Technical and Organisational Measures

Last changed: Feb 27th, 2026

Annex II

(Annex II to the Data Processing Agreement)

This Annex forms part of the Data Processing Agreement between SantaClues (Processor) and the Controller.

(Article 32 GDPR)

I. Introduction and Scope

This document describes the technical and organisational measures implemented by SantaClues in its capacity as a data processor under Article 28 GDPR.

These measures are implemented in accordance with Article 32 GDPR, taking into account:

  • The nature, scope, context, and purposes of processing;
  • The types of personal data processed (including call transcript content that may contain personal data);
  • The risks to the rights and freedoms of natural persons.

SantaClues provides a real-time and post-call sales coaching system involving:

  • Audio streaming for transcription;
  • Transcription of calls;
  • Processing of transcript text through rule-based systems and large language model (LLM) providers;
  • Storage of transcripts and related metadata;
  • Logging of prompt interactions;
  • Generation of reports and exports;
  • Automated retention and deletion mechanisms.

These measures reflect the operational characteristics documented in the internal compliance record .

II. Processing Overview

SantaClues processes the following categories of data:

  • Audio streams of sales calls;
  • Transcribed call content (text);
  • Derived metrics, scoring outputs, and coaching indicators;
  • Prompt inputs and outputs related to LLM-based analysis;
  • User account data;
  • Organisational metadata;
  • System and operational logs.

Operational characteristics:

  • Audio is streamed to external transcription providers.
  • Audio may be temporarily written to disk during transcription processing.
  • Transcripts are stored in a managed PostgreSQL database.
  • Transcript text is transmitted to LLM providers for scoring and coaching.
  • LLM prompt inputs and outputs are logged:
    • In database tables (30-day retention);
    • In file-based logs stored on production infrastructure (7-day retention, automated cleanup).
  • Primary transcript and content data are retained for 30 days unless deleted earlier.
  • Daily database backups are maintained with 7-day rolling retention.
  • User deletion, organisation purge, and DSAR export mechanisms are implemented.

No mandatory anonymisation, pseudonymisation, or pre-LLM redaction is performed.

III. Security Objectives (Article 32(1))

The measures described support:

1. Confidentiality

Prevention of unauthorised access through authentication controls, access restriction, encrypted transmission, and production infrastructure access limitation.

2. Integrity

Prevention of unauthorised modification through controlled database access, structured data persistence, restricted administrative privileges, and advisory locking for critical background jobs.

3. Availability

Use of managed hosting infrastructure and database services designed to maintain service continuity and reduce risk of data loss.

4. Resilience

Logical separation of organisational data, managed infrastructure services, and automated retention and cleanup processes to reduce operational risk exposure.

5. Restoration Capability

Daily database backups with 7-day rolling retention enable restoration of production data in case of infrastructure failure.

6. Testing and Evaluation (Article 32(1)(d))

SantaClues performs periodic internal review of technical and organisational measures in connection with:

  • Material system updates;
  • Infrastructure changes;
  • Introduction of new subprocessors;
  • Identified security incidents or operational anomalies.

Security controls are reviewed to assess continued appropriateness relative to processing risks and operational scope.

IV. Technical Measures

1. Infrastructure Security

  • Application hosted on DigitalOcean infrastructure.
  • Managed PostgreSQL database service.
  • Managed Redis service for short-term state caching.
  • DigitalOcean Spaces used for object storage (exports).
  • Logical isolation between production services.
  • Administrative access to production infrastructure restricted to designated individuals.
  • Mandatory two-factor authentication (TOTP) for administrative access.

Production and local development environments are separated. No shared credentials are permitted.

Infrastructure region selection is configurable. EU-only routing is not technically enforced by default.

2. Access Control

  • Authenticated user access required for platform use.
  • Role-based access control at organisation level.
  • Logical separation of organisational data within the database.
  • Administrative endpoints restricted to designated admin roles.
  • Super-admin privileges restricted to specific authorised individuals.
  • Elevated deletion operations require explicit confirmation and appropriate privileges.

Production infrastructure and log access are restricted to authorised personnel only. Access is not publicly exposed and is protected by authentication controls.

3. Data Transmission Protection

  • TLS encryption for API traffic.
  • Secure WebSocket connections for audio streaming.
  • Authenticated API endpoints for internal and external access.

No end-to-end encryption beyond TLS transport is implemented.

4. Data Storage Protection

  • Transcripts stored in managed PostgreSQL database.
  • Derived data stored in structured database tables.
  • Prompt logs stored:
    • In database (30-day retention);
    • In file-based production logs (7-day retention with automated cleanup).
  • Redis call state cached with 2-hour TTL.
  • Temporary audio files (WAV) may be written during transcription and are deleted after processing; retention runner removes residual files older than 1 day.

File-based prompt logs are stored on production infrastructure and are not externally accessible. Access is restricted to authorised personnel.

No automatic anonymisation or pseudonymisation layer is implemented.

5. Logging and Monitoring

  • LLM prompt interactions logged in database (30-day retention).
  • File-based prompt logs retained for 7 days with automated cleanup.
  • Retention runner executes daily cleanup of:
    • Expired transcripts;
    • Prompt logs;
    • Temporary audio files;
    • Raw metrics.
  • Advisory database locks prevent concurrent execution conflicts for retention and job runners.

Logging is used for operational integrity, troubleshooting, and auditability. Log access is restricted and not available to end users or external parties.

6. Backup and Restoration

  • Daily database backups.
  • 7-day rolling backup retention.
  • Backups are infrastructure-managed and not accessible to end users.
  • Backups are not used for active production processing.

In the event of restoration from backup, SantaClues performs a reconciliation review to identify and re-apply deletion requests received during the backup retention window.

7. Data Deletion Controls

Implemented deletion mechanisms include:

  • User-initiated account deletion (background job);
  • Organisation-level permanent purge (OWNER role);
  • Admin-level permanent deletion (super-admin);
  • Daily automated retention cleanup;
  • DSAR export generation with delete-after-download mechanism;
  • Report exports stored temporarily and deleted after delivery.

Deletion applies to primary production data stores, including:

  • Transcripts;
  • Prompt logs stored in database;
  • Derived metrics linked to deleted entities;
  • Object storage exports;
  • Temporary files within defined retention windows.

Billing and legally required financial records are excluded from application-level purge.

V. Organisational Measures

1. Processor Role

SantaClues acts solely as a data processor.
Controllers determine lawful basis and remain responsible for transparency and legality of call recording and transcription.

2. Access Governance

  • Production access limited to designated personnel.
  • Mandatory 2FA for administrative access.
  • Role-based privilege assignment.
  • Access granted on least-privilege basis relative to operational need.
  • Elevated deletion operations require explicit authorisation.

Access privileges are reviewed in connection with material organisational or infrastructure changes.

3. Subprocessor Management

SantaClues engages subprocessors for:

  • Cloud infrastructure;
  • Database hosting;
  • Object storage;
  • Transcription services;
  • LLM processing.

Subprocessors are subject to contractual data protection obligations, including Data Processing Agreements where required.

Where personal data is transferred outside the EEA, Standard Contractual Clauses are relied upon and Transfer Impact Assessments are conducted.

Subprocessors are formally listed in a separate annex.

4. Data Subject Rights Handling

  • Self-service DSAR export for users.
  • Account deletion functionality.
  • Organisation-level purge functionality.
  • Background job processing for deletion requests.
  • Exports stored temporarily and deleted after download.

Requests received from controllers are processed in accordance with contractual obligations.

5. Incident Handling

SantaClues maintains internal procedures for identifying, assessing, and responding to personal data incidents.

Incidents are evaluated to determine whether they constitute a personal data breach under GDPR.

Where a personal data breach is identified, the relevant controller will be notified without undue delay to enable compliance with Articles 33 and 34 GDPR.

VI. International Data Transfers

Certain subprocessors may process personal data outside the European Economic Area.

EU-only processing is not enforced by system architecture.

Where personal data is transferred to third countries, SantaClues relies on:

  • Standard Contractual Clauses (SCCs);
  • Transfer Impact Assessments (TIAs).

Details are provided in the Subprocessor Annex and related transfer documentation.

VII. Limitations and Scope of Measures

The following operational characteristics are material:

  • Transcripts may contain personal data.
  • No mandatory PII redaction or anonymisation is performed prior to storage or LLM processing.
  • LLM providers receive transcript content for scoring and coaching functionality.
  • Prompt logs (database and file-based) may contain transcript excerpts.
  • File-based prompt logging is continuously enabled and retained for 7 days with automated deletion.
  • Audio may be temporarily written to disk during transcription.
  • Backups are retained for 7 days and are not instantly purgeable.

Controllers remain responsible for:

  • Establishing lawful basis;
  • Providing privacy notices;
  • Ensuring lawful recording and transcription in their jurisdiction.

VIII. Review and Updates

These measures are reviewed in connection with material infrastructure changes, introduction of new subprocessors, or significant modifications to processing operations.

Updated versions supersede prior versions where applicable.

Risk Considerations

  • Transcript content may contain personal data and is transmitted to external LLM providers.
  • Continuous prompt logging increases short-term exposure within defined retention windows.
  • EU-only routing is not enforced by default.
  • Backup retention creates temporary residual data persistence.
  • No automated redaction layer is implemented.

These risks are addressed through access controls, defined retention limits, deletion automation, contractual safeguards, and documented reconciliation procedures.

Real-Time Coaching That Helps Every Sales Rep Sell Smarter. Like a seasoned coach in your corner — only this one listens quietly, learns fast, and gives your reps the right nudge at the perfect moment.

Menu
Home
Features
FAQ
Pricing
System
Log in
Sign up
Dashboard
Contact
hello@santaclues.ai
Santa Claus, 123 Elf Road, North Pole, 88888
© 2026 🎅 SantaClues | All rights reserved
Compliance center
Privacy policy
Terms and conditions
Made with 🧙 by Swml