Data protection, GDPR & DPA

Data protection, GDPR & security

Telenow gives voice AI teams GDPR- and UK GDPR-aligned data protection: encryption, RBAC access control, audit logging, configurable retention, and export/erasure across every call, recording, transcript and contact. You are the data controller and Telenow the processor; a Data Processing Agreement (DPA) is available on request. This page describes current capabilities — for contractual commitments, see Getting a DPA.

Roles: who is the controller and who is the processor

For the personal data in your calls and contacts, you are the data controller and Telenow is the data processor acting on your instructions. You decide what to collect, why, and for how long; Telenow provides the platform and the controls to store, export and delete it. Sub-processors (your chosen LLM, speech, and telephony providers) process data on the same basis — because Telenow is bring-your-own-provider, you choose which sub-processors are in your stack.

What data is processed

DataExamplesControls
Call media & transcriptsRecordings, STT transcripts, AI summariesRecording can be turned off per agent; exportable; deletable
Caller memoryRolling summaries, a facts ledger per callerConfigurable TTL; can be disabled or cleared — see Caller memory
Contacts & campaign listsPhone numbers, names, custom fieldsYou upload and can delete them; suppression via DNC
Account & usageTeam members, API keys, usage eventsRBAC-scoped; audit log of sensitive actions

GDPR-aligned handling

Telenow follows GDPR-aligned data-handling practices:

  • Lawful basis is yours to set. As controller you establish consent or another lawful basis for calling and recording; Telenow gives you the tools to record and honor it (see US calling compliance and DNC).
  • Data minimisation & retention. Keep only what you need: disable recording per agent, set a caller-memory TTL, and delete calls, recordings and contacts you no longer need.
  • Right of access & portability. Export call history as CSV and recordings as signed URLs at any time — see Calls & insights — so you can satisfy a data-subject access request.
  • Right to erasure. Delete recordings, caller-memory records and contacts on request; releasing a number removes its mappings. For a bulk or verified erasure request, contact us.
  • Encryption & access control. All data is encrypted in transit (TLS), and secrets, carrier credentials and API keys are encrypted at rest (AES-GCM). Access is role-based (RBAC) across your workspace, and sensitive actions are recorded in the audit log.

On certifications. Telenow operates with encryption, access control and audit logging throughout, and follows GDPR-aligned processing. Formal certifications such as SOC 2 and ISO 27001 are on the roadmap rather than in hand today — if a certification is a hard requirement for your procurement, talk to us about timelines and what we can commit to in a DPA.

US privacy (CCPA/CPRA) and HIPAA

The same controls that support GDPR requests also serve US state privacy laws such as the CCPA/CPRA (California) and similar regimes: you can access and export a consumer's data (CSV + signed URLs), delete it on request, and honor opt-outs via the DNC list. As with GDPR, you are the business/controller and Telenow the service provider/processor.

Healthcare (HIPAA). Telenow is not HIPAA-certified and does not sign BAAs today. If you are handling protected health information (PHI), talk to us via Contact sales about scope before building — don't assume PHI can be processed on a standard plan.

Hosting & data residency

Telenow runs on major cloud infrastructure, and calls are processed through the LLM, speech and telephony providers you choose — so the geography of processing depends in part on your stack (for example, some providers offer regional endpoints). If you have a specific data-residency requirement (EU-only processing, a particular region, or restrictions on which sub-processors may be used), contact us before you build so we can confirm what is achievable for your configuration. We would rather scope this up front than surprise you later.

Sub-processors

Because Telenow is provider-neutral, your sub-processor list is a function of your configuration — the model, speech (STT/TTS) and carrier you select, plus any integrations and MCP servers your agents call. Choosing providers with the data-protection posture and regional options you need is part of designing a compliant deployment. Ask us for the current list of Telenow's own infrastructure sub-processors for your DPA.

Getting a DPA

A Data Processing Agreement is available on request. It sets out the processor obligations, the sub-processors, security measures, and data-subject-request handling in contractual terms. Request one through Contact sales or your account contact, and reference any specific residency or certification requirements so we can address them directly.