Security and trust

GDPR position

• DPA available for client agencies.
• Article 30 register maintained internally.
• DPIA screening completed for the real-estate voice-agent use case.
• No client data is used to train an AI model without separate written agreement.

Technical measures

• TLS encryption in transit.
• Restricted admin access and MFA to be enforced on production tools.
• Supabase database with RLS and server-side service-role endpoints.
• Limited and controlled PII exports in the admin.
• No public Google Drive links for recordings.

Default retention

• Audio: 30 days maximum if the client enables recording.
• Transcripts: 90 days.
• Summaries and call history: 12 months.
• Caller memory: 12 months or deletion on request.

Incident

Security incidents can be reported to privacy@onecallflow.com. In case of a personal-data breach, OneCallFlow follows an assessment, mitigation and client notification process where required.