DPA & Compliance
Certifications
- ΕΛΟΤ EN ISO/IEC 27001:2023 (ISO/IEC 27001:2022) — ΣΔΑΠ/00141/01 (UCERT (ΕΣΥΔ accredited, no. 1224)), valid 2026-05-20–2029-05-19
- ΕΛΟΤ EN ISO/IEC 27701:2021 (ISO/IEC 27701:2019) — ΣΔΠΙ/00120/01 (UCERT (ΕΣΥΔ accredited, no. 1224)), valid 2026-05-20–2029-05-19
Data retention
| Category | Default | Configurable | Deletion mechanism |
|---|---|---|---|
| Call recordings and transcriptions (AI and human legs) | 30 days | Per customer and per AI agent, 0–180 days; stricter policies additionally anonymize the caller phone number and clear conversation content | Automated daily retention job; permanent deletion from object storage |
| Operational logs (audit, system, activity, call, SIP) | 7 days | Extended retention available by specific agreement | Automatic deletion via database TTL indexes |
| Database backups (MongoDB platform data) | 30 days | Extended retention available by specific agreement | Automatic deletion from AWS S3 after 30 days (daily backup job cleanup) |
| All customer data after contract termination | Return and/or destruction within 60 days (reversibility window); minimum 30 days post-termination retention | Per the Data Processing Agreement | Company purge — permanent deletion of all stored objects and records |
Technical & organizational measures
| Area | Measure |
|---|---|
| Encryption in transit | HTTPS/TLS for web, API and WebSocket interfaces. SIP over TLS and SRTP for voice where supported by the interconnected carrier/PBX; otherwise UDP/RTP restricted at network level (IP allowlisting, firewall). |
| Encryption at rest | Files (recordings, transcriptions, attachments) stored in AWS S3 eu-north-1 with AES-256 server-side encryption. Sensitive credentials and integration tokens encrypted at application level with AES-256-GCM. User passwords stored as bcrypt hashes only. |
| Hosting | Primary infrastructure (application servers, self-hosted MongoDB/Redis, voice stack) on Hetzner dedicated servers in Frankfurt (Germany) and Finland — EU/EEA, ISO/IEC 27001 certified data centers. Speech-to-text and text-to-speech default to third-party EU providers; self-hosted AI models on EU dedicated machines are used only on customer selection. Databases are not internet-exposed. |
| Access control | Named per-user accounts, company-scoped data isolation, MFA for privileged remote access and source-code platforms, formal privileged-account lifecycle. Access revoked within 1 month of departure (immediately for privileged access). |
| Incident response | Customer notification within 48 hours of detection (including personal data breaches); Root Cause Analysis within 2 weeks. Incident subject prefix: [Voice Logica Security Incident]. |
| Database backups | Daily automated full MongoDB backup, compressed and streamed directly to AWS S3 eu-north-1 with AES-256 server-side encryption; retained 30 days then auto-deleted, with no backup files kept on the production server. Large operational log collections (call, activity, SIP, audit and system logs, emails) are excluded from backups and instead expire via a 7-day database TTL. |
| Business continuity | RTO 4 hours, RPO 4 hours; daily offsite database backups; disaster recovery plan reviewed at least annually. |
| Vulnerability management | Daily monitoring of vendor advisories. Remediation: critical 4 hours, high 48 hours, medium 2 months, low next release. |
| Audits | Annual third-party security audits including ISO/IEC 27001 and 27701 surveillance audits. Customer audit right with 15 business days notice (72 hours in emergencies). |
| Payments | PCI-DSS not applicable — payments processed exclusively by Stripe (PCI DSS Level 1); cardholder data never touches Voice Logica systems. |
Sub-processor register
| Name | Role | Data categories | Location | Transfer mechanism | Default |
|---|---|---|---|---|---|
| Hetzner Online GmbH | Infrastructure (dedicated servers: applications, self-hosted databases, voice stack; self-hosted AI models only on customer selection) | All hosted service data | Frankfurt (Germany) + Finland, EU/EEA | n/a (EEA) | yes |
| Amazon Web Services EMEA SARL | Object storage S3 (recordings, transcriptions, attachments) + email SES | Call recordings, transcriptions, attachments, email content | eu-north-1 (Stockholm), EU/EEA | n/a in-region; AWS DPA SCCs + DPF for any non-EEA access | yes |
| Yuboto Telephony | Telecom interconnection (call routing, SIP/VoIP, numbering, SMS) | Phone numbers, call/traffic metadata, voice content in transit | Greece, EU/EEA | n/a (EEA) | yes |
| OpenAI (OpenAI Ireland Ltd) | LLM — default dialogue/analysis provider (signed DPA); optionally Whisper STT / TTS / embeddings | Conversation text, transcriptions, prompts, call metadata | EU contracting entity; processing may occur in the US | DPA with SCCs; EU-US Data Privacy Framework | yes |
| Soniox Inc. | Speech-to-text — default provider; optionally TTS | Real-time call audio stream, transcriptions | EU data residency (default); US/JP selectable | n/a for EU residency; otherwise SCCs/DPF | yes |
| Google (Google Ireland Ltd / Google Cloud) | Speech-to-text fallback (EU region); optionally Gemini LLM, Cloud TTS, Search API | Real-time call audio stream, transcriptions | Google Cloud EU regions | Google Cloud DPA; SCCs/DPF where applicable | yes |
| ElevenLabs Inc. | Text-to-speech — default provider (EU data residency); optionally STT | Agent response text to be spoken (transient) | EU data residency (default) | n/a for EU residency; otherwise SCCs/DPF | yes |
| Microsoft Ireland Operations Ltd (Azure Speech) | Text-to-speech fallback (EU region); optionally STT | Agent response text to be spoken (transient) | Azure EU regions | Microsoft DPA (EU Data Boundary); SCCs/DPF where applicable | yes |
| Stripe Payments Europe Ltd | Billing/subscriptions (largely independent controller; card data never touches Voice Logica) | Customer billing details | EU/US | SCCs in Stripe DPA + DPF | yes |
| Anthropic PBC | LLM (on customer selection only) | Conversation text, prompts | US | DPF and/or SCCs | on request |
| xAI Corp. (Grok) | LLM (on customer selection only) | Conversation text, prompts | US | DPF and/or SCCs | on request |
| Groq Inc. | LLM (on customer selection only) | Conversation text, prompts | US | DPF and/or SCCs | on request |
| Together AI Inc. | LLM (on customer selection only) | Conversation text, prompts | US | DPF and/or SCCs | on request |
| MiniMax | LLM/TTS (on customer selection only; SCCs/TIA review required before activation for EU data) | Conversation text | Non-EEA | SCCs + Transfer Impact Assessment | on request |
| Deepgram Inc. | Speech-to-text (on customer selection only; no data retention configuration) | Real-time call audio stream | US | DPF and/or SCCs | on request |
| Speechmatics Ltd | Speech-to-text (on customer selection only) | Real-time call audio stream | United Kingdom | EU adequacy decision for the UK | on request |
| Fireworks AI Inc. | Speech-to-text (on customer selection only) | Real-time call audio stream | US (us-virginia-1) | DPF and/or SCCs | on request |
| Murf AI Inc. | Text-to-speech (on customer selection only) | Agent response text (transient) | US | DPF and/or SCCs | on request |
| Pinecone Systems Inc. | Vector database for knowledge-base RAG (on customer selection only) | Customer knowledge-base content as embeddings (not call data) | US or EU per configuration | SCCs/DPF where US | on request |
| Qdrant Solutions GmbH | Vector database for knowledge-base RAG (on customer selection only) | Customer knowledge-base content as embeddings (not call data) | Berlin (Germany) or self-hosted | n/a (EEA) | on request |