Jan 1, 2025
Jul 10, 2025
1. Executive Summary
This document demonstrates VoiceAIWrapper's commitment to compliance with the General Data Protection Regulation (GDPR) and outlines our comprehensive approach to data protection. As a voice AI white-labeling platform operated by New XP Technologies Limited, we process personal data on behalf of our agency clients while maintaining the highest standards of data protection and privacy.
VoiceAIWrapper serves as a data processor for voice AI interactions and related business data, implementing robust technical and organizational measures to ensure GDPR compliance across all processing activities. This document serves as both an internal compliance guide and external demonstration of our data protection commitments.
2. GDPR Compliance Framework
2.1 Regulatory Scope
VoiceAIWrapper's GDPR compliance framework applies to:
Processing of personal data of EU residents
Clients operating in the European Economic Area (EEA)
Cross-border data transfers from the EU to the United States
Voice AI interactions involving EU data subjects
Business data processing for EU-based organizations
2.2 Compliance Objectives
Our GDPR compliance program aims to:
Ensure lawful, fair, and transparent processing of personal data
Implement privacy by design and by default principles
Provide comprehensive data subject rights fulfillment
Maintain robust security measures for data protection
Establish clear accountability and governance structures
3. The Seven GDPR Principles
VoiceAIWrapper's data processing activities adhere to the seven fundamental principles established by the GDPR:
Principle 1: Lawfulness, Fairness, and Transparency
Implementation: We process personal data only with a valid lawful basis, maintain transparency through clear privacy notices, and ensure fair processing practices that respect data subjects' rights and expectations.
Principle 2: Purpose Limitation
Implementation: Personal data is collected for specified, explicit, and legitimate purposes and is not processed for incompatible purposes. Voice AI data is processed solely for facilitating voice interactions and related business functions.
Principle 3: Data Minimization
Implementation: We collect and process only personal data that is adequate, relevant, and limited to what is necessary for the intended purposes. Our voice AI platform accesses only essential data for service delivery.
Principle 4: Accuracy
Implementation: We maintain accurate and up-to-date personal data and provide mechanisms for data subjects to correct inaccuracies. Regular data quality checks ensure information remains current and correct.
Principle 5: Storage Limitation
Implementation: Personal data is retained only as long as necessary for the purposes for which it was collected. Our data retention policies specify clear timeframes for different categories of data.
Principle 6: Integrity and Confidentiality (Security)
Implementation: We implement appropriate technical and organizational measures to ensure data security, including encryption, access controls, and regular security assessments.
Principle 7: Accountability
Implementation: We maintain comprehensive documentation of our compliance measures, conduct regular audits, and can demonstrate compliance with GDPR requirements through policies, procedures, and records.
4. Lawful Basis for Processing
VoiceAIWrapper relies on the following lawful bases for processing personal data under Article 6 of the GDPR:
Processing Activity | Lawful Basis | Description |
---|---|---|
Voice AI Service Delivery | Contract (Article 6(1)(b)) | Processing necessary for the performance of our service contract with our clients |
Account Management | Contract (Article 6(1)(b)) | Processing necessary for account setup, management, and service provision |
Security Monitoring | Legitimate Interests (Article 6(1)(f)) | Processing necessary for our legitimate interests in maintaining platform security |
Legal Compliance | Legal Obligation (Article 6(1)(c)) | Processing necessary for compliance with legal obligations |
Marketing Communications | Consent (Article 6(1)(a)) | Processing based on explicit consent for marketing activities |
5. Data Subject Rights
VoiceAIWrapper respects and facilitates the exercise of all data subject rights under the GDPR:
5.1 Right to Information (Articles 13 & 14)
We provide clear and comprehensive information about data processing activities through our Privacy Policy and Data Processing Agreement, ensuring data subjects understand how their data is used.
5.2 Right of Access (Article 15)
Data subjects can request access to their personal data and receive information about processing activities. We respond to access requests within 30 days and provide data in a structured, commonly used format.
5.3 Right to Rectification (Article 16)
We provide mechanisms for data subjects to correct inaccurate or incomplete personal data and ensure corrections are implemented across all processing systems.
5.4 Right to Erasure (Article 17)
Data subjects can request deletion of their personal data when legal grounds exist. We maintain clear deletion procedures and ensure complete removal from all systems within 24 hours of a valid request.
5.5 Right to Restrict Processing (Article 18)
We provide mechanisms to restrict processing when requested by data subjects under specific circumstances, including during accuracy disputes or objection procedures.
5.6 Right to Data Portability (Article 20)
Data subjects can receive their personal data in a structured, machine-readable format and request direct transfer to another controller where technically feasible.
5.7 Right to Object (Article 21)
Data subjects can object to processing based on legitimate interests or for direct marketing purposes. We provide clear objection mechanisms and cease processing unless compelling legitimate grounds exist.
5.8 Rights Related to Automated Decision-Making (Article 22)
While VoiceAIWrapper does not engage in automated decision-making with legal or significant effects, we maintain transparency about any AI-driven processing activities.
6. Voice AI Specific Considerations
6.1 Voice Data Processing
VoiceAIWrapper processes voice-related data with specific GDPR considerations:
Voice Recordings: We do not store actual voice recordings but maintain secure links to recordings hosted by voice AI providers directly under accounts belonging to our clients (indicated in our list of Sub-processors).
Voice Transcripts: Conversation transcripts are accessed via real-time APIs and not permanently stored on our servers.
Voice Analytics: We display analytics generated by voice AI providers without conducting independent voice analysis.
Voice Metadata: Call metadata is processed for dashboard display and business intelligence purposes.
6.2 Special Category Data
Voice interactions may inadvertently capture special categories of personal data (health, financial, etc.). Our approach includes:
Relying on agency clients to configure appropriate voice AI settings
Implementing data processing instructions that minimize special category data exposure
Providing guidance to agency clients on GDPR-compliant voice AI configurations
Maintaining strict access controls for any special category data processed
6.3 Consent Management for Voice Interactions
We require our clients to:
Obtain appropriate consent for voice recording and processing
Provide clear privacy notices for voice interactions
Implement consent withdrawal mechanisms
Maintain records of consent for audit purposes
7. Data Processing Activities
7.1 Personal Data Categories
VoiceAIWrapper processes the following categories of personal data:
Identity Data: Names, usernames, email addresses
Contact Data: Phone numbers, business addresses
Business Data: Company names, job titles, business domains
Technical Data: IP addresses, device information, usage logs
Communication Data: Voice call metadata, conversation summaries
Payment Data: Billing information (processed through Stripe)
Usage Data: Platform interaction data, analytics information
7.2 Processing Purposes
Personal data is processed for the following purposes:
Providing voice AI white-labeling services
Managing agency client accounts and relationships
Facilitating voice AI interactions and campaigns
Processing payments and billing operations
Providing customer support and technical assistance
Maintaining platform security and integrity
Conducting business analytics and service improvement
Ensuring legal compliance and regulatory reporting
7.3 Data Retention
VoiceAIWrapper maintains the following data retention schedule:
Data Category | Retention Period | Legal Basis |
---|---|---|
Account Data | Duration of service + 30 days | Contract performance |
Voice Call Metadata | Duration of service + 30 days | Contract performance |
System Logs | 7 days | Security monitoring |
Backup Data | 7 days | Business continuity |
Marketing Data | Until consent withdrawn | Consent |
8. Technical and Organizational Measures
8.1 Technical Safeguards
Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
Access Controls: Role-based access control with multi-factor authentication
Network Security: AWS VPC isolation, firewall protection, secure API endpoints
Data Segregation: Logical separation of client data in multi-tenant architecture
Monitoring: Continuous security monitoring and anomaly detection
8.2 Organizational Measures
Data Protection Officer: Designated DPO responsible for GDPR compliance
Staff Training: Regular GDPR training for all personnel
Access Management: Strict access controls and need-to-know basis
Incident Response: Comprehensive data breach response procedures
Vendor Management: GDPR compliance requirements for all sub-processors
8.3 SOC 2 Type II Certification
New XP Technologies Limited maintains SOC 2 Type II certification, demonstrating our commitment to:
Security controls and monitoring
Availability and system reliability
Processing integrity and accuracy
Confidentiality of sensitive information
Privacy protection measures
9. International Data Transfers
9.1 Transfer Mechanisms
VoiceAIWrapper ensures GDPR-compliant international data transfers through:
Standard Contractual Clauses: EU-approved SCCs for transfers to the United States
Adequacy Decisions: Reliance on EU adequacy decisions where applicable
Binding Corporate Rules: Internal data transfer governance framework
Specific Authorizations: Explicit consent for transfers where required
9.2 Third Country Processing
Data processing locations and safeguards:
Location | Service Provider | Safeguards |
---|---|---|
United States | Amazon Web Services | SOC 2, ISO 27001, Standard Contractual Clauses |
United States | Stripe | PCI DSS, SOC 2, Standard Contractual Clauses |
Various | Voice AI Providers | Individual DPAs and security assessments |
10. Data Breach Management
10.1 Breach Detection and Response
Our comprehensive data breach management includes:
Detection: 24/7 monitoring systems for breach identification
Assessment: Rapid risk assessment and impact evaluation
Containment: Immediate measures to limit breach scope
Investigation: Thorough forensic analysis and root cause determination
Remediation: Implementation of corrective and preventive measures
10.2 Notification Procedures
VoiceAIWrapper maintains strict notification timelines:
Supervisory Authority: Notification within 72 hours of breach awareness
Data Controllers: Immediate notification to affected agency clients
Data Subjects: Direct notification when high risk to rights and freedoms exists
Documentation: Comprehensive breach register and reporting
10.3 Breach Prevention
Proactive measures to prevent data breaches:
Regular security assessments and penetration testing
Employee security training and awareness programs
Incident response drills and tabletop exercises
Continuous monitoring and threat intelligence
Regular review and update of security measures
11. Accountability and Governance
11.1 Data Protection Governance
VoiceAIWrapper maintains robust governance structures:
Data Protection Committee: Senior management oversight of GDPR compliance
Privacy Impact Assessments: Regular DPIA processes for new features
Compliance Monitoring: Continuous assessment of GDPR adherence
Policy Management: Regular review and update of data protection policies
Training Programs: Ongoing staff education on GDPR requirements
11.2 Documentation and Records
Comprehensive documentation maintained for accountability:
Records of processing activities (Article 30)
Data protection impact assessments
Consent records and withdrawal tracking
Data subject rights request logs
Breach incident reports and responses
Staff training records and certifications
Vendor compliance assessments
11.3 Regular Audits and Reviews
Systematic compliance verification through:
Annual GDPR compliance audits
Quarterly privacy risk assessments
Monthly security control reviews
Continuous monitoring of processing activities
Regular review of sub-processor compliance
12. Contact Information and Data Subject Rights
Data Protection Officer
SP Parasar
Email: team@newxp.co
VoiceAIWrapper (New XP Technologies Limited, HK)
12.1 Exercising Data Subject Rights
Data subjects can exercise their rights by:
Contacting us at team@newxp.co
Submitting requests through our support channel (in-app)
Contacting the agency representative (for end-user rights)
12.2 Response Timeframes
We are committed to responding to data subject requests within:
30 days for access, rectification, and portability requests
24 hours for erasure requests and objection requests
72 hours for restriction of processing requests
13. Continuous Improvement
VoiceAIWrapper is committed to continuous improvement of our GDPR compliance program through:
Regular Reviews: Annual comprehensive reviews of all compliance measures
Technology Updates: Implementation of new privacy-enhancing technologies
Training Enhancement: Continuous improvement of staff training programs
Process Optimization: Streamlining of data subject rights fulfillment processes
Stakeholder Feedback: Regular consultation with clients and data subjects
This document represents our current GDPR compliance framework and is subject to regular review and updates to reflect evolving regulatory requirements and business practices.
For our current Data Processing Agreement (DPA, with SCC), please refer to this link.