1. Why we publish this list
DSH is a controller of personal data under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL"). When we use a third party to process data on our instructions, that third party becomes our processor.
Article 10 of the UAE PDPL requires the controller to:
- Pick processors that give enough technical and organisational guarantees.
- Sign a written contract that binds the processor to the same duties we owe you.
- Stay liable to you for what our processors do.
Article 16 of the UAE PDPL governs cross-border transfers. Personal data may leave the UAE only when the destination country offers an adequate level of protection, or when the controller puts a recognised safeguard in place such as standard contractual clauses, binding corporate rules, or your explicit consent.
We have the right to engage subprocessors to deliver our services. When we add or replace a subprocessor we will notify you in advance through the customer portal and by email. You have the right to object, as set out in section 5 below.
2. Subprocessors by category
2.1 Cloud hosting, CDN, and edge
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Vercel Inc. | Web hosting for dubaismarthome.ae | Page logs, IP, request headers | United States | Standard contractual clauses + Data Processing Addendum | https://vercel.com/legal/privacy-policy |
| Cloudflare Inc. | CDN, WAF, Zero Trust tunnel for portal | IP, request metadata, TLS metadata | United States and EU | Standard contractual clauses + DPA | https://www.cloudflare.com/privacypolicy/ |
| Amazon Web Services (AWS) | RMM data plane, log lake, customer portal database | Project records, device telemetry, support tickets | UAE me-central-1 (primary) and EU-west-1 (disaster recovery) | Primary processing inside UAE; EU mirror under SCCs | https://aws.amazon.com/privacy/ |
2.2 Smart-home cloud platforms
These platforms are activated only when you choose the matching brand of lighting, control, audio, or voice. The vendor is the data controller for its own end-user account; DSH is a processor on your behalf during installation and remote support.
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Lutron Electronics | RadioRA 3, HomeWorks QSX, Caseta cloud auth and remote keypad updates | Device IDs, firmware logs, your installer account | United States | SCCs + DPA at integrator level | https://www.lutron.com/en-US/Pages/Legal/PrivacyPolicy.aspx |
| Crestron Electronics | Crestron Home cloud auth and remote diagnostic | Project file metadata, device serials | United States | SCCs + DPA | https://www.crestron.com/Legal/Privacy-Statement |
| Snap One (Control4 4Sight) | Remote-monitoring portal for Control4 systems | Scene names, device status, alarm codes | United States | SCCs + DPA | https://www.snapone.com/privacy-policy |
| Ubiquiti Inc. (UniFi Cloud) | Network controller, remote management of switches and access points | MAC addresses, device names, traffic counters | United States | SCCs + DPA | https://www.ui.com/legal/privacypolicy/ |
| Apple Inc. (HomeKit, Home Hub, iCloud) | HomeKit pairing and iCloud sync of accessory state | Accessory identifiers, end-to-end encrypted home data | United States and EU | SCCs + DPA; end-to-end encryption for HomeKit data | https://www.apple.com/legal/privacy/en-ww/ |
| Amazon (Alexa) | Voice fall-back and routine triggers | Voice utterance metadata, account ID | United States and EU | SCCs + DPA | https://www.amazon.com/gp/help/customer/display.html?nodeId=GVP69FUJ48X9DT8X |
| Google LLC (Google Home, Assistant) | Voice fall-back and casting | Voice utterance metadata, device list | United States and EU | SCCs + DPA | https://policies.google.com/privacy |
| Sonos Inc. | Multi-room audio cloud and casting | Account ID, room names, content source IDs | United States and EU | SCCs + DPA | https://www.sonos.com/en/legal/privacy |
| Josh.ai Inc. | Private voice control, voice training, OTA updates | Voice training samples (opt-in), device IDs | United States | SCCs + DPA; on-device default, cloud opt-in | https://www.josh.ai/privacy |
2.3 Surveillance and access cloud
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Hikvision (Hik-Connect) | Camera and intercom remote view | Stream metadata, device serials | Hong Kong SAR with EU mirror | SCCs + DPA; on-prem NVR primary, cloud optional | https://www.hikvision.com/en/support/cybersecurity/privacy-policy/ |
| Axis Communications (Axis Companion) | Axis camera management | Device firmware logs, recording metadata | Sweden (EU) | EU adequacy under PDPL Art.16 | https://www.axis.com/about-axis/privacy |
| Motorola Solutions (Avigilon Cloud) | Avigilon ACC cloud connection | Device IDs, alarm events | United States and EU | SCCs + DPA | https://www.motorolasolutions.com/en_us/about/privacy-policy.html |
| Mobotix AG | Mobotix camera management | Device IDs, firmware logs | Germany (EU) | EU adequacy under PDPL Art.16 | https://www.mobotix.com/en/privacy-statement |
2.4 Energy stack monitoring
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| SolarEdge Technologies | PV inverter monitoring | Generation data, inverter serial | Israel and EU | SCCs + DPA | https://www.solaredge.com/us/legal/privacy-policy |
| Enphase Energy | Microinverter and battery monitoring | Generation data, battery state | United States | SCCs + DPA | https://enphase.com/en-us/privacy-policy |
| Tesla Inc. | Powerwall and Tesla mobile app pairing | Battery state, charge cycles | United States | SCCs + DPA | https://www.tesla.com/legal/privacy |
| Span.IO | Smart electrical panel monitoring | Per-circuit consumption | United States | SCCs + DPA | https://www.span.io/privacy-policy |
| Wallbox Chargers (myWallbox) | EV charger telemetry | Charge sessions, kWh, vehicle ID | Spain (EU) | EU adequacy under PDPL Art.16 | https://wallbox.com/en_uk/legal/privacy-policy |
| ABB Ltd (ChargerSync) | ABB EV charger management | Charge sessions, firmware logs | Switzerland and EU | EU adequacy + SCCs | https://new.abb.com/privacy-notice/customers |
2.5 Remote monitoring, management, and observability
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Auvik Networks | Network RMM | Topology, device names, SNMP counters | Canada | SCCs + DPA; Canada has UK adequacy | https://www.auvik.com/privacy-notice/ |
| Domotz | Network and device RMM | Ping data, device names, MAC addresses | United Kingdom | SCCs + DPA | https://www.domotz.com/privacy-notice.php |
| Datadog Inc. | Application logs and infra metrics | Service logs, request traces | United States and EU | SCCs + DPA | https://www.datadoghq.com/legal/privacy/ |
| Sentry (Functional Software Inc.) | Error logging from web and portal | Stack traces, scrubbed user agent | United States and EU | SCCs + DPA | https://sentry.io/privacy/ |
2.6 Productivity and customer operations
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Google Workspace (Google LLC) | Email, calendar, Drive for project documents | Email, attachments, calendar | EU and United States | SCCs + DPA | https://workspace.google.com/terms/dpa_terms.html |
| HubSpot Inc. | CRM, lead nurture, ticketing | Contact details, deal stage, email logs | EU (Frankfurt) | EU adequacy under PDPL Art.16 | https://legal.hubspot.com/privacy-policy |
| Calendly LLC | Booking calls with our team | Name, email, time zone | United States | SCCs + DPA | https://calendly.com/privacy |
| Slack (Salesforce Inc.) | Internal team messaging, on-call alerts | Project channel data | United States and EU | SCCs + DPA | https://slack.com/trust/privacy/privacy-policy |
2.7 Backup
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Backblaze Inc. (B2) | Encrypted cloud backup of project files | Encrypted blobs (we hold the keys) | United States and EU | SCCs + DPA; client-side encryption | https://www.backblaze.com/company/privacy.html |
| Wasabi Technologies | Encrypted secondary backup | Encrypted blobs (we hold the keys) | EU (Amsterdam) | EU adequacy + DPA | https://wasabi.com/legal/privacy-policy |
2.8 Payment processing
When you pay an invoice or a deposit, the card data is captured by the payment processor and is never stored on DSH systems.
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Stripe Payments Europe Ltd. | Card processing for AED, USD, EUR | Tokenised card data, billing address | Ireland (EU) | EU adequacy under PDPL Art.16 | https://stripe.com/en-ae/privacy |
| Telr Services FZ-LLC | Local AED card processing | Tokenised card data | UAE (Dubai) | Onshore UAE; no cross-border transfer | https://www.telr.com/legal/privacy-policy/ |
| Network International LLC | Local AED card processing for B2B | Tokenised card data | UAE (Dubai) | Onshore UAE; no cross-border transfer | https://www.network.ae/en/privacy-policy |
2.9 Web analytics
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Plausible Analytics | Cookieless website analytics | Aggregated visit counts, no personal IDs | EU (Germany) | EU adequacy under PDPL Art.16 | https://plausible.io/privacy |
| Google Analytics 4 (Google LLC) | Website analytics with IP anonymisation enabled | Truncated IP, page path | EU and United States | SCCs + DPA; IP anonymisation on by default | https://policies.google.com/privacy |
2.10 Voice and AI
We use AI services only as a fall-back path or to assist our support staff. They are not used to process biometric data inside customer villas without your written consent.
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| OpenAI Ireland Ltd. | Optional transcription fall-back for support audio | Transcribed text only, no training | Ireland (EU) | EU adequacy + zero-retention API tier | https://openai.com/policies/privacy-policy |
| Anthropic PBC | Claude API for support automation | Customer support tickets, no training | United States | SCCs + DPA; zero-retention enterprise tier | https://www.anthropic.com/legal/privacy |
| Microsoft Azure Speech (Microsoft Ireland) | Arabic ASR fall-back | Audio chunks, transcripts | EU (Netherlands) | EU adequacy under PDPL Art.16 | https://privacy.microsoft.com/en-us/privacystatement |
2.11 Government API
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Islamic Affairs and Charitable Activities Department (IACAD) | One-way ingest of UAE prayer-times for Adhan-aware lighting, audio, voice | Public prayer-time table, no personal data | UAE (Dubai) | Onshore public dataset; no personal data flows out | https://www.iacad.gov.ae |
2.12 Secure remote support
| Name | Service we use it for | Data category | Country of processing | Lawful transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Tailscale Inc. | WireGuard tunnels for technician-to-villa support | Tunnel metadata, no traffic content | United States and EU | SCCs + DPA; end-to-end encrypted | https://tailscale.com/privacy-policy |
3. How we vet a new subprocessor
Before any vendor in the table above is given access to customer data, our operations team runs a four-step check:
- Contract. A signed Data Processing Addendum that binds the vendor to UAE PDPL Article 10 duties, including breach notice, audit rights, and deletion on termination.
- Security evidence. Current ISO 27001 certificate, SOC 2 Type II report, or equivalent. Where the vendor is a hardware-control cloud, we accept an IEC 62443 attestation.
- PDPL Article 16 transfer check. We confirm the destination country and pick a lawful transfer mechanism. We prefer UAE-resident processing first, then EU adequacy, then SCCs.
- Sub-region preference. Where the vendor offers UAE or GCC region hosting we select that region by default. EU is our second preference. United States is the last resort and only with SCCs in place.
4. How we notify you of new subprocessors
Whenever we add or replace a subprocessor we will:
- Email the account contact listed in your project file.
- Post a portal notice with the vendor name, the data category, and the lawful transfer mechanism.
- Update this page and the Last updated date.
The notice goes out at least 30 days before the new subprocessor goes live. This 30-day window is your objection window, in line with UAE PDPL principles on transparency and the data subject right to object under Article 13.
5. Your right to object and your right to terminate
You may object to a new subprocessor by emailing support@dubaismarthome.ae during the 30-day notice window. We will then either:
- Offer a workaround, for example a regional alternative or an on-prem-only deployment of the same function.
- Pause the rollout for your account until we can offer a workaround.
- Allow you to terminate the affected service line for cause, with a pro-rata refund of any prepaid fees, where no workaround is possible.
You may also raise a complaint with the UAE Data Office under Article 25 of the UAE PDPL.
6. Last updated
This list was last updated on 22 June 2026. We review the list at least every six months and on every onboarding of a new platform.
For privacy questions please contact:
support@dubaismarthome.ae
One Central, 8th and 9th Floor, Trade Centre 2, Dubai, United Arab Emirates
+971 50 506 1871