Trust Center – Security & Data Protection

Convertr is designed from the ground up to meet the security, compliance, and reliability requirements expected by IT, Security, DPO, and Finance teams.


1. Architecture & Encryption

Data isolation

Convertr is built on a multi-tenant SaaS architecture with strict logical isolation.

Each client's data is partitioned, with no possibility of cross-access.

  • Logical isolation per client
  • Access restricted according to the principle of least privilege
  • No application-level pooling of sensitive data

Data encryption

Data is protected throughout its lifecycle:

  • In transit: TLS 1.2+ encryption
  • At rest: AES-256 encryption
  • Backups: encrypted and stored on certified cloud infrastructure

Data is hosted on infrastructure located in the European Union and/or the United States, operated by providers compliant with market security standards (SOC 2 / ISO 27001).

Secrets management

Access to third-party platforms (Meta Ads, Google Ads, voice/AI APIs) is protected by:

  • Secure digital vault
  • Restricted and audited access
  • API key rotation and revocation
  • No keys exposed in plaintext client-side

2. GDPR Compliance & Responsible AI Use

Clear GDPR framework

Convertr operates under a strict contractual framework:

  • Convertr: Data Processor
  • Client: Data Controller

We provide:

  • a DPA compliant with Article 28 GDPR,
  • Standard Contractual Clauses (SCC – EU 2021/914) for transfers outside the EU,
  • a documented list of sub-processors (Retell, Twilio, OpenAI, Cloud).

Voice data & consent

AI voice features comply with applicable regulatory requirements:

  • Recording disclosure configured before the call (pre-call disclosure)
  • Recordings used only for contractual purposes
  • Limited retention: automatic deletion of audio (default ≤ 90 days, configurable)
  • Transcripts and metrics anonymized for improvement purposes

No voice data is used for public model training.

Explainable & non-decisional AI

Convertr's AI systems:

  • are probabilistic,
  • make no autonomous legal or financial decisions,
  • do not fall within the scope of Article 22 GDPR (no critical automated decision-making).

3. Autopilot Governance & Financial Security

Unlike "black box" solutions, Convertr integrates technical and contractual safeguards to protect client budgets.

Budget controls

  • Budget Cap: strict monthly ceiling, technically unbreachable
  • Stop-Loss: automatic halt if CPA exceeds a defined threshold
  • Progressive throttling when drift is detected

Traceability & auditability

  • Complete audit logs for every automated action (bids, pauses, adjustments)
  • Timestamped and queryable history
  • Reversible actions (rollback)
  • Clear separation between AI recommendations and final decisions

AI optimizes, but never spends outside the framework validated by the client.


4. Incident Management & Continuity

Detection & response

Convertr has formalized incident management procedures:

  • Continuous monitoring of technical and financial anomalies
  • Automated detection of critical events (e.g., spend spike, AI degradation)
  • Automated runbooks for immediate containment

Notification & communication

  • Prompt client notification for significant incidents
  • GDPR notification deadlines met (≤ 48h if personal data is affected)
  • Post-incident documentation available on request

Availability & resilience

  • Availability target: 99.5% monthly (excluding planned maintenance)
  • Regular encrypted backups
  • Restoration procedures tested periodically

5. Transparency & Audits

Convertr is ISO 27001 / SOC 2 ready:

  • Security controls aligned with ISO/IEC 27001
  • ISO 27001 ↔ SOC 2 mapping available
  • Contractually governed audit rights (documentary audits take priority)

The following documents can be provided upon request:

  • Enterprise DPA
  • Security Annex
  • Incident Response Plan
  • ISO 27001 / SOC 2 Mapping