Calloptima

Processing & Security

Last updated: April 20, 2026

1. Data Processing Agreement (DPA)

Calloptima operates as a Data Processor or Sub-processor for our clients under the General Data Protection Regulation (GDPR) and other applicable privacy laws. We only process personal data on documented instructions from our clients, who act as the Data Controllers.

A formal Data Processing Agreement (DPA) is executed alongside our consulting agreements or Statements of Work (SOWs) before any access to Personally Identifiable Information (PII) or Protected Health Information (PHI) is granted.

2. Scope of Processing

During consulting engagements, we may process:

  • Client Contact Data: Names, emails, and business details of your team members for communication and billing purposes.
  • System Audit Data: Anonymized or pseudonymized call logs, system architecture diagrams, and performance metrics required to deliver our advisory services.

We strongly advise clients to redact or anonymize all PII and PHI from datasets, logs, and recordings before sharing them with Calloptima for analysis.

3. Security Measures

We implement robust technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard algorithms (e.g., AES-256).
  • Access Control: Access to client data is strictly limited to authorized personnel on a "least privilege" basis. Multi-Factor Authentication (MFA) is enforced across all internal systems.
  • Data Minimization: We only collect, process, and retain data that is strictly necessary for the performance of our consulting services.
  • Secure Deletion: Upon completion or termination of an engagement, all client data is securely deleted or returned in accordance with the DPA.

4. Sub-processors

Calloptima may engage third-party sub-processors to assist in delivering our services (e.g., secure cloud hosting, email delivery). We ensure that all sub-processors are subject to strict confidentiality and data protection obligations that mirror our own commitments under GDPR.

5. Data Breach Notification

In the unlikely event of a personal data breach affecting client data, we will notify the affected Data Controller without undue delay (and in any event within 48 hours of becoming aware of the breach) and provide all necessary cooperation to assist with regulatory reporting obligations.

6. Contact the Data Protection Officer

For any questions regarding our data processing practices or security measures, or to request a copy of our standard DPA, please contact us at piotr@calloptima.com.