Callina.ai

01 · Security & Compliance

An architecture that passes regulatory audits.

Data sovereignty. Confidentiality. Availability. Three words. Five audits. One honest answer: yes — documented, signed, re-audited yearly.

ISO/IEC 27001:2022
  Information security management system · Audited
ISO/IEC 42001:2023
  AI management system · Audited
GDPR attestation
  Independent assessment · Active
EU AI Act
  High-risk classification documented · Compliant
ELGA · KBV
  Healthcare approvals AT/DE · Certified
NIS2 readiness
  Critical-entity requirements met · Ready

02 · Three pillars

Data sovereignty · Confidentiality · Availability.


Data sovereignty

Your call data does not leave the EU. Period.

  • Hosted exclusively in Austria and Germany
  • Confidential computing in trusted execution environments
  • Your data is never used for training — period
  • DPA per Art. 28 GDPR included
  • Right to export & delete data any time

Confidentiality

Patient data, attorney-client privilege, trade secrets — all isolated.

  • Tenant isolation at storage and compute level
  • Encryption in transit (TLS 1.3) & at rest (AES-256)
  • Bring-your-own-key on Enterprise plan
  • Audit log of every data request, signed & tamper-proof
  • Penetration testing by external DACH providers

Availability

A bot that doesn't pick up isn't a bot.

  • SLA 99.9% (Business) / 99.95% (Enterprise)
  • Multi-AZ deployment across two EU regions
  • Carrier failover within 200 ms
  • Status page & maintenance notice 14 days in advance
  • Daily backups · 30-day point-in-time recovery

03 · Architecture

What happens when someone calls you.

Seven layers between the caller and your database. Each with its own audit log.

Layer 1 · EU carrier & SIP trunk
  Telekom Austria · Deutsche Telekom · TLS 1.3 encrypted
Layer 2 · Edge & DDoS protection
  EU-only edge cluster, geo-fenced, rate limiting
Layer 3 · Tenant isolation
  Dedicated namespace + encryption key per customer
Layer 4 · Confidential Computing
  AI inference in trusted execution environments — data unencrypted only inside the TEE
Layer 5 · Storage & encryption at rest
  AES-256, BYOK on Enterprise · storage in AT/DE
Layer 6 · Audit log (tamper-proof)
  WORM storage, signed, retention-compliant
Layer 7 · Your system (CRM, calendar, PMS)
  Whitelisted outbound only — you stay in control
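What "signed & tamper-proof" buys an auditor, and what it does not, shown with an added illustration that is not Callina's code (the page does not disclose its implementation): a hash-chained, HMAC-signed append-only log in which every record commits to its predecessor. Editing, reordering or deleting a record breaks the chain; silently truncating the tail does not, which is exactly why the head hash has to be anchored in write-once (WORM) storage as Layer 6 describes. The key, event fields and tenant IDs below are constructed for the example, and HMAC stands in for the asymmetric signature a production audit system would use.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption for this example). In a real deployment the
# signing key lives in an HSM/KMS and auditors verify with a public key; HMAC
# keeps the example stdlib-only.
DEMO_KEY = b"demo-audit-log-key-not-for-production"
GENESIS = "0" * 64  # prev-hash of the first record


def _canonical(obj: dict) -> bytes:
    """Canonical JSON so the same event always serialises to the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(seq: int, prev: str, event: dict) -> str:
    return hashlib.sha256(_canonical({"seq": seq, "prev": prev, "event": event})).hexdigest()


def _sign(digest: str, key: bytes) -> str:
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append(log: list, event: dict, key: bytes = DEMO_KEY) -> dict:
    """Append one record chained to the previous one and sign its digest."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    digest = _digest(seq, prev, event)
    record = {"seq": seq, "prev": prev, "event": event, "hash": digest, "sig": _sign(digest, key)}
    log.append(record)
    return record


def verify(log: list, key: bytes = DEMO_KEY) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i  # dropped, inserted or reordered record
        digest = _digest(i, rec["prev"], rec["event"])
        if digest != rec["hash"]:
            return False, i  # record content edited after the fact
        if not hmac.compare_digest(_sign(digest, key), rec["sig"]):
            return False, i  # hash recomputed without the signing key
        prev = digest
    return True, -1


def verify_anchored(log: list, anchored_head: str, key: bytes = DEMO_KEY) -> bool:
    """Chain check plus comparison with a head hash kept outside the log (e.g. WORM storage)."""
    ok, _ = verify(log, key)
    return ok and bool(log) and hmac.compare_digest(log[-1]["hash"], anchored_head)


def demo() -> dict:
    """Build a three-record log and report what each tampering attempt yields."""
    log = []
    # Constructed sample events, one per trust boundary a call crosses.
    append(log, {"tenant": "t-1001", "actor": "sip-gateway", "action": "call.accepted"})
    append(log, {"tenant": "t-1001", "actor": "inference", "action": "transcript.read"})
    append(log, {"tenant": "t-1001", "actor": "crm-connector", "action": "contact.lookup"})
    anchored_head = log[-1]["hash"]  # this is what would be written to WORM storage

    # Attack 1: edit a middle record in place.
    edited = json.loads(json.dumps(log))
    edited[1]["event"]["action"] = "transcript.deleted"

    # Attack 2: edit and recompute the hash; without the key the signature stays stale.
    rehashed = json.loads(json.dumps(edited))
    rehashed[1]["hash"] = _digest(1, rehashed[1]["prev"], rehashed[1]["event"])

    # Attack 3: delete the middle record entirely.
    dropped = [log[0], log[2]]

    # Attack 4: truncate the tail. The chain alone cannot see this; the anchor can.
    truncated = log[:-1]

    return {
        "clean": verify(log),
        "edited": verify(edited),
        "rehashed": verify(rehashed),
        "dropped": verify(dropped),
        "truncated_chain_only": verify(truncated),
        "truncated_vs_anchor": verify_anchored(truncated, anchored_head),
    }
```

The last two results are the practitioner's caveat: `verify(truncated)` passes, `verify_anchored(truncated, ...)` fails. A signed hash chain proves integrity of what is present; only an externally anchored head (or genuinely write-once storage) proves completeness, so ask an auditor how the head is anchored, not just whether records are signed.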

04 · FAQ

What regulators regularly ask us.

Is my call data used to train the model?

No. Your call data is used only to deliver the service. Model updates use synthetic training data and contractually secured public-domain corpora. On Enterprise, logging can be fully disabled on request.

Where exactly is my data stored?

In certified data centres in Vienna (AT) and Frankfurt (DE). Failover stays within the EU. A list of sub-processors is part of the DPA — you're notified 30 days before any change.

How long is call data retained?

Default 30 days, configurable between 0 (immediate deletion) and 7 years (statutory tax/medical retention). Anonymised stats are kept beyond that.

What happens in a data breach?

We notify you within 24 hours — before any regulatory filing. Contractually committed incident response plan, tested yearly. €5M cyber insurance per incident.

Can I host on-premise?

Yes, on Enterprise. We ship a Kubernetes Helm chart that runs in your private cloud or data centre. Model updates are delivered as signed container images.

Is Callina a medical device?

No. Callina is a communications assistant, not diagnostic/therapeutic software. For emergency triage the bot gives no medical advice — it escalates to staff or emergency services.

Trust center · full audit report.

On request we share the unredacted auditor report under NDA — including pentest results and sub-processor list.

hello@callina.ai