Information Security Whitepaper

SalesKong is committed to delivering a secure, compliant, and innovative platform that enables organizations to capture, analyze, and derive actionable insights from recorded conversations. This whitepaper details our comprehensive security framework, our technical and organizational measures, and our adherence to global data protection regulations—including GDPR and the emerging EU AI Act—while following industry best practices.

1. Background and Context

In today’s interconnected digital environment, the secure handling of sensitive data is paramount. SalesKong processes call recordings, transcriptions, metadata, and analytical outputs on behalf of our customers. As a global provider, we understand the need for robust security and transparency to address both operational risks and regulatory requirements. This document explains our approach and demonstrates our commitment to maintaining a high level of security.

2. Purpose and Scope

Purpose
This whitepaper aims to:
• Describe SalesKong’s comprehensive information security strategy.
• Detail the technical and organizational measures that protect data.
• Clarify the roles and responsibilities between the customer (Data Controller) and SalesKong (Data Processor).
• Demonstrate our commitment to compliance with international standards, including GDPR and the EU AI Act.

Scope
This document covers:
• Data collection, processing, retention, and deletion.
• Technical controls (encryption, access management, secure infrastructure).
• Organizational measures (policies, training, incident response).
• Regulatory compliance mechanisms for GDPR, the EU AI Act, and other global data protection regulations.
• Continuous improvement processes and audit practices.

3. Security Governance and Framework

SalesKong’s information security framework is built on a multi-layered approach integrating policies, procedures, and technologies to protect customer data.

Governance Structure
Executive Oversight: Our senior leadership, including the Chief Executive Officer (CEO), oversees security policies and strategic initiatives.
Security Committees: Regular meetings with cross-functional teams ensure alignment of security, compliance, and operational objectives.
Risk Management: A continuous risk assessment process identifies threats and ensures that appropriate controls are implemented.

Security Standards and Certifications
International Standards: SalesKong is not ISO/IEC 27001 certified and has not undergone a SOC 2 audit; our controls are instead aligned with the ISO/IEC 27001 control set and the SOC 2 Trust Services Criteria. Customers should note that this alignment is not backed by a third-party certification or attestation report.
Compliance Frameworks: Our processes ensure compliance with GDPR, the EU AI Act, and other applicable data protection regulations.

4. Roles and Responsibilities

A clear delineation of responsibilities ensures that data protection is managed effectively.

Customer as Data Controller
Decision Authority: Customers determine the purpose and methods of data collection, including which conversations are recorded and how the data is used.
Compliance Responsibilities: Customers are responsible for obtaining necessary consents, informing participants, and ensuring legal compliance.
Data Subject Rights: Customers must handle requests from data subjects regarding access, correction, or deletion of their data.

SalesKong as Data Processor
Processing on Behalf: SalesKong processes data strictly according to customer instructions, without defining the purpose or scope of data collection.
Security Implementation: We implement technical and organizational measures to ensure secure data processing.
Data Processing Agreement (DPA): Our DPA specifies that SalesKong acts solely as a Data Processor.

5. Technical Security Measures

SalesKong employs a range of technical safeguards to ensure the confidentiality, integrity, and availability of data.

Data Encryption
In Transit: Data is transmitted over TLS-encrypted connections (SSL, the deprecated predecessor of TLS, is not used).
At Rest: Data is encrypted using robust algorithms (e.g., AES-256).

Access Controls
Authentication: Multi-factor authentication (MFA) is required for access to sensitive systems.
Role-Based Access: Permissions are assigned based on user roles to ensure only authorized access.
Audit Logging: Detailed logs track access and modifications for ongoing monitoring.

Secure Infrastructure
Data Centers: Customer data is hosted on Google Cloud Platform (GCP) in the europe-west3 region in Frankfurt, Germany, in facilities that meet modern physical and environmental security standards.
Cloud Security: Our cloud provider adheres to global security standards and undergoes regular independent audits.
Network Security: Advanced firewalls, intrusion detection systems, and vulnerability assessments protect our network.

6. Organizational Security Measures

In addition to technical controls, our organizational measures ensure a strong overall security posture.

Policies and Procedures
Security Policies: Comprehensive policies govern data handling, access management, and incident response.
Employee Training: Ongoing training ensures all employees understand their responsibilities in data security and privacy.
Vendor Management: Third-party vendors are rigorously assessed and required to meet our security standards.

Incident Response and Management
Incident Reporting: A formal process exists for the immediate reporting and handling of security incidents.
Response Plan: Our incident response plan covers containment, root cause analysis, and communication with affected stakeholders.
Post-Incident Reviews: Lessons learned are integrated to improve future security measures.

7. Data Management Practices

Effective data management is central to maintaining regulatory compliance and protecting personal data.

Data Collection and Processing
Captured Data: We collect call recordings, transcriptions, metadata, and analytical data, processed only according to the customer's documented instructions.
Purpose Limitation: Data is processed solely for customer-defined purposes.

Data Retention and Deletion
Retention Policies: Data is retained only as long as required by the customer's instructions or by applicable legal obligations.
Deletion and Anonymization: Data is permanently deleted or anonymized when no longer needed.

International Data Transfers
Data Residency: Customer personal data is processed in the EU. If personal data is ever transferred outside the EU, we rely on safeguards such as Standard Contractual Clauses or on an adequacy decision such as the EU-U.S. Data Privacy Framework.

8. Regulatory Compliance

SalesKong maintains a strong focus on regulatory compliance through adherence to key frameworks and emerging regulations.

GDPR Compliance
Transparency and Consent: Our platform clearly notifies users when calls are recorded. Customers are responsible for obtaining necessary consents.
Data Subject Rights: Tools are provided to help customers manage data subject rights, including access, correction, deletion, and portability.
DPA Enforcement: Our Data Processing Agreement enforces that SalesKong processes data solely on the customer’s behalf, in line with GDPR Article 28.

EU AI Act Considerations
Scope and Impact: SalesKong is committed to ensuring our AI-driven analytical tools adhere to the EU AI Act, promoting transparency, accountability, and ethical use of AI.
Risk Management: We assess AI-related risks and implement measures to mitigate any potential negative impacts on privacy and fairness.
Transparency and Explainability: Our AI systems are designed to offer explainable outcomes where feasible, ensuring customers understand how insights are generated.
Compliance Measures: We actively monitor developments in the EU AI Act and update our practices and contracts to ensure full compliance.
Documentation and Governance: Detailed documentation is maintained regarding our AI systems’ design, development, and deployment in line with regulatory expectations.

9. Continuous Improvement and Audit

SalesKong is dedicated to continuously enhancing our security practices and ensuring compliance through regular audits and process improvements.
Regular Audits: Routine internal and external audits ensure that our policies and technical measures remain effective and compliant.
Process Improvement: Feedback mechanisms and ongoing monitoring enable us to adapt to emerging threats and evolving regulations.
Technology Upgrades: We continuously invest in the latest security technologies and best practices to enhance our defenses.

10. Conclusion

SalesKong is dedicated to safeguarding customer data through a robust, multi-layered information security framework. By clearly defining the roles—where the customer is the Data Controller and SalesKong serves as the Data Processor—and by implementing leading technical and organizational controls, we ensure secure, transparent, and compliant data processing in accordance with GDPR, the evolving EU AI Act, and other applicable regulations.

This whitepaper reflects our commitment to continuous improvement and proactive risk management. For further inquiries or detailed discussions about our security practices, please contact team@saleskong.com.