DPO procurement checklist
Ten questions your DPO will ask.
The questions a Data Protection Officer or procurement team typically raises before approving a voice AI vendor — each with our honest answer and a link to the page where you can verify it.
This page is general information about Audact, not legal advice.
- 1
Where is our data hosted?
Platform data is hosted on AWS Frankfurt (eu-central-1) — physically in the EU. AWS is US-incorporated, so we disclose CLOUD Act exposure openly and publish a roadmap to fully EU-native hosting (Hetzner Germany targeted July 2026).
EU-native stack roadmap - 2
Who are your sub-processors?
We publish the full sub-processor list — provider, country, function, and data category — and notify customers 30 days before adding a new one. Each transfer outside the EEA is covered by Standard Contractual Clauses.
Sub-processor list - 3
Is a Data Processing Agreement (DPA) available?
Yes. Our GDPR Article 28-aligned DPA covers scope of processing, sub-processors, security measures, audit rights, and breach notification. It is available for review before signing.
Read the DPA - 4
What are your retention periods, and can data be deleted?
Retention is per-customer configurable. Default is 90 days for call audio and a longer period for the cryptographic evidence chain to meet audit needs. On an erasure request, personal data is removed via per-subject key destruction (crypto-shredding), so expired data is rendered unreadable.
Records of processing (ROPA) - 5
How do you handle GDPR data-subject and deletion requests?
We assist customers (as processor) with data-subject access, portability, and erasure requests. Routes for each are published, with privacy@audact.ai as the contact for data-subject matters.
Deletion request route - 6
Do you support EU AI Act Article 50 disclosure, and is there evidence?
Yes. Article 50 disclosure runs per call and is attested in the per-call evidence receipt. You can download an anonymised sample receipt (PDF + JSON) and inspect the evidence chain yourself before signing anything.
Walk a sample receipt - 7
What is your breach / incident process?
We operate an incident-response process with regulatory notification within the GDPR 72-hour window and an on-call rotation. Security disclosures go to security@audact.ai under a responsible-disclosure policy.
Security summary - 8
How is data encrypted and access controlled?
TLS 1.3 in transit, AES-256 at rest, and per-subject key encryption for personal data. Access uses role-based access control with mandatory MFA for admin access and a retained audit log.
Security summary - 9
What certifications do you hold or plan?
We are GDPR-compliant today. ISO 27001 is in progress and ISO 42001 and SOC 2 Type II are planned for 2027. We state status honestly rather than implying certifications we do not yet hold.
Trust Center - 10
Where can procurement get everything in one place?
The Trust Center collects the DPA, sub-processor list, Article 50 templates, ROPA, and security summary — all of these in one place for your procurement file.
Trust Center
The one-minute proof
Hand your DPO the exact receipt they inspect.
Download an anonymised sample of the per-call evidence receipt — the same artifact a DPO or auditor reviews — as PDF and JSON.
Everything procurement needs, in one place.
The Trust Center collects the DPA, sub-processor list, Article 50 templates, ROPA, and security summary — or start white-glove onboarding when you're ready.