Data Processing Agreement (DPA)
Callina is a processor as defined in Art. 28 GDPR. We provide every business customer with a signed DPA — using our standard template or yours.
Six building blocks, no fine print.
EU hosting
Hosting exclusively in certified EU data centres in Vienna (Austria) and Frankfurt (Germany). Data does not leave the EU.
Technical & organisational measures
Encryption in transit (TLS 1.3) and at rest (AES-256), tenant isolation, confidential computing in a trusted execution environment (TEE), signed WORM audit log, regular pentests by external DACH providers.
Sub-processors
A full, up-to-date list of sub-processors is part of the DPA. You are notified 30 days before any change and have a right to object.
No data used for training
Your call data is NOT used to train the model — contractually committed. Model updates use synthetic training data and contractually secured public-domain corpora.
Retention & deletion
Default retention 30 days, configurable between 0 (immediate deletion) and 7 years. Right to export and delete data at any time via API or written request.
Incident response
Notification within 24 hours, before any regulatory filing. Contractually committed, annually tested incident-response plan. €5M cyber insurance per incident.
Disclaimer: This page provides a content overview. Only the signed DPA is legally binding. Please request it before concluding the contract. The Data Protection Officer can be reached at hello@callina.ai.