Compliance-ready: GDPR, TCPA, CCPA.
Documents, not promises — across every market we serve. Voice AI built to meet EU data protection (GDPR) and US consumer protection laws (TCPA, CCPA/CPRA) out of the box.
Data Processing Agreement — EU clients
Art. 28 GDPR-compliant DPA template, signed at engagement and back-to-back with our sub-processors (Google Cloud, Cloudflare, Airtable, Resend). Available on request for signature with your DPO.
Data Processing Agreement — US clients
Master Services Agreement and Data Processing Addendum aligned with CCPA/CPRA "service provider" obligations. Available on request for signature with your privacy team.
TCPA compliance (Telephone Consumer Protection Act)
Our voice agents handle inbound calls only by default. For any outbound calling or SMS configured by the client, the agent enforces documented prior express written consent capture, DNC (Do Not Call) list scrubbing, time-of-day restrictions (8am–9pm local time), and automatic opt-out keyword handling. Full TCPA policy available at /tcpa-policy.
CCPA / CPRA notice
Where SmartVolve processes personal information of California residents on behalf of a client, we act as a "service provider" under CCPA §1798.140(ag). Consumer rights requests (access, deletion, opt-out of sale/share) flow through the client as business owner. Full notice available at /ccpa-notice.
DPIA Ready Pack
Pre-compiled assistance pack ex GDPR Art. 35 so your DPO can finalise the Data Protection Impact Assessment quickly: system architecture, data categories, risk register, mitigation measures, residual-risk statement.
Records of Processing — Art. 30
Two registers maintained: one as data controller (website forms, newsletter, cookies) and one as data processor (B2B voice agent for each client). Made available to supervisory authorities on request.
Retention and true anonymisation
Identifiable transcripts pseudonymised at 30 days; immediately after, free-text fields run through a regex-based NER pass and the pseudonymisation map is dropped — the record is irreversibly anonymous (GDPR Recital 26). Audio never stored by default.
Regional data residency
EU clients: application infrastructure on Google Cloud, EU region. Cross-border transfers covered by EU-U.S. Data Privacy Framework certification, Standard Contractual Clauses and a documented Transfer Impact Assessment. US clients: a US-region Google Cloud deployment is available on request — no transatlantic transfer required for US-only deployments.
Sub-processor list
Detailed list provided to clients inside the signed DPA / MSA. General written authorisation with prior notice and right to object before any change, per Art. 28(2) GDPR.
Data breach response
Notification to the client (data controller / business owner) within 24 hours of becoming aware, with the information they need to meet the Art. 33 GDPR 72-hour notification to the supervisory authority or applicable US state breach-notification statutes.
Want the full documents?
We send the complete compliance pack — DPA / MSA, DPIA Ready Pack, records of processing, sub-processor list, TCPA opt-in workflow, CCPA service-provider terms — within 1 business day.