Data Processing Overview (Processor ROPA)
Summarizes what customer data we handle through our product, and how it flows through our systems.
Last updated: May 16, 2025
Processing Activity | Purpose | Data Subjects | Categories of Data Processed | Subprocessors | Storage Locations | Retention Period | Security Measures |
User Interaction Logging | Monitor user interactions for diagnostics/support | End-users of customer's websites/apps | IP addresses, session metadata, page views, or any custom fields provided by the customer | Mixpanel, Grafana | EU | Depends on pricing; defaults to 14 months | TLS encryption, data anonymization, access control |
Call Handling (Real-time) | Real-time audio/video interactions | End-users of customer's websites/apps | Audio/video streams, connection metadata | daily.co | EU/USA | Not stored; live relay only | TLS encryption, no persistent storage |
Co-browsing Sessions | Enable real-time co-browsing support | End-users of customer's websites/apps | Cursor movements, DOM elements, page metadata | Upscope | EU/USA | Not stored; live relay only | TLS encryption, no persistent storage |
Call Recording | Allow customers to review interactions | End-users of customer's websites/apps | Audio/video recordings, participant metadata | daily.co, MongoDB Atlas | EU, Germany | Customer-defined; default 30 days | Encrypted storage, access restrictions |
User Authentication | Verify and manage end-user sessions | End-users of customer's websites/apps | Email, hashed passwords, IP addresses, session tokens, or any custom fields provided by the customer | Heroku, MongoDB Atlas | USA, Germany | Until deletion | Encryption at rest and in transit, strict access control |
Error Logging | Monitor and troubleshoot application errors | End-users of customer's websites/apps | Error reports, session identifiers, request metadata | Grafana | EU | 30 days | TLS encryption, limited access |
IP Geolocation | Enhance user experience based on geographic data | End-users of customer's websites/apps | IP addresses, city, country, ISP | Ipstack | Germany | Real-time; no persistent storage | Real-time processing, no long-term retention |
Custom Data Fields | Provide session context, personalization, or analytics | End-users of customer's websites/apps | Names, emails, user IDs, form inputs, free-text fields | MongoDB Atlas | Germany | Customer-defined or same as associated activity | Encrypted storage, access restrictions |
Notes:
- Processing activities are explicitly aligned with customer instructions.
- Custom fields may be configured by the Controller or submitted directly by end users through embedded components (e.g., forms, chat, call prep widgets).
- Data retention periods are set according to customer agreements and can be modified upon request.
- Data transfers outside the EEA are secured using GDPR-compliant safeguards (e.g., SCCs).
- Security measures adhere to GDPR standards for processors, with clear and transparent safeguards.