Skip to main content

DPO procurement checklist

Ten questions your DPO will ask.

The questions a Data Protection Officer or procurement team typically raises before approving a voice AI vendor — each with our honest answer and a link to the page where you can verify it.

This page is general information about Audact, not legal advice.

  1. 1

    Where is our data hosted?

    Platform data is hosted on AWS Frankfurt (eu-central-1) — physically in the EU. AWS is US-incorporated, so we disclose CLOUD Act exposure openly and publish a roadmap to fully EU-native hosting (Hetzner Germany targeted July 2026).

    EU-native stack roadmap
  2. 2

    Who are your sub-processors?

    We publish the full sub-processor list — provider, country, function, and data category — and notify customers 30 days before adding a new one. Each transfer outside the EEA is covered by Standard Contractual Clauses.

    Sub-processor list
  3. 3

    Is a Data Processing Agreement (DPA) available?

    Yes. Our GDPR Article 28-aligned DPA covers scope of processing, sub-processors, security measures, audit rights, and breach notification. It is available for review before signing.

    Read the DPA
  4. 4

    What are your retention periods, and can data be deleted?

    Retention is per-customer configurable. Default is 90 days for call audio and a longer period for the cryptographic evidence chain to meet audit needs. On an erasure request, personal data is removed via per-subject key destruction (crypto-shredding), so expired data is rendered unreadable.

    Records of processing (ROPA)
  5. 5

    How do you handle GDPR data-subject and deletion requests?

    We assist customers (as processor) with data-subject access, portability, and erasure requests. Routes for each are published, with privacy@audact.ai as the contact for data-subject matters.

    Deletion request route
  6. 6

    Do you support EU AI Act Article 50 disclosure, and is there evidence?

    Yes. Article 50 disclosure runs per call and is attested in the per-call evidence receipt. You can download an anonymised sample receipt (PDF + JSON) and inspect the evidence chain yourself before signing anything.

    Walk a sample receipt
  7. 7

    What is your breach / incident process?

    We operate an incident-response process with regulatory notification within the GDPR 72-hour window and an on-call rotation. Security disclosures go to security@audact.ai under a responsible-disclosure policy.

    Security summary
  8. 8

    How is data encrypted and access controlled?

    TLS 1.3 in transit, AES-256 at rest, and per-subject key encryption for personal data. Access uses role-based access control with mandatory MFA for admin access and a retained audit log.

    Security summary
  9. 9

    What certifications do you hold or plan?

    We are GDPR-compliant today. ISO 27001 is in progress and ISO 42001 and SOC 2 Type II are planned for 2027. We state status honestly rather than implying certifications we do not yet hold.

    Trust Center
  10. 10

    Where can procurement get everything in one place?

    The Trust Center collects the DPA, sub-processor list, Article 50 templates, ROPA, and security summary — all of these in one place for your procurement file.

    Trust Center

The one-minute proof

Hand your DPO the exact receipt they inspect.

Download an anonymised sample of the per-call evidence receipt — the same artifact a DPO or auditor reviews — as PDF and JSON.

Everything procurement needs, in one place.

The Trust Center collects the DPA, sub-processor list, Article 50 templates, ROPA, and security summary — or start white-glove onboarding when you're ready.