GDPR Status

Processing in a traceable manner for data subjects

• Documentation of type, scope and purpose of processing
• Documentation of data recipients and transfer periods
• Tenant documentation & logical data separation (Company ID)
• Documentation of mandatory deletion periods
• Documentation of all processing and sub-processing relationshipsPlanned
• Published privacy policy on the website

Data only used for specified, explicit and legitimate purposes

• Records of processing activities (RoPA)Planned
• Employee commitment to GDPR compliance
• Changes to processing only on written instruction

Data limited to what is necessary

• Privacy by Design – only necessary fields at registration
• Privacy by Default – no automatic opt-ins
• Pseudonymization – no user IDs sent to external AI providers
• Automated retention and deletion cyclesPlanned

Data factually correct and up to date

• Self-service profile editing for users
• Self-service account deletion available
• Timestamps (created_at, updated_at) & audit log on all records

Identification only possible as long as necessary

• Defined retention periods for all data categories
• Audio streamed in real time only – no recording or buffer

Protection against unauthorized access and data disclosure

• Servers in ISO 27001-certified data center (Hetzner, Frankfurt)
• 100% cloud-based – no physical office servers
• Individual user accounts with email verification
• Better Auth Framework – bcrypt hashing (10 salt rounds)
• Password policy (min. 8 characters, special characters required)
• Google OAuth / Social Login available
• Session expiration: 7 days, update after 1 day
• Automatic session timeout implemented
• Comprehensive brute-force protection & account lockout
• Two-factor authentication (2FA/MFA)Planned
• Role concept: STANDARD_USER, MANAGER, HR, ADMIN
• Logical tenant separation – Company ID-based filtering of all queries
• Differentiated admin rights with guards & middleware protection
• HTTPS/TLS for all connections (NGINX + Let's Encrypt)
• WSS for WebSocket connections (LiveKit WebRTC encrypted)
• Encrypted API communication (Bearer token authentication)
• TLS transmission to all processors (OpenAI, LiveKit, Stripe …)

Protection against unintended data modification

• Input validation (Zod for Server Actions, Pydantic in Agent Service)
• SQL injection protection (Prisma ORM with prepared statements)
• XSS protection via React auto-escaping
• File upload validation (type check & size limit 5–10 MB)
• Stripe webhook signature verification
• Rate limiting at application level

Data accessible and usable at all times

• Automatic daily backups (S3 Frankfurt, EU)
• PostgreSQL 16 on dedicated server
• Prometheus metrics & performance monitoring (no user data in logs)
• Documented recovery process
• Regular recovery tests

System resilience ensured on an ongoing basis

• Container-based infrastructure (Docker) – isolated services
• NGINX reverse proxy (load handling & request routing)
• Watchdog mechanisms (120s timeout, automatic session cleanup)
• Hard-cap maximum session duration: 3,600 seconds (1 hour)

Demonstrating compliance with all data protection principles

• Records of processing activities (RoPA)Planned
• Data Protection Officer (DPO)Planned
• Audit log (AuditLog table with IP, user agent, timestamps, old/new values)
• Logging of all login events (login history with IP & user agent)
• JSON-structured logs without sensitive data

Special protective measures for AI-powered voice processing

• Audio streamed in real time only – no recording, no buffer
• No user IDs / emails / company names sent to AI providers (OpenAI, OpenRouter)
• Transcripts for evaluation transmitted to OpenRouter without user name