Data Protection Impact Assessment (summary)
Last updated: 2026-06-11
Why a DPIA
Large-scale processing of voice recordings by an AI system can be high-risk under GDPR Art. 35, so we maintain a DPIA.
Processing described
AI assistants place / receive calls on behalf of clients, record and transcribe them, and extract structured outcomes.
Necessity & proportionality
Processing is limited to the client's instructions and the campaign purpose; data minimisation and retention limits apply.
Risks & mitigations
- Unauthorised access to recordings / transcripts → encryption, access control, tenant isolation.
- Lack of caller awareness → AI / recording disclosure (see that page) and consent controls.
- International transfer → SCCs + Transfer Impact Assessment.
- Over-retention → configurable retention + automatic purge + erasure on request.
Residual risk
Assessed as acceptable with the controls above. This summary is a template — a full DPIA should be completed with counsel for each high-risk use case.