for government and regulated sectors |
| VPC / On-premise | Customer’s own cloud account or data centre | Available for enterprise; Eshal deploys into your environment |

  • Multi-AZ redundancy: all production deployments span multiple availability zones within the selected region
  • No cross-border transfers without consent: customer data is processed in the region selected at onboarding; cross-region transfers require written agreement
  • No shared tenancy for sovereign deployments: VPC and sovereign cloud customers receive isolated compute and storage

3. Encryption

| Layer | Standard | Details |
|---|---|---|
| Data at rest | AES-256 | All customer data, backups, and platform databases encrypted at rest |
| Data in transit | TLS 1.2 minimum (TLS 1.3 preferred) | All API traffic, web traffic, and internal service communication encrypted in transit |
| Backups | AES-256 | All backup snapshots encrypted before storage |
| Key management | Cloud-native KMS | Encryption keys managed via the cloud provider’s Key Management Service; customer-managed keys available for enterprise deployments |

4. Authentication and access control

4.1 Customer-facing authentication

  • Authentication managed by Clerk (a dedicated identity provider) - no passwords stored by Eshal directly
  • Multi-factor authentication (MFA) available and encouraged for all accounts; required for accounts with admin-level permissions
  • Session tokens rotated on authentication events; session timeout enforced
  • Single Sign-On (SSO) via SAML 2.0 available for enterprise customers

4.2 Internal access controls

  • All Eshal personnel access to production systems governed by role-based access control (RBAC) enforcing least privilege
  • MFA required for all internal administrative access to production infrastructure
  • Access to customer data by Eshal personnel is restricted, logged, and subject to approval workflows
  • Privileged access reviews conducted quarterly
  • All access events recorded in immutable audit logs retained for a minimum of 7 years

5. Monitoring and alerting

  • Continuous 24/7 security monitoring of platform infrastructure, API traffic, and application logs
  • Automated alerting on anomalous access patterns, authentication failures, and potential intrusion indicators
  • Platform availability monitored continuously; public status published at status.eshal.ai
  • Security events correlated and reviewed by the Eshal security team in real time
  • Dependency and container image scanning integrated into the deployment pipeline

6. Incident response

Eshal maintains a documented Incident Response Plan (IRP) covering detection, containment, investigation, notification, and post-incident review.

| Milestone | Commitment |
|---|---|
| Initial response | Security incidents acknowledged within 24 hours of detection |
| Customer notification (breach) | Within 48 hours of Eshal becoming aware of a Personal Data Breach (per DPA Section 7) |
| Regulatory notification assistance | Eshal assists Customer in notifying DIFC Commissioner within 72 hours where required |
| Post-incident report | Root-cause analysis and remediation summary delivered to affected customers within 30 days of containment |

To report a security incident: security@eshal.ai. Emergency contact is available 24/7 for confirmed P1 incidents.

7. Backups and recovery

| Parameter | Commitment |
|---|---|
| Backup frequency | Daily incremental; weekly full snapshot |
| Backup retention | 90 days rolling |
| Backup encryption | AES-256; geographically redundant storage |
| Recovery Time Objective (RTO) | < 4 hours (SaaS and Sovereign Cloud) |
| Recovery Point Objective (RPO) | < 1 hour (SaaS and Sovereign Cloud) |
| DR testing | Annual full failover simulation; results available to enterprise customers on request |
| Audit log retention | Minimum 7 years (regulatory requirement) |

Full SLA commitments including credit entitlements: eshal.ai/legal/sla.

8. Penetration testing

  • Independent penetration testing conducted periodically against the Eshal AI platform and supporting infrastructure
  • Findings remediated according to severity: critical within 24 hours, high within 7 days, medium within 30 days
  • Executive summary of the most recent penetration test (where completed) available to enterprise customers under NDA - contact security@eshal.ai
  • Customers may request to conduct their own security assessment with 30 days’ prior written notice; see DPA Section 8 for audit rights

9. AI model security

  • No training on customer data: customer data is never used to train, fine-tune, or improve any AI model without express written consent
  • Zero-data-retention agreements: all approved AI model providers operate under zero-data-retention API terms - prompt data is not persistently stored or used for model training by the provider
  • Prompt injection protection: platform-level controls detect and mitigate prompt injection attacks and adversarial inputs designed to bypass AI Agent guardrails
  • Content filtering: configurable guardrails prevent out-of-policy AI outputs; all AI interactions are logged for review
  • Human escalation: AI Agents are configured with accessible human handoff paths; automated decisions with significant effects require human oversight per the Acceptable Use Policy
  • AI governance documentation: docs.eshal.ai/ai-governance

10. Responsible disclosure

Eshal AI Limited operates a responsible disclosure programme. If you discover a security vulnerability in our platform, we ask that you report it to us privately before public disclosure so we can investigate and remediate.

| Field | Details |
|---|---|
| Report to | security@eshal.ai - subject: ‘Vulnerability Report’ |
| What to include | Affected system or endpoint; description of the vulnerability; steps to reproduce; potential impact assessment |
| Acknowledgement | We will acknowledge receipt within 2 business days |
| Response commitment | Initial assessment within 5 business days; remediation timeline communicated within 14 days |
| Safe harbour | Researchers acting in good faith, not accessing customer data beyond what is necessary to demonstrate the vulnerability, and reporting promptly will not face legal action from Eshal |
| Recognition | We will acknowledge researchers by name in our security advisories (with their consent) |
| Out of scope | Social engineering attacks against Eshal staff; physical attacks against Eshal premises; denial-of-service attacks; attacks against customer-controlled deployments |

Do not access, modify, or exfiltrate customer data when testing. Limit testing to your own accounts and test environments. Any access to other customers’ data - even accidental - must be reported immediately to security@eshal.ai.

Security Overview · Last reviewed 29 June 2026 · ISO/IEC 27001:2022 certified (Active) · SOC 2 in progress · © 2026 Eshal AI Limited (CL12214)
