GDPR Compliance
Effective Date:
Aug 1, 2024
Last Updated:
Aug 28, 2025
1. Executive Summary
This document demonstrates Callisi’s commitment to compliance with the General Data Protection Regulation (GDPR) and outlines our comprehensive approach to data protection. As a voice AI white-labeling platform operated by Hyperdimensional LLC, we process personal data on behalf of our agency clients while maintaining the highest standards of data protection and privacy.
Callisi serves as a data processor for voice AI interactions and related business data, implementing robust technical and organizational measures to ensure GDPR compliance across all processing activities. This document serves as both an internal compliance guide and external demonstration of our data protection commitments.
2. GDPR Compliance Framework
2.1 Regulatory Scope
Callisi’s GDPR compliance framework applies to:
- Processing of personal data of EU residents
- Clients operating in the European Economic Area (EEA)
- Cross-border data transfers from the EU to the United States
- Voice AI interactions involving EU data subjects
- Business data processing for EU-based organizations
2.2 Compliance Objectives
Our GDPR compliance program aims to:
- Ensure lawful, fair, and transparent processing of personal data
- Implement privacy by design and by default principles
- Provide comprehensive data subject rights fulfillment
- Maintain robust security measures for data protection
- Establish clear accountability and governance structures
3. The Seven GDPR Principles
Callisi’s data processing activities adhere to the seven fundamental principles established by the GDPR:
Principle 1: Lawfulness, Fairness, and Transparency
Implementation: We process personal data only with a valid lawful basis, maintain transparency through clear privacy notices, and ensure fair processing practices that respect data subjects’ rights and expectations.
Principle 2: Purpose Limitation
Implementation: Personal data is collected for specified, explicit, and legitimate purposes and is not processed for incompatible purposes. Voice AI data is processed solely for facilitating voice interactions and related business functions.
Principle 3: Data Minimization
Implementation: We collect and process only personal data that is adequate, relevant, and limited to what is necessary for the intended purposes. Our voice AI platform accesses only essential data for service delivery.
Principle 4: Accuracy
Implementation: We maintain accurate and up-to-date personal data and provide mechanisms for data subjects to correct inaccuracies. Regular data quality checks ensure information remains current and correct.
Principle 5: Storage Limitation
Implementation: Personal data is retained only as long as necessary for the purposes for which it was collected. Our data retention policies specify clear timeframes for different categories of data.
Principle 6: Integrity and Confidentiality (Security)
Implementation: We implement appropriate technical and organizational measures to ensure data security, including encryption, access controls, and regular security assessments.
Principle 7: Accountability
Implementation: We maintain comprehensive documentation of our compliance measures, conduct regular audits, and can demonstrate compliance with GDPR requirements through policies, procedures, and records.
4. Lawful Basis for Processing
Callisi relies on the following lawful bases for processing personal data under Article 6 of the GDPR:
| Processing Activity | Lawful Basis | Description |
|---|---|---|
| Voice AI Service Delivery | Contract (Article 6(1)(b)) | Processing necessary for the performance of our service contract with our clients |
| Account Management | Contract (Article 6(1)(b)) | Processing necessary for account setup, management, and service provision |
| Security Monitoring | Legitimate Interests (Article 6(1)(f)) | Processing necessary for our legitimate interests in maintaining platform security |
| Legal Compliance | Legal Obligation (Article 6(1)(c)) | Processing necessary for compliance with legal obligations |
| Marketing Communications | Consent (Article 6(1)(a)) | Processing based on explicit consent for marketing activities |
5. Data Subject Rights
Callisi respects and facilitates the exercise of all data subject rights under the GDPR:
5.1 Right to Information (Articles 13 & 14)
We provide clear and comprehensive information about data processing activities through our Privacy Policy and Data Processing agreement, ensuring data subjects understand how their data is used.
5.2 Right of Access (Article 15)
Data subjects can request access to their personal data and receive information about processing activities. We respond to access requests within 30 days and provide data in a structured, commonly used format.
5.3 Right to Rectification (Article 16)
We provide mechanisms for data subjects to correct inaccurate or incomplete personal data and ensure corrections are implemented across all processing systems.
5.4 Right to Erasure (Article 17)
Data subjects can request deletion of their personal data when legal grounds exist. We maintain clear deletion procedures and ensure complete removal from all systems within 24 hours of a valid request.
5.5 Right to Restrict Processing (Article 18)
We provide mechanisms to restrict processing when requested by data subjects under specific circumstances, including during accuracy disputes or objection procedures.
5.6 Right to Data Portability (Article 20)
Data subjects can receive their personal data in a structured, machine-readable format and request direct transfer to another controller where technically feasible.
5.7 Right to Object (Article 21)
Data subjects can object to processing based on legitimate interests or for direct marketing purposes. We provide clear objection mechanisms and cease processing unless compelling legitimate grounds exist.
5.8 Rights Related to Automated Decision-Making (Article 22)
While Callisi does not engage in automated decision-making with legal or significant effects, we maintain transparency about any AI-driven processing activities.
6. Voice AI Specific Considerations
6.1 Voice Data Processing
Callisi processes voice-related data with specific GDPR considerations:
- Voice Recordings: We do not store actual voice recordings but maintain secure links to recordings hosted by voice AI providers directly under accounts belonging to our clients (indicated in our list of Sub-processors)
- Voice Transcripts: Conversation transcripts are accessed via real-time APIs and not permanently stored on our servers.
- Voice Analytics: We display analytics generated by voice AI providers without conducting independent voice analysis.
- Voice Metadata: Call metadata is processed for dashboard display and business intelligence purposes.
6.2 Special Category Data
Voice interactions may inadvertently capture special categories of personal data (health, financial, etc.). Our approach includes:
- Relying on agency clients to configure appropriate voice AI settings
- Implementing data processing instructions that minimize special category data exposure
- Providing guidance to agency clients on GDPR-compliant voice AI configurations
- Maintaining strict access controls for any special category data processed
6.3 Consent Management for Voice Interactions
We require our clients to:
- Obtain appropriate consent for voice recording and processing
- Provide clear privacy notices for voice interactions
- Implement consent withdrawal mechanisms
- Maintain records of consent for audit purposes
7. Data Processing Activities
7.1 Personal Data Categories
Callisi processes the following categories of personal data:
- Identity Data: Names, usernames, email addresses
- Contact Data: Phone numbers, business addresses
- Business Data: Company names, job titles, business domains
- Technical Data: IP addresses, device information, usage logs
- Communication Data: Voice call metadata, conversation summaries
- Payment Data: Billing information (processed through Stripe)
- Usage Data: Platform interaction data, analytics information
7.2 Processing Purposes
Personal data is processed for the following purposes:
- Providing voice AI white-labeling services
- Managing agency client accounts and relationships
- Facilitating voice AI interactions and campaigns
- Processing payments and billing operations
- Providing customer support and technical assistance
- Maintaining platform security and integrity
- Conducting business analytics and service improvement
- Ensuring legal compliance and regulatory reporting
7.3 Data Retention
Callisi maintains the following data retention schedule:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Data | Duration of service + 30 days | Contract performance |
| Voice Call Metadata | Duration of service + 30 days | Contract performance |
| System Logs | 7 days | Security monitoring |
| Backup Data | 7 days | Business continuity |
| Marketing Data | Until consent withdrawn | Consent |
8. Technical and Organizational Measures
8.1 Technical Safeguards
- Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
- Access Controls: Role-based access control with multi-factor authentication
- Network Security: AWS VPC isolation, firewall protection, secure API endpoints
- Data Segregation: Logical separation of client data in multi-tenant architecture
- Monitoring: Continuous security monitoring and anomaly detection
8.2 Organizational Measures
- Data Protection Officer: Designated DPO responsible for GDPR compliance
- Staff Training: Regular GDPR training for all personnel
- Access Management: Strict access controls and need-to-know basis
- Incident Response: Comprehensive data breach response procedures
- Vendor Management: GDPR compliance requirements for all subprocessors
8.3 SOC 2 Type II Certification
Hyperdimensional LLC maintains SOC 2 Type II certification, demonstrating our commitment to:
- Security controls and monitoring
- Availability and system reliability
- Processing integrity and accuracy
- Confidentiality of sensitive information
- Privacy protection measures
9. International Data Transfers
9.1 Transfer Mechanisms
Callisi ensures GDPR-compliant international data transfers through:
- Standard Contractual Clauses: EU-approved SCCs for transfers to the United States
- Adequacy Decisions: Reliance on EU adequacy decisions where applicable
- Binding Corporate Rules: Internal data transfer governance framework
- Specific Authorizations: Explicit consent for transfers where required
9.2 Third Country Processing
Data processing locations and safeguards:
| Location | Service Provider | Safeguards |
|---|---|---|
| United States | Amazon Web Services | SOC 2, ISO 27001, Standard Contractual Clauses |
| United States | Stripe | PCI DSS, SOC 2, Standard Contractual Clauses |
| Various | Voice AI Providers | Individual DPAs and security assessments |
10. Data Breach Management
10.1 Breach Detection and Response
Our comprehensive data breach management includes:
- Detection: 24/7 monitoring systems for breach identification
- Assessment: Rapid risk assessment and impact evaluation
- Containment: Immediate measures to limit breach scope
- Investigation: Thorough forensic analysis and root cause determination
- Remediation: Implementation of corrective and preventive measures
10.2 Notification Procedures
- Supervisory Authority: Notification within 72 hours of breach awareness
- Data Controllers: Immediate notification to affected agency clients
- Data Subjects: Direct notification when high risk to rights and freedoms exists
11. Accountability and Governance
11.1 Data Protection Governance
- Data Protection Committee: Senior management oversight of GDPR compliance
- Privacy Impact Assessments: Regular DPIA processes for new features
- Compliance Monitoring: Continuous assessment of GDPR adherence
- Policy Management: Regular review and update of data protection policies
- Training Programs: Ongoing staff education on GDPR requirements
12. Contact Information and Data Subject Rights
Email: team@callisi.com
Callisi (Hyperdimensional LLC)
13. Continuous Improvement
Callisi is committed to continuous improvement of our GDPR compliance program through:
- Regular Reviews: Annual comprehensive reviews of all compliance measures
- Technology Updates: Implementation of new privacy-enhancing technologies
- Training Enhancement: Continuous improvement of staff training programs
- Process Optimization: Streamlining of data subject rights fulfillment processes
- Stakeholder Feedback: Regular consultation with clients and data subjects
This document represents our current GDPR compliance framework and is subject to regular review and updates to reflect evolving regulatory requirements and business practices.