Data Exporter:
SantaClues AS (Processor)
Data Importer:
OpenAI, L.L.C.
Importer Role:
Subprocessor providing large language model (LLM) services.
SantaClues transmits transcript text derived from customer sales calls to OpenAI models for automated conversational analysis and generation of coaching insights.
Processing operations may include:
Transcript content may contain personal data depending on the nature of the conversation.
The transfer occurs as part of the normal operation of the SantaClues service.
The following categories of data may be transmitted:
Audio recordings are generally processed by transcription providers prior to LLM analysis.
Prompt logs containing transcript excerpts may be stored internally within SantaClues systems during defined operational retention windows.
The transfer is necessary to enable:
These operations form a core part of the SantaClues platform functionality.
Transfers occur:
Transcript data stored within SantaClues systems is retained for 30 days unless deleted earlier.
Operational logs containing prompt inputs or outputs are retained for shorter defined periods for debugging and system integrity purposes.
OpenAI operates under the jurisdiction of the United States.
Relevant legal frameworks include:
These frameworks permit targeted government access to data held by certain electronic communication service providers under defined legal processes.
Such authorities generally focus on communications infrastructure providers rather than SaaS platforms processing business application data.
No evidence has been identified suggesting routine government access to conversational analysis workloads of the type processed by SantaClues.
SantaClues relies on the Standard Contractual Clauses (EU 2021/914) for transfers to OpenAI.
The SCCs impose obligations including:
The SCCs are incorporated into the SantaClues Data Processing Agreement.
Safeguards applied to transferred data include:
Data transmitted to subprocessors is protected using TLS-encrypted connections.
Access to production infrastructure and operational data is restricted through:
Production systems are protected by access restrictions and are not publicly accessible without authentication.
SantaClues enforces defined retention limits including:
No automated pseudonymisation or PII redaction is performed prior to transfer because transcript content must remain readable for conversational analysis.
SantaClues has assessed whether supplementary technical measures such as encryption or pseudonymisation prior to transfer could be implemented.
Due to the functional requirements of conversational analysis performed by LLM providers, transcript content must remain readable by the processing service.
As a result, end-to-end encryption or prior pseudonymisation would render the service non-functional.
The transfer therefore relies primarily on contractual safeguards under the Standard Contractual Clauses, together with organisational safeguards including access controls and defined retention limits.
Considering:
the risk of disproportionate government access is assessed as low but not negligible.
The data processed primarily relates to business sales conversations and does not typically involve large-scale consumer datasets or categories of data likely to be of intelligence interest.
The transfer mechanism relying on:
provides an appropriate level of protection under GDPR Chapter V.
Residual risk remains due to the legal environment of the United States but is considered manageable within the SCC framework.
Data Exporter:
SantaClues AS (Processor)
Data Importer:
Groq Inc.
Importer Role:
Subprocessor providing large language model (LLM) inference infrastructure used for conversational analysis.
SantaClues may transmit transcript text derived from customer sales calls to language models hosted on Groq infrastructure for automated conversational analysis and behavioural signal detection.
Processing operations may include:
Transcript content may contain personal data depending on the content of the conversation.
The transfer occurs as part of the normal operation of the SantaClues service.
The following categories of personal data may be transmitted:
Audio recordings themselves are not transmitted to Groq as part of LLM analysis.
Prompt logs containing transcript excerpts may be stored internally within SantaClues systems during defined operational retention windows.
The transfer is necessary to enable:
These operations form a core part of the SantaClues platform functionality.
Transfers may occur:
Transcript data stored within SantaClues systems is retained for 30 days unless deleted earlier.
Operational prompt logs are retained for shorter defined operational periods.
Groq Inc. operates under the jurisdiction of the United States.
Relevant legal frameworks include:
These authorities allow targeted government access to data held by certain electronic communication service providers under defined legal processes.
Such frameworks generally focus on communications infrastructure providers rather than SaaS platforms processing business application workloads.
No evidence has been identified suggesting routine government access to AI inference services processing transcript analysis workloads of this type.
SantaClues relies on the Standard Contractual Clauses (EU 2021/914) for transfers to Groq.
The SCCs impose obligations including:
The SCCs are incorporated into the SantaClues Data Processing Agreement.
Safeguards applied to transferred data include:
Data transmitted to subprocessors is protected using TLS-encrypted connections.
Access to production infrastructure and operational data is restricted through:
Production systems are protected by access restrictions and are not publicly accessible without authentication.
SantaClues enforces defined retention limits including:
No automated pseudonymisation or PII redaction is performed prior to transfer because transcript content must remain readable for conversational analysis.
SantaClues has assessed whether supplementary technical measures such as encryption or pseudonymisation prior to transfer could be implemented.
Due to the functional requirements of conversational analysis performed by LLM providers, transcript content must remain readable by the processing service.
As a result, end-to-end encryption or prior pseudonymisation would render the service non-functional.
The transfer therefore relies primarily on contractual safeguards under the Standard Contractual Clauses, together with organisational safeguards including access controls and defined retention limits.
Considering:
the risk of disproportionate government access is assessed as low but not negligible.
The data processed primarily relates to business sales conversations and does not typically involve large-scale consumer datasets or categories of data likely to be of intelligence interest.
The transfer mechanism relying on:
provides an appropriate level of protection under GDPR Chapter V.
Residual risk remains due to the legal environment of the United States but is considered manageable within the SCC framework.
Data Exporter:
SantaClues AS (Processor)
Data Importer:
xAI Corp.
Importer Role:
Subprocessor providing large language model (LLM) inference services used for conversational analysis.
SantaClues may transmit transcript text derived from customer sales calls to language models hosted by xAI for automated conversational analysis and behavioural signal detection.
Processing operations may include:
Transcript content may contain personal data depending on the nature of the conversation.
The transfer occurs as part of the normal operation of the SantaClues service.
The following categories of personal data may be transmitted:
Audio recordings themselves are not transmitted to xAI for LLM analysis.
Prompt logs containing transcript excerpts may be stored internally within SantaClues systems during defined operational retention windows.
The transfer is necessary to enable:
These operations form a core part of the SantaClues platform functionality.
Transfers may occur:
Transcript data stored within SantaClues systems is retained for 30 days unless deleted earlier.
Operational prompt logs are retained for shorter defined operational periods.
xAI Corp. operates under the jurisdiction of the United States.
Relevant legal frameworks include:
These frameworks allow targeted government access to data held by certain electronic communication service providers under defined legal processes.
Such authorities generally focus on communications infrastructure providers rather than SaaS platforms processing business application workloads.
No evidence has been identified suggesting routine government access to AI inference services processing transcript analysis workloads of this type.
SantaClues relies on the Standard Contractual Clauses (EU 2021/914) for transfers to xAI.
The SCCs impose obligations including:
The SCCs are incorporated into the SantaClues Data Processing Agreement.
Safeguards applied to transferred data include:
Data transmitted to subprocessors is protected using TLS-encrypted connections.
Access to production infrastructure and operational data is restricted through:
Production systems are protected by access restrictions and are not publicly accessible without authentication.
SantaClues enforces defined retention limits including:
No automated pseudonymisation or PII redaction is performed prior to transfer because transcript content must remain readable for conversational analysis.
SantaClues has assessed whether supplementary technical measures such as encryption or pseudonymisation prior to transfer could be implemented.
Due to the functional requirements of conversational analysis performed by LLM providers, transcript content must remain readable by the processing service.
As a result, end-to-end encryption or prior pseudonymisation would render the service non-functional.
The transfer therefore relies primarily on contractual safeguards under the Standard Contractual Clauses, together with organisational safeguards including access controls and defined retention limits.
Considering:
the risk of disproportionate government access is assessed as low but not negligible.
The data processed primarily relates to business sales conversations and does not typically involve large-scale consumer datasets or categories of data likely to be of intelligence interest.
The transfer mechanism relying on:
provides an appropriate level of protection under GDPR Chapter V.
Residual risk remains due to the legal environment of the United States but is considered manageable within the SCC framework.
Data Exporter:
SantaClues AS (Processor)
Data Importer:
Soniox Inc.
Importer Role:
Subprocessor providing speech-to-text (STT) transcription services.
SantaClues transmits live audio streams from sales calls to Soniox for real-time transcription. The resulting transcript text is returned to SantaClues systems for further processing and analysis.
Processing operations may include:
Audio streams may contain personal data disclosed during conversations.
The transfer occurs as part of the normal operation of the SantaClues platform.
The following categories of personal data may be transmitted:
The audio stream is processed for transcription and converted into transcript text that is returned to SantaClues systems.
The transfer is necessary to enable:
Speech-to-text processing is a required step in the SantaClues processing pipeline prior to transcript analysis.
Transfers occur:
Audio data is streamed to the transcription service during the call and processed in real time.
Audio may be temporarily written to disk during transcription processing within SantaClues infrastructure but is not retained as a permanent recording in the platform.
Transcript text generated from the audio is retained within SantaClues systems for 30 days unless deleted earlier.
Soniox Inc. operates infrastructure globally, which may include processing within the United States depending on the service endpoint used.
Relevant U.S. legal frameworks include:
These authorities allow targeted government access to data held by certain electronic communication service providers under defined legal processes.
Such authorities generally focus on communications infrastructure providers rather than SaaS services processing application-level data.
No evidence has been identified suggesting routine government access to speech-to-text workloads processing business application data of this type.
SantaClues relies on the Standard Contractual Clauses (EU 2021/914) for transfers to Soniox.
The SCCs impose obligations including:
The SCCs are incorporated into the SantaClues Data Processing Agreement.
Safeguards applied to transferred data include:
Audio streams transmitted to the transcription service are protected using TLS-encrypted connections.
Access to production infrastructure and operational data is restricted through:
Production systems are protected by authentication requirements and access restrictions.
SantaClues enforces defined retention limits including:
Audio data used for transcription is processed in real time and is not stored permanently within the SantaClues platform.
SantaClues has assessed whether supplementary technical measures such as encryption or pseudonymisation prior to transfer could be implemented.
Due to the functional requirements of speech-to-text processing, audio streams must remain readable by the transcription service during processing.
As a result, end-to-end encryption or prior pseudonymisation would render transcription services non-functional.
The transfer therefore relies primarily on contractual safeguards under the Standard Contractual Clauses, together with organisational safeguards including access controls and defined retention limits.
Considering:
the risk of disproportionate government access is assessed as low but not negligible.
The data processed primarily relates to business sales conversations and does not typically involve categories of data likely to be of intelligence interest.
The transfer mechanism relying on:
provides an appropriate level of protection under GDPR Chapter V.
Residual risk remains due to the legal environment of the United States but is considered manageable within the SCC framework.