Hance Consulting FZE
United Arab Emirates
Email: info@hanceconsulting.com | hello@voicase.me
Website: www.hanceconsulting.com | www.voicase.me
Data Processing Addendum
This Data Processing Addendum ("Addendum") forms part of the Master Services Agreement ("Agreement") between:
Client ("Controller")
and
Hance Consulting FZE, operating VoiCase ("Processor").
This Addendum applies to the extent Processor processes Personal Data on behalf of Controller in connection with the VoiCase platform.
1. Purpose and Legal Framework
This Addendum governs Processing of Personal Data under:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)
- Applicable GCC data protection regulations, where relevant
In case of conflict, this Addendum prevails regarding data protection matters.
2. Roles of the Parties
2.1 Controller determines the purposes and means of Processing Personal Data.
2.2 Processor processes Personal Data solely on documented instructions of Controller, including instructions provided through the configuration and use of the Service.
2.3 Processor shall not determine independent purposes of Processing.
3. Scope of Processing
3.1 Nature and Purpose
Processing includes hosting, storage, organization, classification, retrieval, consultation, and deletion of internal whistleblowing and case management reports.
3.2 Categories of Data Subjects
- Employees
- Contractors
- Internal stakeholders
- Report submitters (including anonymous users)
3.3 Categories of Personal Data
May include:
- Name (if not anonymous)
- Email address
- Job title / department
- Internal disciplinary warnings
- Investigation notes
- Attachments and supporting documents
- System log data (including IP address)
Controller acknowledges that whistleblowing reports may contain allegations of misconduct. Controller is solely responsible for determining the lawful basis for processing such information.
Processor does not intentionally process official criminal record data, biometric data, or government-issued sensitive identifiers.
4. Hosting and Data Location
4.1 Infrastructure Provider: Amazon Web Services (AWS).
4.2 Hosting Region: GCC region.
4.3 Processor shall not intentionally transfer Personal Data outside the GCC region without:
- Controller's prior written authorization; and
- Appropriate safeguards as required by applicable law.
5. Sub-Processors
5.1 Processor may engage infrastructure and technical service providers necessary to operate the Service.
5.2 Processor shall ensure such sub-processors are bound by data protection obligations no less protective than those set forth herein.
5.3 Processor's liability for sub-processors shall be subject to the limitations of liability set forth in the Agreement.
5.4 A current list of material sub-processors shall be made available upon reasonable request.
6. Security Measures
Processor implements appropriate technical and organizational measures, including:
6.1 Technical Measures
- Encryption in transit (TLS/HTTPS)
- Encryption at rest
- Role-based access controls (RBAC)
- Multi-factor authentication (MFA) for administrative access
- Audit logging
- Secure cloud infrastructure (AWS GCC)
- Logical segregation of client environments
6.2 Organizational Measures
- Restricted personnel access on a need-to-know basis
- Confidentiality obligations
- Internal access review controls
Processor shall maintain safeguards appropriate to the risk presented by the Processing.
7. Data Retention and Deletion
7.1 Default data retention period: thirty (30) days unless otherwise configured by Controller.
7.2 Controller may configure retention settings within the platform.
7.3 Upon termination of the Agreement and written request by Controller, Processor shall delete or return Personal Data.
7.4 Notwithstanding the foregoing, Processor may retain Personal Data in secure backup systems for a limited period consistent with standard backup retention policies, provided such data remains protected and is not actively processed.
8. Data Subject Rights
8.1 Processor shall provide reasonable assistance to Controller in responding to valid data subject rights requests, where technically feasible.
8.2 Controller remains solely responsible for validating and responding to such requests.
9. Personal Data Breach
9.1 Processor shall notify Controller without undue delay and, where feasible, within seventy-two (72) hours after confirmation of a Personal Data Breach affecting Controller Data.
9.2 Notification may be provided in phases as additional information becomes available.
9.3 Controller is responsible for regulatory notification obligations.
10. Automated Processing
10.1 Processor may use automated tools to assist with categorization, pattern recognition, and report organization.
10.2 Such tools do not replace human review and do not produce legal or similarly significant effects.
10.3 Final investigation decisions remain solely with Controller.
11. Audit Rights
11.1 Controller may request reasonable documentation demonstrating Processor's compliance with this Addendum.
11.2 On-site audits:
- Require reasonable prior written notice
- Shall not occur more than once per calendar year unless required by law
- Must not compromise Processor's confidential information or infrastructure security
11.3 Audits shall be conducted during normal business hours and subject to confidentiality obligations.
12. Confidentiality
Processor shall ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
13. Indemnification
Controller shall indemnify and hold Processor harmless against any claims, damages, or regulatory penalties arising from:
- Controller's unlawful instructions;
- Controller's failure to establish a lawful basis for Processing;
- Content submitted by users of the Service.
14. Limitation of Liability
Liability under this Addendum shall be subject to the limitations of liability set forth in the Agreement.
Nothing in this Addendum shall expand Processor's liability beyond the limits agreed in the Agreement.
15. Term
This Addendum remains in effect for the duration of the Agreement and for as long as Processor processes Personal Data on behalf of Controller.
VoiCase Whistleblowing & Case Management is a Product of Hance Consulting FZE