We develop AI solutions with the customers in focus
CleverCall is used by private and public organizations that have one thing in common: a focus on GDPR.
Handling of data flow and storage of personal data
In 2018, new legislation on the GDPR (personal data act) came into force. This meant that you now had to make decisions about your data to a much greater extent than before. Cloud solutions have been growing for quite some time and, together with the increased focus on data handling, this places great demands on CleverCall.ai’s handling of data. In 2022 came the Schrems-II decision, which placed great demands on cloud solutions. In order to meet the Danish Data Protection Authority’s requirements, CleverCall.ai provides several options when it comes to hosting data. As a starting point, CleverCall.ai hosts only with EU-owned companies to ensure data security.
CleverCall.ai does not need to record conversations; it transcribes them. As a starting point, all personal data is stored, but it is possible to set up filters for sensitive personal data (race and ethnic origin, political beliefs, religious or philosophical beliefs, trade union affiliations, genetic data, biometric data for the purpose of unique identification, health information, sexual relationships or sexual orientation). Such data is anonymized immediately. In general, you have the option to set up a timed process yourself for when data must be anonymized.
Storage of personal data
Data in motion: Here the data stream is encrypted via certificate.
Data at rest: Data is stored and processed by ScanNet in Denmark.
At rest: Personal data is stored exclusively in the EU. The parent companies of the cloud suppliers/sub-processors used are European companies.
In motion: The cloud providers used, with services in the EU, encrypt the data stream with a certificate. Encrypted data flow takes place exclusively at data centers in the EU.
The latest guidance on cloud from the Norwegian Data Protection Authority places additional requirements on the data controller to ensure that no transfer takes place to unsafe third countries, even when only data centers located in the EU/EEA are used. Suppliers with a parent company in an unsafe third country, including the USA, are subject to legislation under which the supplier must hand over the data controller’s personal data on request.
Description and handling of data
Supplementary explanation for ISAE3000, risk assessment and data processing agreement:
Sound is divided into 4 general categories:
Incoming:
1. General speech that contains no sensitive personal data.
2. Personal data, including name, email, telephone number and any sensitive personal data.
Outbound:
3. Static predefined data (Answer). For example, opening hours, prices for passports, official guidelines, etc.
4. Dynamic data, which may contain static data and personal data.
Data logging and anonymization can be set up in two different ways:
1. With the exception of telephone numbers, we do not store personal data. Here, only the telephone number is saved and used in connection with documentation for invoicing, and it is subsequently deleted. No personal data is stored.
2. Data is saved and anonymized at the interval you choose. Here you decide for yourself how long personal data must be stored. There is a “Forget me” function that makes it possible to delete specific personal data.
Storage of personal data (data in motion, data at rest):
Data in motion: Here, the data stream is encrypted via certificate.
Data at rest: Data is stored and processed by ScanNet in Denmark.
In summary
Based on the above description, we can conclude that we comply with the applicable and described guidelines.
At rest: Personal data is stored exclusively in the EU. The parent companies of the cloud suppliers/sub-processors used are European companies.
In motion: The cloud providers used, with services in the EU, encrypt the data stream with a certificate. Encrypted data flow takes place exclusively at data centers in the EU.