Trust Center – Security & Data Protection

Convertr is designed from the ground up to meet the security, compliance, and reliability requirements expected by IT, Security, DPO, and Finance teams.


1. Architecture & Encryption

Data isolation

Convertr is built on a multi-tenant SaaS architecture with strict logical isolation.

Each client's data is partitioned, with no possibility of cross-access.

  • Logical isolation per client
  • Access restricted according to the principle of least privilege
  • No application-level pooling of sensitive data

Data encryption

Data is protected throughout its lifecycle:

  • In transit: TLS 1.2+ encryption
  • At rest: AES-256 encryption
  • Backups: encrypted and stored on certified cloud infrastructure

Data is hosted on infrastructure located in the European Union and/or the United States, operated by providers compliant with market security standards (SOC 2 / ISO 27001).

Secrets management

Access to third-party platforms (Meta Ads, Google Ads, voice/AI APIs) is protected by:

  • Secure digital vault
  • Restricted and audited access
  • API key rotation and revocation
  • No keys exposed in plaintext client-side

2. GDPR Compliance & Responsible AI Use

Clear GDPR framework

Convertr operates under a strict contractual framework:

  • Convertr: Data Processor
  • Client: Data Controller

We provide:

  • a DPA compliant with Article 28 GDPR,
  • Standard Contractual Clauses (SCC – EU 2021/914) for transfers outside the EU,
  • a documented list of sub-processors (Retell, Twilio, OpenAI, Cloud).

Voice data & consent

AI voice features comply with applicable regulatory requirements:

  • Recording disclosure configured before the call (pre-call disclosure)
  • Recordings used only for contractual purposes
  • Limited retention: automatic deletion of audio (default ≤ 90 days, configurable)
  • Transcripts and metrics anonymized for improvement purposes

Google user data, including Google Calendar data, is excluded from these improvement datasets and is not used for AI model training, advertising, profiling, or unrelated database creation.

No voice data is used for public model training.

Explainable & non-decisional AI

Convertr's AI systems:

  • are probabilistic,
  • make no autonomous legal or financial decisions,
  • do not fall within the scope of Article 22 GDPR (no critical automated decision-making).

3. Autopilot Governance & Financial Security

Unlike "black box" solutions, Convertr integrates technical and contractual safeguards to protect client budgets.

Budget controls

  • Budget Cap: strict monthly ceiling, technically unbreachable
  • Stop-Loss: automatic halt if CPA exceeds a defined threshold
  • Progressive throttling when drift is detected

Traceability & auditability

  • Complete audit logs for every automated action (bids, pauses, adjustments)
  • Timestamped and queryable history
  • Reversible actions (rollback)
  • Clear separation between AI recommendations and final decisions

AI optimizes, but never spends outside the framework validated by the client.


4. Incident Management & Continuity

Detection & response

Convertr has formalized incident management procedures:

  • Continuous monitoring of technical and financial anomalies
  • Automated detection of critical events (e.g., spend spike, AI degradation)
  • Automated runbooks for immediate containment

Notification & communication

  • Prompt client notification for significant incidents
  • GDPR notification deadlines met (≤ 48h if personal data is affected)
  • Post-incident documentation available on request

Availability & resilience

  • Availability target: 99.5% monthly (excluding planned maintenance)
  • Regular encrypted backups
  • Restoration procedures tested periodically

5. Transparency & Audits

Convertr is ISO 27001 / SOC 2 ready:

  • Security controls aligned with ISO/IEC 27001
  • ISO 27001 ↔ SOC 2 mapping available
  • Contractually governed audit rights (documentary audit priority)

The following documents can be provided upon request:

  • Enterprise DPA
  • Security Annex
  • Incident Response Plan
  • ISO 27001 / SOC 2 Mapping