Security and privacy at Skaala — how we handle your data
An open overview of how Skaala processes personal data and call data: GDPR posture, EU-primary storage, customer-controlled recordings, encryption. We also state explicitly what we are NOT certified for.
Skaala is a data processor under GDPR — you as a customer are the data controller, and a Data Processing Agreement (DPA) is signed at onboarding. Personal data and call data are processed primarily in EU regions. You control recordings and transcripts directly from the dashboard. We do not claim specific industry certifications (Helsenormen, NHN, SOC 2, HIPAA) today.
GDPR — Skaala is processor, you are controller
The relationship is structured per GDPR Art. 28: you, as the customer using the platform, are the data controller; Skaala (AiCall AB) is your processor. A DPA is signed at onboarding (see /en/legal/dpa).
We process data only within the agreed purpose — delivering the AI phone assistant service — and do NOT use customer recordings to train general models.
What remains with you as controller: a legal basis (informed consent or another Art. 6 ground), a privacy notice covering AI use, and a process for DSAR requests.
EU data residency
Primary processing location is the EEA. That includes the primary database (accounts, bookings, contacts) and call recordings.
Some subprocessors (certain AI models, certain voice components) may have components outside the EEA. We use Standard Contractual Clauses (SCCs) and a Transfer Impact Assessment (TIA) where relevant. The complete list is in your DPA.
Subprocessors
We use a small number of subprocessors. All are bound by a DPA or SCCs. Changes are notified by email.
Primary subprocessors today:
Neon (Postgres): Primary database. EU region.
Stack Auth: Identity and access. EU region.
Stripe: Payments. PCI-DSS compliant.
ElevenLabs: Voice synthesis. SCCs in place.
Twilio: Telephony and SMS.
Vercel: App hosting. EU-primary CDN.
Google (Calendar OAuth): Only if connected. Minimal scope.
Microsoft (Outlook OAuth): Only if connected. Minimal scope.
Call recordings and transcripts
Every inbound call is recorded. The AI opens with a clear disclosure that the caller is speaking with an AI and that the call is being recorded.
Retention is configurable in the dashboard — typical choices 90 days, 12 months, or unlimited during active subscription.
You can export individual calls, all calls for a contact, or the entire account's data. Deletion is final and covers primary storage and backups.
Encryption and access control
TLS for data in transit. Encryption at rest in the primary database and object storage.
Stack Auth-managed access per user. MFA strongly recommended for access to recordings.
Internally, access to customer data is role-based and every access is logged. We never access customer data without a concrete operational purpose.
Deletion, export, and DSAR handling
As controller you'll receive DSAR requests — access, rectification, erasure, portability. The dashboard lets you fulfill them inside the 30-day window.
Access: one-click export per contact. Rectification: edit transcripts / structured fields (original recording retained). Erasure: per call, per contact, or whole account.
Security incidents
We notify per GDPR Art. 33/34 and your DPA if an incident affects your data.
Responsible disclosure: hello@skaala.ai. No formal bug bounty today.
What Skaala is NOT certified for
Honesty over implication:
Healthcare (Helsenormen, NHN): Skaala is NOT Helsenormen-certified or connected to Norsk Helsenett. Healthcare providers: run your own risk assessment before AI handles journal data.
SOC 2, ISO 27001, HIPAA, PCI: No formal SOC 2 / ISO 27001 / HIPAA attestations today. Payments routed via Stripe (PCI-DSS validated).
BankID, Vipps: No BankID signing or Vipps payment in-call today.
Bolagsverket / Brønnøysund direct lookup: No direct company-registry lookup today.
Public sector framework agreements: No pre-approved public-sector framework today. We can do per-case adaptations.
Single-tenant geographic enclave: No country-only single-tenant deployment today. EU-primary is the standard config.